Closed security-breachlock closed 5 years ago
Thank you for checking BC and posting your results! We have informed our users by posting this into our security forum (which is accessible by registered users only). I will fix this issue asap.
https://github.com/BlackCatDevelopment/BlackCatCMS/releases/tag/1.3.3
This is only a fix for WYSIWYG sections as modules will have to include the appropriate code to purify the contents they store. But that's a common problem with WYSIWYG...
How to enable: Put this code snippet into the save.php of your module:
```php
// Only purify when the site-wide "enable_htmlpurifier" setting is switched on
$r = $backend->db()->get_one(
    'SELECT * FROM `:prefix:settings` WHERE `name`="enable_htmlpurifier" AND `value`="true"'
);
if($r) {
    // use HTMLPurifier to clean up the contents
    $content = CAT_Helper_Protect::getInstance()->purify($content,array('Core.CollectErrors'=>true));
}
```
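An added illustration of the distinction drawn above (this is example code, not code from the BlackCatCMS project): a free-text field such as the reported page title carries no markup and is escaped when rendered, while a WYSIWYG section is run through HTMLPurifier with an explicit whitelist. It assumes HTMLPurifier is installed via Composer; the sample inputs are constructed.

```php
<?php
// Added example, not BlackCatCMS project code.
// Assumes: composer require ezyang/htmlpurifier (autoloader path below).
require_once __DIR__ . '/vendor/autoload.php';

// A plain-text field (page title) never legitimately contains HTML,
// so the fix is output escaping, not purification.
function renderTitle(string $title): string
{
    return htmlspecialchars($title, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// A WYSIWYG section legitimately contains HTML: keep an allow-list of
// tags/attributes and URI schemes, drop everything else (event handlers,
// javascript: links, unknown tags).
function purifyWysiwyg(string $html): string
{
    $config = HTMLPurifier_Config::createDefault();
    $config->set('HTML.Allowed', 'p,br,strong,em,a[href],ul,ol,li,img[src|alt]');
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);
    $config->set('Core.CollectErrors', true); // same option the 1.3.3 snippet passes
    $purifier = new HTMLPurifier($config);
    return $purifier->purify($html);
}

// Constructed sample inputs in the style of the report: an inline event
// handler inside a title and inside a rich-text section.
$title   = 'Welcome <img src=x onerror=prompt(1)>';
$section = '<p>Hello</p><img src=x onerror=prompt(1)><a href="javascript:prompt(1)">x</a>';

echo renderTitle($title), PHP_EOL;    // markup is rendered as literal text
echo purifyWysiwyg($section), PHP_EOL; // onerror and javascript: href are removed
```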
Hi,
Thanks for your positive response.
Did you use a CVE ID to track these bugs?
Looking forward to hearing from you.
Only in this issue.
Whoops, sorry, it's missing. Can you post the link here?
Affected software: Blackcatcms_v1.3.2
Type of vulnerability: XSS (Stored)
Discovered by: BreachLock
Website: https://www.breachlock.com
Author: Balvinder Singh
Description: Stored attacks are those where the injected script is permanently stored on the target servers, such as in a database, in a message forum, visitor log, comment field, etc. The victim then retrieves the malicious script from the server when it requests the stored information. Stored XSS is also sometimes referred to as Persistent or Type-I XSS.
Proof of concept:
Step 1: Log in to the BlackCat CMS.
Step 2: URL: http://localhost/blackcatcms_v1.3.2/backend/pages/modify.php?page_id=5#cat_6 Go to the page title and add some malicious JavaScript into it.
Step 3: Here the XSS got executed for the page title parameter. URL: http://localhost/blackcatcms_v1.3.2/willkommen.php?lang=DE
URL: http://localhost/blackcatcms_v1.3.2/default.aspximg-srcx-onerrorprompt28029.php