BlackCatDevelopment / BlackCatCMS

BlackCat CMS is a PHP5, HTML5 content management system
https://blackcat-cms.org

XSS (Stored) in Blackcatcms_v1.3.2 #385

Closed security-breachlock closed 5 years ago

security-breachlock commented 6 years ago

Affected software: Blackcatcms_v1.3.2

Type of vulnerability: XSS (Stored)

Discovered by: BreachLock

Website: https://www.breachlock.com

Author: Balvinder Singh

Description: Stored attacks are those where the injected script is permanently stored on the target servers, such as in a database, in a message forum, visitor log, comment field, etc. The victim then retrieves the malicious script from the server when it requests the stored information. Stored XSS is also sometimes referred to as Persistent or Type-I XSS.

Proof of concept:

Step 1: Log in to the BlackCat CMS.

Step 2: URL: http://localhost/blackcatcms_v1.3.2/backend/pages/modify.php?page_id=5#cat_6 Go to the page title and add some malicious JavaScript into it.
[screenshot: blackcat_page_title]

Step 3: Here the XSS got executed for the page title parameter. URL: http://localhost/blackcatcms_v1.3.2/willkommen.php?lang=DE
[screenshot: execute_sepehle_xss]

URL: http://localhost/blackcatcms_v1.3.2/default.aspximg-srcx-onerrorprompt28029.php
[screenshot: blackcat]

webbird commented 6 years ago

Thank you for checking BC and posting your results! We have informed our users by posting this into our security forum (which is accessible by registered users only). I will fix this issue asap.

webbird commented 6 years ago

https://github.com/BlackCatDevelopment/BlackCatCMS/releases/tag/1.3.3

This is only a fix for WYSIWYG sections as modules will have to include the appropriate code to purify the contents they store. But that's a common problem with WYSIWYG...

webbird commented 6 years ago

How to enable: Put this code snippet into the save.php of your module:

// Look up the global switch that turns HTMLPurifier on or off
// (row "enable_htmlpurifier" in the settings table).
$r = $backend->db()->get_one(
    'SELECT * FROM `:prefix:settings` WHERE `name`="enable_htmlpurifier" AND `value`="true"'
);
if($r) {
    // use HTMLPurifier to clean up the contents before they are stored;
    // $content is the module's own submitted content
    $content = CAT_Helper_Protect::getInstance()->purify($content,array('Core.CollectErrors'=>true));
}

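The snippet above cleans WYSIWYG content on save, but the field hit in the proof of concept is the page title, which is plain text and also needs encoding at output time. The following is an added example written for this page in PHP; it is not BlackCat CMS code. It takes a title of the shape shown in the report (constructed here), renders it once unchanged and once HTML-encoded, strips tags on save as a second layer, and checks the rendered fragments with a DOM parse so that the encoded text is not mistaken for live markup. The function names, the sample input and the DOM-based check are all assumptions of the example.

```php
<?php
// Added example, not BlackCat CMS code: a stored page title rendered through
// a vulnerable path and a hardened one, plus save-time normalisation for a
// plain-text field. The attacker input below is constructed for the demo.
declare(strict_types=1);

// Constructed input of the kind the report describes: an <img> whose
// onerror handler fires as soon as the (broken) image fails to load.
const MALICIOUS_TITLE = 'Welcome<img src=x onerror=prompt(1)>';

// Vulnerable rendering: the stored title is interpolated into the template
// unchanged, so the browser parses the injected <img> and runs onerror.
function renderTitleVulnerable(string $title): string
{
    return "<title>$title</title>\n<h1>$title</h1>";
}

// Output encoding for the HTML text/attribute context. ENT_QUOTES covers
// both quote styles so the helper is also safe inside attribute values;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning '' (which
// would silently blank the field and is easy to miss in testing).
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened rendering: same template, encoded value.
function renderTitleHardened(string $title): string
{
    $t = esc($title);
    return "<title>$t</title>\n<h1>$t</h1>";
}

// Save-time normalisation for a field that has no legitimate markup. A page
// title is plain text, so stripping tags on save is appropriate here; it is
// not a substitute for output encoding, and for WYSIWYG sections an HTML
// purifier (as in the maintainer's snippet) is the right tool instead.
function sanitizeTitleOnSave(string $title): string
{
    return trim(strip_tags($title));
}

// Check used below: parse the rendered fragment the way a browser would and
// look for elements or on* attributes that could execute. Because it works on
// the parsed DOM, encoded text such as "&lt;img onerror=...&gt;" is ignored.
function hasActiveMarkup(string $html): bool
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);
    $doc->loadHTML('<!DOCTYPE html><html><head></head><body>' . $html . '</body></html>');
    libxml_clear_errors();
    $dangerous = ['script', 'img', 'svg', 'iframe', 'object', 'embed'];
    foreach ($doc->getElementsByTagName('*') as $el) {
        if (in_array(strtolower($el->tagName), $dangerous, true)) {
            return true;
        }
        foreach ($el->attributes as $attr) {
            if (stripos($attr->name, 'on') === 0) {
                return true;
            }
        }
    }
    return false;
}

function check(bool $cond, string $what): void
{
    if (!$cond) {
        throw new RuntimeException("check failed: $what");
    }
}

$vuln  = renderTitleVulnerable(MALICIOUS_TITLE);
$safe  = renderTitleHardened(MALICIOUS_TITLE);
$saved = sanitizeTitleOnSave(MALICIOUS_TITLE);

check(hasActiveMarkup($vuln), 'raw interpolation yields executable markup');
check(!hasActiveMarkup($safe), 'encoded output contains no executable markup');
check($saved === 'Welcome', 'strip_tags removes the injected element on save');
check(!hasActiveMarkup(renderTitleHardened($saved)), 'both layers together are inert');

echo "vulnerable: $vuln\n";
echo "hardened:   $safe\n";
echo "saved as:   $saved\n";
```

Run it with `php example.php` (ext-dom is needed for the check). The encoding helper is correct only for the HTML text and attribute contexts; a title that is also emitted inside a `<script>` block, an inline event handler or a URL needs the encoding for that context instead, and a save-time strip alone would not protect those either.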
webbird commented 6 years ago

https://github.com/BlackCatDevelopment/BlackCatCMS_v2.0/issues/11

security-breachlock commented 6 years ago

Hi,

Thanks for your positive response.

Did you use a CVE ID to track these bugs?

Looking forward to hearing from you.

webbird commented 6 years ago

Only in this issue.

Whoops, sorry, it's missing. Can you post the link here?