Closed ghost closed 4 years ago
@squelch0 It does not use the Smarty template engine. It has a somewhat "lookalike" template language, but that's it.
Tried this on my live production site and all I get is a 404 page not found.
Either way, template injection could be possible. Often if it's vulnerable to XSS it is also vulnerable to template injection if there is any template system involved.
And template injection could lead to Remote Code Execution.
It could be because your live production site has a WAF.
Okay, the payload is ">
try that instead of "
@squelch0 Sorry, but part of what you say is wrong... First of all, the template system only treats the code from a file, not from a stream. Second, maybe you should give us your version number, because what you are telling us does not work. Could you either supply a screenshot or some proof, for example a W3AF log?
Okay, well nevertheless, there is a Cross Site Scripting vulnerability here that needs to be fixed. You can literally prove this by going to any live website and typing "> into the "f_n" parameters or "u" parameters.
@squelch0 Okay, one last shot here... On what damn version are you doing this? I tried this on the latest version and it doesn't seem to work. And so did @Undefined-Variables.
@polynamaude He is up to something...
My server is under attack!
I tried it on 15.4 stable.
...what?
this is on my own website.
make sure you type ">
If anyone has Discord I can show you there.
@squelch0 Please keep polite, no trolling allowed here.
You told me to try a URL; now my server is throwing XSS alerts on every site and all cPanels. Are you telling me that's chance? No.
I didn't open your URL. I tried
signup/?ref=main&a=index&u=chaya-ward&f_n=Avis"><script>alert('XSS')</script>
on the end of my URL and it did nothing, but now it is popping up everywhere.
Yes, exactly! That's why I reported this to you guys..
@Undefined-Variables We now have "Shit in the fan!"
I'm looking into what can be done to stop this now.
Well, you are the security guy, right? It's not a bad vulnerability, it can be fixed easily using HTML entity encoding.
I have only tested this on my own websites
This needs solving straight away!
I'm sorry for disclosing it publicly like this, but I figured it would be the best way to get it fixed.
You need to use the htmlentities() function to convert symbols such as " > < to their HTML entities (&quot; &gt; &lt;).
Yes, but you can get around that by URL encoding, so what is the point?
I'm not sure of the details of what you need to do. Like I said, I am new to this framework, but either way there needs to be a way to prevent dangerous characters like < > " or {}.
There are measures in place. I think we have shared enough with the world for now and, like I said, I'm looking into it.
I don't want to test it either, as that was a nightmare. I've had to reboot more than once to clear this.
@squelch0 Thank you for reporting this! You have done the right thing and we are being highly suspicious. We get a lot of this kind of thing and normally it's rubbish.
Thanks
You're welcome! Haha, I understand, I know you get a lot of reports. It shouldn't be difficult to fix though. I have a website running this right now, and as long as it's not vulnerable to template injection it shouldn't be too severe. That's why the { } characters should be properly sanitized, to prevent template injection vulnerabilities.
I'm not sure how many servers you have running, but this should only make 1 pop-up alert saying "XSS". It shouldn't crash the server or anything unless it's something else.
From what I have found in the mod_security log, I am speechless!! From that single call of that URL I have over 500 hits, all XSS rules, all at the same time.
That is no normal XSS attempt.
I can't find much about the components that make up the URI request except...
?ref=main relates to IPv4 addresses
&a=index has some link to iframe injection
And
Chaya-ward is most commonly referred to as a name, but pops up in OWASP reports here and there, so with all that considered I'd guess it is some form of callback.
There are rules covering this in the framework, which is why we don't see an initial alert; this is much more complex.
Hmm that is really odd. Are you getting attacked? I haven't checked my logs yet but I doubt anyone would start attacks after reading this so quickly. As long as the only problem is Reflected XSS it shouldn't be too severe. The only vulnerability with the XSS is if someone sends you a link to your own website with this payload, they can potentially steal your auth cookie or do "session fixation". Thankfully it doesn't appear to be "stored XSS".
No, not right now. It's odd how there are so many hits on mod_security, all at the same time, all from my IP, starting with that request. I have asked Cloudflare what they think and they are looking into it. They asked for the logs and are normally fast at answering, but it's been hours.
So the requests were from you? This bug shouldn't affect anything server side. The only vulnerability is when you send the link with the payload and someone clicks it. What I think could be happening here is called "Blind XSS". You should test this with xsshunter.com. It's helpful for tracking down Blind XSS triggers.
@Undefined-Variables I think what is happening is "Blind XSS". The payload is being processed by many different scripts, and with a template system between everything it could possibly execute the payload in many different areas.
How did you find this?
I do bug bounties and I'm hoping to make a career of Penetration Testing. I'm on HackerOne and other bug bounty platforms. This is a classic XSS and I found it just by manually testing those parameters. If you put a quote (") in the parameters you will see that whatever you input is directly reflected on the page, and the quote causes some problems. Anything you input into the "f_n" parameter can be treated as HTML. So you can actually, for example, put href tags and that should simply make a link render on the page (I tried showing an example just now but GitHub doesn't play nicely with quotes).
Here are my bug bounty profiles, I'm also on BugCrowd but I'm not active on there.
https://hackerone.com/squelch0 https://www.openbugbounty.org/researchers/squelch000
@Undefined-Variables It's a very simple classic case of reflected XSS. And it surprised me that it wasn't already being sanitized as it is supposed to be a secured and soooo secured software (as per the author).
Most automated testing frameworks will do this type of check automatically.
Yes I was surprised to find it although I tested all parameters with sqlmap and they seem to be secure against SQL injection. I also tried payloads like {{5*5}} to test for template injection, but I have no idea how the syntax works for ph7 yet. If you can get it to show 25 on the page, its vulnerable to template injection. Just gonna do black box testing then I will start looking at the source code. As long as all parameters use prepared statements there should be no SQL injection risk.
I actually think this framework is quite good, it will just take some time to improve this young project and fix the bugs. Looking forward to finding more of the bugs to keep everything secure!
Yeah, SQL injection is impossible as it uses PDO prepared statements. I have tried myself. The template system core file is found here https://github.com/pH7Software/pH7-Social-Dating-CMS/tree/master/_protected/framework/Layout/Tpl/Engine/PH7Tpl and is similar to Smarty. See what you can find...
Also, since the CMS uses Smarty templates, it could also be vulnerable to template injection, although I'm not sure if that is possible with GET requests.
FYI, pH7Builder (pH7CMS) uses pH7Tpl. A homemade template engine. Only the installation wizard still uses Smarty.
Thanks very much for reporting this @squelch0!!! 💯 It seems that https://github.com/pH7Software/pH7-Social-Dating-CMS/commit/b52f033692a4d4fc512d0b161b39e19e28335541 opened an XSS hole that occurs in the <link rel="canonical" href=""> value. I will patch it and release an update ASAP.
-> Patch available here: https://github.com/pH7Software/pH7-Social-Dating-CMS/commit/ee647aa628a14aa8c0cc3654f4a7ee0e46354080, file _protected/framework/Navigation/Page.class.php, line 102.
@squelch0, @Undefined-Variables, @polynamaude
And it will also be included in the next release.
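As an added example, not code from this thread, from pH7CMS or from the patch linked above: a PHP sketch of the bug class the maintainer names, a request-derived URL written straight into <link rel="canonical" href="">, beside an attribute-encoded version. The parameter names (ref, a, u, f_n) follow the thread; the URL-rebuilding step, the helper names and the structural check are assumptions made for the illustration and do not reproduce what Page.class.php does. It also shows why output encoding is the right layer: PHP percent-decodes the query string before populating $_GET, so the encoder sees the same characters whether or not the payload was URL-encoded on the wire. htmlspecialchars() is used rather than htmlentities(); for the structural characters & < > " ' the two behave the same.

```php
<?php
declare(strict_types=1);

// Added illustration, not pH7CMS code. build_canonical_url() is a hypothetical
// stand-in for a routine that echoes request values back into the canonical URL.

/**
 * Rebuild the page URL from the decoded query array (the shape PHP gives $_GET).
 * Concatenating values by hand, as here, keeps " > < intact in the result.
 */
function build_canonical_url(string $path, array $query): string
{
    $pairs = [];
    foreach ($query as $key => $value) {
        $pairs[] = $key . '=' . $value;
    }
    return 'https://example.com' . $path . '?' . implode('&', $pairs);
}

/** Vulnerable sink: the URL is dropped into an attribute with no encoding. */
function canonical_link_vulnerable(string $url): string
{
    return '<link rel="canonical" href="' . $url . '">';
}

/**
 * Hardened sink: encode for the HTML attribute context. ENT_QUOTES turns the
 * attacker's closing " into &quot;, so href="..." cannot be broken out of,
 * and < > become &lt; &gt;, so no new tag can start inside the document.
 */
function canonical_link_safe(string $url): string
{
    $encoded = htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<link rel="canonical" href="' . $encoded . '">';
}

/**
 * Cheap structural check for this one tag (illustration only): the only raw
 * double quotes should be the four delimiting rel="..." and href="...", and no
 * <script tag may appear anywhere in the rendered output.
 */
function attribute_intact(string $html): bool
{
    return substr_count($html, '"') === 4
        && strpos($html, '<script') === false;
}

// Constructed request, written the way PHP presents it in $_GET: percent-decoding
// has already happened, so f_n=Avis%22%3E%3Cscript%3E... on the wire produces
// exactly this array and therefore exactly the same input to the encoder.
$get = [
    'ref' => 'main',
    'a'   => 'index',
    'u'   => 'chaya-ward',
    'f_n' => "Avis\"><script>alert('XSS')</script>",
];

$url = build_canonical_url('/signup/', $get);

$vulnerable = canonical_link_vulnerable($url);
$safe       = canonical_link_safe($url);

echo $vulnerable, PHP_EOL;
echo $safe, PHP_EOL;
printf("vulnerable tag intact: %s\n", attribute_intact($vulnerable) ? 'yes' : 'no');
printf("hardened tag intact:   %s\n", attribute_intact($safe) ? 'yes' : 'no');
```

Run it with `php example.php`. The first line of output contains a live <script> element after the canonical link; the second contains only entity-encoded text inside the href value, and the structural check reports "no" for the first and "yes" for the second. Encoding belongs at the output sink, not at the input filter, precisely because decoding layers (URL decoding here) sit between the request and the template.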
Great job on the fast fix, thank you!
Great job on the fast fix!
You're very welcome!
@ph-7 Thank you great response and rapid fix :)
@squelch0 Thank you for reporting this :)
There is a XSS vulnerability without need for any authentication at all. It seems to be also present in the newest versions.
To reproduce:
1) If you created sample users such as "Avis", "Clark", "Raphael", etc., click on their photos on the home page.
2) The endpoint "/signup/" has parameters that are vulnerable to Cross Site Scripting. Here is an example: http://example.com/pH7-Social-Dating-CMS/signup/?ref=main&a=index&u=chaya-ward&f_n=Avis">
I hope it will be fixed because I really like this project. It should not be too difficult to sanitize those parameters.