OcPortal CMS 9.0.20 POC #11
Comments
|
For tracking purposes CVE request is: http://www.openwall.com/lists/oss-security/2015/12/19/2 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
As per the documentation of the Ocportal, a value in a template that is not meant to contain HTML is marked as an escaped value ({VALUE*}). This meant that ‘html entities’ are put in replacement of HTML control characters.
Here the VALUE that is marked with * symbol will be filtered with the XSS filter and it will be sanitized before displaying it to the user. But they forgot to mark FIELD_NAME in OCF_EMOTICON_CELL.tpl file.
\ocportal\themes\default\templates\OCF_EMOTICON_CELL.tpl
The View_all link besides the emoticons in the following screen is having this FIELD_NAME variable
The View_all link is sending the following GET request to the server
The following is the source code of emoticons.php file
\ocportal\data\emotions.php
The following is the code related to emoticons_script function in misc_scritps.php file
\ocportal\sources\misc_scripts.php
Code that is loading the template file with the user entered input
\ocportal\sources\misc_scripts.php
This code is reading the GET request parameter field_name and displaying it back to the user without filtering because of the variable is not marked with * symbol. Obviously it won’t go for any filtration.
GET request to emoticons.php with script vector as value of field_name
And the inserted payload is reflecting back to the user as shown in the following screen.
The text was updated successfully, but these errors were encountered: