
Persistent XSS on 'Website's name' field (site_title) #150

Closed
@nathunandwani

Description

@nathunandwani

Hi guys, wonderful work on the CMS! I found a security issue on the website's name in the admin settings:

Stored cross-site scripting (XSS) vulnerability in the "Website's name" field found in the "Settings" page under the "General" menu in WityCMS 0.6.1 allows remote attackers to inject arbitrary web script or HTML via a crafted website name by doing an authenticated POST HTTP request to WityCMS/admin/settings/general.

This vulnerability is specifically in the "Website's name" field. I noticed that it does strip off the tags <script> and </script>; however, it isn't recursive. By entering this payload:

<scri<script>pt>alert(1)</scri</script>pt>

JavaScript gets executed. Here's an output of the mentioned payload when entered and saved.
[screenshot: payload]

The payload gets saved in the file /system/config/config.php as raw JavaScript code:

[screenshot: savedconfig]

When an unauthenticated user visits the page, the code gets executed:

[screenshot: unauthenticateduser]

If the data is not sanitized upon input, these components are going to return arbitrary web script or HTML that can be rendered by the browser because it retrieves the script; hence, the possible "Affected Components" are as follows:
- Potentially all scripts using: /apps/user/front/lang/en.xml
- Potentially all scripts using: /apps/user/front/lang/fr.xml
- /apps/settings/admin/templates/general.html
- /apps/user/front/main.php
- /cache/templates/apps-settings-admin-templates-general.php

There may be more but I believe this can be fixed by recursively stripping out the tags <script> and </script>
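The filter behaviour described in this report, reproduced as an added example (this is not WityCMS code; the single-pass strip is a constructed model of what the report describes). It shows why removing the tags once fails on the reported payload, what the reporter's repeat-until-stable fix produces, and why encoding the name when it is written into HTML is the more robust defence.

```python
import html
import re

# Assumption: the CMS removes the literal tags <script> and </script> in a
# single pass. This regex models that one-pass filter.
SCRIPT_TAG = re.compile(r"</?script>", re.IGNORECASE)

# Constructed test input, taken verbatim from the report above.
PAYLOAD = "<scri<script>pt>alert(1)</scri</script>pt>"


def strip_script_once(value: str) -> str:
    """One-pass strip: removing the inner tags reassembles the outer ones."""
    return SCRIPT_TAG.sub("", value)


def strip_script_until_stable(value: str) -> str:
    """The reporter's suggestion: keep stripping until nothing changes."""
    while True:
        stripped = SCRIPT_TAG.sub("", value)
        if stripped == value:
            return value
        value = stripped


def escape_for_html(value: str) -> str:
    """Contextual output encoding: '<', '>', '&' and quotes become entities,
    so the stored name is rendered as text rather than parsed as markup."""
    return html.escape(value, quote=True)


def contains_script_tag(rendered: str) -> bool:
    """Detection helper: does the rendered string still carry a script tag?"""
    return SCRIPT_TAG.search(rendered) is not None


if __name__ == "__main__":
    print("one pass   :", strip_script_once(PAYLOAD))
    print("until stable:", strip_script_until_stable(PAYLOAD))
    print("escaped    :", escape_for_html(PAYLOAD))
```

Stripping until stable blocks this particular input but silently mangles legitimate names that happen to contain the word, whereas escaping on output preserves the stored value exactly and never yields a tag.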
