Bedita CMS 3.6.0 – Publication Module Bug Report #8

Open
cybersecurityworks opened this Issue Oct 14, 2015 · 5 comments


cybersecurityworks commented Oct 14, 2015

Details

Bedita CMS 3.6.0 – Publication Module Bug Report
Bug Name: XSS (Cross Site Scripting)
Version: 3.6.0
Last Updated: 31/08/2015
Homepage: http://www.bedita.com/
Severity: High
Description: XSS vulnerability in Bedita CMS 3.6.0 Publication module

Proof of concept: (POC)

Issue:
POST request URL http://192.168.56.104/bedita/bedita-app/pages/showObjects/2/0/0/leafs of Bedita CMS 3.6.0 is vulnerable to Cross Site Scripting (XSS)

Figure 1: XSS Payload injected in the given URL http://192.168.56.104/bedita/bedita-app/pages/showObjects/2/0/0/leafs is reflected back in the response

Figure 2: XSS Payload gets executed in the browser


Discovered by:
Arjun Basnet from Cyber Security Works Pvt Ltd


batopa commented Oct 15, 2015

Hi @cybersecurityworks, a BEdita dev here.
I'm trying to reproduce your POC without success.
I tried to edit the form action via the JS console and send the form, but no alert appears.

I see you used Burp Suite, so I installed it and I'm trying to figure out how to use it to reproduce the attack. I configured Firefox to work with Burp by setting the proxy, and Burp intercepts every request I make from BEdita. From Burp I edit the POST URL of the intercepted request, appending "><script>alert(1);</script>, and forward the request, but nothing happens.

Could you please give me more information on how to test the attack?
Thanks in advance


cybersecurityworks commented Oct 15, 2015

Hi batopa
Please find the steps below:

Log in to Bedita CMS 3.6.0.
Click on the Publication tab.
Now open Burp Suite and turn on "intercept is on".
Go back to the Bedita CMS 3.6.0 application, select "Contents" and click "ADD CONTENTS".
Once you click, it will show a pop-up window as follows.
Go back to the Burp Suite GUI, where you can see the intercepted request; now right-click and choose "send to repeater".
In "Repeater" you can modify the request by appending the script (please refer to the screenshots) and send the request to the server. In the response you can see your payload.
Now right-click on your response and send it to "Show response in browser".
Copy the Burp Suite response and paste it into your browser as follows.

For further queries, please feel free to contact us.


batopa commented Oct 16, 2015

The fix was committed in bedita/bedita@a193208.
Soon we'll prepare a new release.
Thanks for your help.


cybersecurityworks commented Oct 27, 2015

Good to know. Then, is it possible for bedita or the bedita development team to at least give credit for discovering this issue? If possible, please provide credit to:

"Arjun from Cyber Security Works Pvt Ltd (http://cybersecurityworks.com)"

This will keep our team motivated to keep on working on enhancing security. Thanks


batopa commented Dec 11, 2015

And finally it's here https://github.com/bedita/bedita/releases/tag/v3.7.0
Sorry for the delay.
Many thanks!
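
Added example, not part of the issue thread and not BEdita's code: it shows why the payload quoted in the thread runs when a request path is echoed unencoded into an HTML attribute, and how attribute encoding keeps it inert. The form template and all function names are hypothetical; the thread does not show where the path is reflected or what the fix commit changed.

```python
from html import escape
from html.parser import HTMLParser

# Path from the report plus the payload quoted in the thread (constructed request).
BASE_PATH = "/bedita/bedita-app/pages/showObjects/2/0/0/leafs"
PAYLOAD = '"><script>alert(1);</script>'


def render_raw(request_path: str) -> str:
    # Hypothetical template: echoes the request path into the form action as-is.
    return f'<form method="post" action="{request_path}"><input name="q"></form>'


def render_encoded(request_path: str) -> str:
    # Same template with HTML attribute encoding: & < > " ' become entities.
    safe = escape(request_path, quote=True)
    return f'<form method="post" action="{safe}"><input name="q"></form>'


class TagCollector(HTMLParser):
    """Records the start tags and the form action an HTML parser actually sees."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags = []
        self.form_action = None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "form":
            self.form_action = dict(attrs).get("action")


def parse_page(markup: str) -> TagCollector:
    collector = TagCollector()
    collector.feed(markup)
    collector.close()
    return collector


def injected_script(markup: str) -> bool:
    """True when the reflected value left its attribute and created a <script> element."""
    return "script" in parse_page(markup).tags


if __name__ == "__main__":
    for name, render in (("raw", render_raw), ("encoded", render_encoded)):
        page = parse_page(render(BASE_PATH + PAYLOAD))
        print(f"{name:8} tags={page.tags} action={page.form_action!r}")
```

In the raw rendering the parser sees the action end at `leafs` and a separate `script` element follow; in the encoded rendering the whole string, payload included, stays inside the `action` value.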
