
Reflected Cross Site scripting Vulnerability in Evolution CMS 2.0.x #1043

Open
prasadlingamaiah opened this issue Mar 22, 2019 · 2 comments
prasadlingamaiah commented Mar 22, 2019

Reflected Cross Site scripting Vulnerability

Description:
The second and the most common type of XSS is Reflected XSS (Non-persistent XSS). In this case, the attacker’s payload has to be a part of the request that is sent to the web server. It is then reflected back in such a way that the HTTP response includes the payload from the HTTP request. Attackers use malicious links, phishing emails, and other social engineering techniques to lure the victim into making a request to the server. The reflected XSS payload is then executed in the user’s browser.

Reflected XSS is not a persistent attack, so the attacker needs to deliver the payload to each victim. These attacks are often made using social networks.

1. Log in to the application.
   [screenshot: login page]

2. Go to the Document Manager and view the list of documents.
   [screenshot: Documents module location]

3. In the search parameter, insert the XSS payload <ScRipT>alert("XSS");</ScRipT>
   [screenshot: search parameter]

Affected URL:
https://20.0.0.143/evolution-2.0.x/manager/#?a=112&id=1
[screenshot: Documents location]

Mitigation:

• Output encoding: It is recommended to implement ‘output encoding’ to convert untrusted input into a safe form where the input is displayed as data to the user without executing as code in the browser. Java HTML encoding function:

```java
import java.text.StringCharacterIterator;

// Entity strings such as &lt; are restored here; the issue rendering had decoded
// them to bare characters, which would have made the function a no-op.
public static String HTMLEncode(String aTagFragment) {
    final StringBuffer result = new StringBuffer();
    final StringCharacterIterator iterator = new StringCharacterIterator(aTagFragment);
    char character = iterator.current();
    while (character != StringCharacterIterator.DONE) {
        if (character == '<') result.append("&lt;");
        else if (character == '>') result.append("&gt;");
        else if (character == '"') result.append("&quot;");
        else if (character == '\'') result.append("&#039;");
        else if (character == '\\') result.append("&#092;");
        else if (character == '&') result.append("&amp;");
        else {
            // the char is not a special one
            // add it to the result as is
            result.append(character);
        }
        character = iterator.next();
    }
    return result.toString();
}
```

• Escaping: Escape all untrusted data based on the HTML context (body, attribute, JavaScript, CSS, or URL) that the data will be placed into. ESAPI API:

```java
String safe = ESAPI.encoder().encodeForHTML( request.getParameter( "input" ) );
```

• Filtering input parameter: Positive or "whitelist" input validation with appropriate canonicalization is the recommended filtering technique. Alternatively, black-list filtering input works by removing some or all special characters from your input. Special characters are characters that enable script to be generated within an HTML stream. Special characters include the following: <> " ' % ; ) ( & + - JavaScript code:

```javascript
// Metacharacters ( ) and + are escaped so the regular expression is valid.
function RemoveBad(strTemp) {
    strTemp = strTemp.replace(/<|>|"|'|%|;|\(|\)|&|\+|-/g, "");
    return strTemp;
}
```

While the issue was being investigated, there were some backend updates done which apparently automatically mysteriously fixed the issue.
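The three mitigations listed above (output encoding per HTML context, ESAPI-style escaping for the context the data lands in, and positive input validation) applied to the reflected search parameter from this report, as an added example in JavaScript that is not code from the issue or from Evolution CMS; the template markup, the whitelist rule and the helper names are assumptions made for the demo:

```javascript
// Added example, not code from the issue or from Evolution CMS: context-aware
// output encoding of a reflected search term. Template, term and whitelist rule are constructed.

const HTML_ENTITIES = {
  '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;', '\\': '&#092;', '&': '&amp;',
};

// HTML body or quoted-attribute context: the six characters the issue's Java
// HTMLEncode handles become entities, so the browser renders them as text.
function encodeForHTML(s) {
  return String(s).replace(/[<>"'\\&]/g, (c) => HTML_ENTITIES[c]);
}

// JavaScript string-literal context: every non-alphanumeric code unit becomes
// \xHH or \uHHHH, so neither a closing quote nor </script> can come from data.
function encodeForJavaScript(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 256 ? '\\x' + code.toString(16).padStart(2, '0')
                      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// URL query-parameter context.
function encodeForURL(s) {
  return encodeURIComponent(String(s));
}

// Positive ("whitelist") validation for the search term: letters, digits,
// space and a few punctuation marks, at most 64 characters. Hypothetical rule.
function isValidSearchTerm(term) {
  return /^[\p{L}\p{N} _.-]{1,64}$/u.test(term);
}

// Renders the results header with the term reflected into four contexts, each
// through the encoder for that context. The markup is a demo, not the CMS's.
function renderSearchHeader(term) {
  return [
    `<h2>Results for: ${encodeForHTML(term)}</h2>`,
    `<input name="search" value="${encodeForHTML(term)}">`,
    `<script>var lastSearch = '${encodeForJavaScript(term)}';</script>`,
    `<a href="?a=112&amp;search=${encodeForURL(term)}">next page</a>`,
  ].join('\n');
}

const PAYLOAD = '<ScRipT>alert("XSS");</ScRipT>'; // the payload reported in the issue

// Number of live <script openings in the rendered header: the template's own one is expected.
function scriptTagCount(html) {
  return (html.match(/<script/gi) || []).length;
}
```

With the encoders in place the reported payload is displayed as literal text in every context, while the whitelist rejects it outright before it is ever reflected.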

@prasadlingamaiah prasadlingamaiah changed the title Reflected XSS Vulnerability Reflected Cross Site scripting Vulnerability Mar 22, 2019
@AgelxNash AgelxNash self-assigned this Mar 22, 2019
prasadlingamaiah (Author) commented:

Any update on closing this vulnerability?

@prasadlingamaiah prasadlingamaiah changed the title Reflected Cross Site scripting Vulnerability Reflected Cross Site scripting Vulnerability in Evolution CMS 2.0.x Aug 2, 2019
prasadlingamaiah (Author) commented:

Any update on this?
