Stored XSS in multiple menus in flatpressblog/flatpress
Reported on Dec 21st 2022
Description
The demo website is affected by stored XSS in multiple menus.
Proof of Concept 01
#1. Access the demo website http://demos4.softaculous.com/
#2. Log in with the admin user they provide, click the Uploader menu and, in the Uploader tab, upload any file, then choose the Media manager tab.
#3. We can see that the file is uploaded there and the web app allows us to add a new gallery. Write an XSS payload there and press the Add button. In this scenario, I used the payload "><img src=x onerror=alert("XSS")>
#4. The payload will be triggered immediately.
Link: https://drive.google.com/file/d/1VpZVguIL0hc-ZK-quD4ZAfvsy38OQuMu/view?usp=sharing
Proof of Concept 02
#1. Access the demo website and click the Entries menu.
#2. Choose the "Write Entry" tab and, in the textarea, write the XSS payload "><img src=x onerror=alert("XSS")>
#3. Press "Save & Continue" and the XSS payload will be triggered in some places. (Watch the PoC video for details.)
Link: https://drive.google.com/file/d/12zOYzQ4GWHW5QMIq5NkIViVaxpMRtQFD/view?usp=sharing
Note: The same happens with the Statics menu.
Impact
An attacker is able to steal a user's cookies.
Part 1 is valid, thanks for reporting. Part 2 is "as designed": Site admin is able to put custom HTML and JS into entries.
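
For Part 1 (the gallery name added in the Media manager tab), the following is an added example, not FlatPress code, showing the stored name rendered without encoding next to an output-encoded version and an allowlist check at creation time. The function names, the markup the name is rendered into and the assumption that the name also serves as a directory name are all hypothetical.

```php
<?php
// Added example; not FlatPress code. Function names and the HTML shape
// are assumptions made for illustration.

// Constructed sample: the gallery name used in Proof of Concept 01.
$galleryName = '"><img src=x onerror=alert("XSS")>';

// Unsafe: the stored name is concatenated into a quoted attribute and into
// element text without encoding, so the leading "> closes the attribute
// and the tag, and the rest is parsed as new markup.
function render_gallery_unsafe(string $name): string
{
    return '<a href="?gallery=' . $name . '">' . $name . '</a>';
}

// Output encoding: htmlspecialchars with ENT_QUOTES converts ", ', <, >
// and & to entities, which is correct for HTML text and quoted attributes.
// rawurlencode handles the URL query component before HTML encoding.
function render_gallery_safe(string $name): string
{
    $text = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $href = htmlspecialchars(
        '?gallery=' . rawurlencode($name),
        ENT_QUOTES | ENT_SUBSTITUTE,
        'UTF-8'
    );
    return '<a href="' . $href . '">' . $text . '</a>';
}

// Input validation at creation time: a gallery name is a short label
// (assumed here to double as a directory name), so a strict allowlist of
// letters, digits, space, underscore and hyphen rejects markup outright.
function is_valid_gallery_name(string $name): bool
{
    return preg_match('/\A[A-Za-z0-9][A-Za-z0-9 _-]{0,63}\z/', $name) === 1;
}

echo render_gallery_unsafe($galleryName), PHP_EOL;
echo render_gallery_safe($galleryName), PHP_EOL;
var_dump(is_valid_gallery_name($galleryName));
var_dump(is_valid_gallery_name('Holiday 2022'));
```

Validation on input and encoding on output are complementary: the allowlist keeps markup out of storage, and encoding protects any name that was stored before the check existed.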
