#1179 ✓resolved
Narendra Bhati

Possible 0 Days Security Issue???

Reported by Narendra Bhati | July 2nd, 2014 @ 08:27 PM | in User issues

Hello Exponent Security Team

I would like to inform you that your whole CMS is vulnerable to XSS attack.

By using this an attacker can maintain site access and keep track of it; he is also able to hijack admin session cookies. These bugs exist in every part of your site, so please secure it as soon as possible.

Waiting for the positive reply.

Comments and changes to this ticket

  • Narendra Bhati

    Narendra Bhati July 3rd, 2014 @ 04:21 PM

    Hey there, I think you didn't take a close look at the issue.

    In the attached screenshot I want to show you that your web application is vulnerable to XSS (Cross Site Scripting vulnerability); by using this vulnerability an attacker can hijack the victim's session.

    Read this for more information: https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29

    The title box XSS which I sent you is just a demo that your whole CMS is vulnerable to XSS.
    Nowadays many hackers or attackers want to create their own backdoor on a web application for later use. Now you are thinking that an attacker can upload a shell on the web server, but that seems tough; instead of uploading a shell, nowadays attackers are using Stored XSS for creating a backdoor on a web application for later use.

    Now here is the attack scene: an attacker can first hijack the admin panel and then inject an XSS payload in the title or content box.
    Now after some days, if the web application admin password is changed, the attacker is still able to hijack the admin session with his previously uploaded XSS payload, and he can also hijack web application visitors' sessions like the admin session.

    So the point is that you should prevent any data from reflecting back to the page without proper filtering or sanitization.

    I got 20 different 0 Day XSS in different CMSes in the last 10 days. Some 0 Day XSS are like your web application also, and they have decided to fix these issues.

    Now if you are going to fix this issue, then it's OK; I am requesting you to assign me a CVE ID after fixing.

    If you are not planning to patch this, then also reply to me so I can publicly disclose it.

    The good news is also that not only the title tag is vulnerable to XSS, but your whole CMS is vulnerable to XSS.

  • Narendra Bhati

    Narendra Bhati July 9th, 2014 @ 05:44 AM

    Waiting for your reply.

  • Narendra Bhati

    Narendra Bhati July 9th, 2014 @ 06:09 PM

    Hey, give me a break..

    First let me know whether you are aware of the XSS vulnerability or not. If no, then OK, I can explain it to you, but if yes, then I think you should not ask me about this impact and exploitation.

  • expNinja

    expNinja July 9th, 2014 @ 06:17 PM

    • Assigned user set to “expNinja”

    In your zip file, you show screenshots of JavaScript being inserted as part of the title tag content. However, in order to do this, you'd have to be logged in as an administrator already, and so gaining admin access wouldn't be necessary as the user already has it.

    What isn't clear to us is how someone with no access to an Exponent site could gain access. We're trying to assess the risk, but we're not clear on how this could be accomplished with the screenshots you've shown. If you could please explain how this could be accomplished, we can decide what to do from there.

    Thanks for taking the time.

  • Narendra Bhati

    Narendra Bhati July 9th, 2014 @ 06:21 PM

    OK, let me send you the exploitation, OK.

  • Narendra Bhati

    Narendra Bhati July 9th, 2014 @ 08:11 PM

    No, many of your parts are vulnerable to XSS.
    Now I want to introduce another issue, which is CSRF.

    Because your web CMS is not using any kind of tokens for validating a valid request,
    an attacker can trick a user (admin) into performing some action which he did not want to do,
    like an attacker can trick a user into submitting a form with the title box containing an XSS payload, which you saw in my attached zip file.
    In your web CMS there are no CSRF tokens, so an attacker can send this page in an email or insert it in a CMS post comment, and when the admin clicks this link the HTML page will open and an automated title update request will be sent to the web server, which causes a hidden XSS payload to be inserted in the title box, which helps an attacker.

    You can also read this article from OWASP:
    https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29

    A PoC video is attached with this report showing how an attacker can insert the XSS payload without getting access to the website admin panel. Please also find the attachment.

    So I have created an HTML page with the mentioned code.

    Now


    <!-- CSRF PoC ---------------->
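A defender-side illustration of the two fixes this thread asks for, written as an added example and not taken from Exponent CMS: a per-session synchronizer token check on the title-update handler, so a forged cross-site form post that rides on the admin's cookie is refused, and HTML-escaping of the stored title at render time, so a payload that does reach storage is shown as text rather than executed. `Session`, `PAGES`, `handle_title_update` and `render_title` are constructed stand-ins for the CMS's own session store, page table and handlers.

```python
import hmac
import html
import secrets
from dataclasses import dataclass, field

# Constructed stand-ins for the CMS session store and page table (not Exponent's code).
@dataclass
class Session:
    user: str
    # One unguessable token per login session. Only forms rendered by this site
    # carry it, so a page hosted elsewhere cannot include the right value.
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(32))

PAGES: dict[str, str] = {"home": "Welcome"}

def csrf_field(session: Session) -> str:
    """Hidden input the CMS would embed in its own edit forms."""
    return f'<input type="hidden" name="csrf_token" value="{session.csrf_token}">'

def handle_title_update(session: Session, form: dict[str, str]) -> tuple[int, str]:
    """Title-update handler with a synchronizer-token check.

    A cross-site auto-submitting form arrives with the victim's session cookie,
    so `session` resolves to a logged-in admin, but the form cannot know the
    per-session token. The comparison is constant-time so a timing side channel
    does not leak the token byte by byte."""
    submitted = form.get("csrf_token", "")
    if not hmac.compare_digest(submitted.encode(), session.csrf_token.encode()):
        return 403, "rejected: missing or invalid CSRF token"
    page = form.get("page", "home")
    if page not in PAGES:
        return 404, "no such page"
    PAGES[page] = form.get("title", "")   # store as-is; encode on output
    return 200, "title updated"

def render_title(page: str) -> str:
    """Output encoding: the stored value is emitted as text, not markup, so a
    stored payload cannot run in an admin's or a visitor's browser."""
    return f"<title>{html.escape(PAGES[page], quote=True)}</title>"

def forged_update_is_rejected() -> tuple[int, str]:
    """Simulates the thread's scenario: a logged-in admin's browser submits a
    title form from a third-party page. The cookie makes the session valid,
    but the token is absent, so the handler refuses the change."""
    admin = Session("admin")
    forged = {"page": "home", "title": "<script>alert(1)</script>"}
    return handle_title_update(admin, forged)
```

Checking the token alone is enough to stop the forged update; the output encoding is the second layer, for any title that still reaches the database through another path.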

  • Narendra Bhati

    Narendra Bhati July 10th, 2014 @ 12:53 PM

    Waiting for your reply ;-)

  • Narendra Bhati

    Narendra Bhati July 11th, 2014 @ 08:01 PM

    Still waiting for your reply

  • Narendra Bhati

    Narendra Bhati September 21st, 2014 @ 05:27 PM

    • Assigned user set to “expNinja”

    Any update regarding the issue?
    Hope you will apply for a CVE ID.

  • Narendra Bhati

    Narendra Bhati October 18th, 2014 @ 08:33 AM

    Any update regarding the issue or CVE ID ?

  • Narendra Bhati

    Narendra Bhati November 6th, 2014 @ 06:50 PM

    Kindly read this; I was talking about this issue:
    https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)

    And what about a CVE ID for this issue?

Bug Tracker for Exponent CMS