Universal cross-site scripting in Exponent CMS 2.3.1 and prior
Reported by Mayuresh Dani | November 4th, 2014 @ 02:56 PM | in User issues
Hi,
We found a universal cross-site scripting vulnerability while testing Exponent
CMS versions prior to 2.3.1. It can be verified by visiting -
http://www.exponentcms.org/news/show/title/time-for-a-heavy-harvest...
http://www.exponentcms.org/news/show/title/%22%3E%3Cscript%3Ealert%...
http://www.exponentcms.org/news/%22%3E%3Cscript%3Ealert%287%29%3C/s...
Seems like Exponent CMS builds the canonical path field from an unsanitized URL, which can be used to execute arbitrary scripts.
Also, another cross-site scripting vulnerability exists in
version 2.3.1 example -
http://localhost/exponent/index.php?int=&src=%22/%3E%3CSCRIPT%3...
Thanks,
Mayuresh Dani (mdani@qualys.com)
Narendra Shinde (nshinde@qualys.com)
Comments and changes to this ticket
Mayuresh Dani November 4th, 2014 @ 03:19 PM
Also, a logged-in user can launch a similar attack simply by entering malicious JavaScript into the "First Name" and "Last Name" fields on http://localhost/exponent/users/edituser. If you enter a simple script tag such as - and you save it, you get the screenshot that I have attached.
Thanks,
Mayuresh and Narendra
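The two patterns described in this ticket, a canonical link built from the raw request path (the original report) and profile fields rendered without encoding (the follow-up comment), side by side with a hardened form. This is an added PHP example, not Exponent CMS code and not part of the ticket or its fix commits; the host name, the function names and the payload are constructed for illustration, the payload being the decoded form of the report's third URL.

```php
<?php
// Added example, not Exponent CMS code. It reconstructs the flaw the report
// describes (a canonical <link> built from the raw request path) next to a
// hardened version. Host name, function names and payload are assumptions.

declare(strict_types=1);

// HTML escaping for text and attribute values. ENT_QUOTES also encodes the
// single quote, so the result is safe inside either kind of quoted attribute.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Vulnerable pattern: the raw request URI is concatenated into an attribute
// value. A path segment containing "> terminates the attribute and the tag,
// and whatever follows is parsed as live markup.
function canonicalLinkVulnerable(string $requestUri): string
{
    return '<link rel="canonical" href="http://www.example.test' . $requestUri . '">';
}

// Hardened pattern: rebuild the canonical URL from route parameters the
// router has already matched, allow-list the fixed parts, percent-encode
// every free-text segment, then HTML-encode the whole attribute value.
function canonicalLinkSafe(array $route): string
{
    $module = $route['module'] ?? '';
    $action = $route['action'] ?? '';
    $title  = $route['title']  ?? '';

    // Module and action names are identifiers; anything else is rejected.
    if (!preg_match('/^[a-z0-9_-]+$/', $module)) {
        $module = 'index';
    }
    if (!preg_match('/^[a-z0-9_-]+$/', $action)) {
        $action = '';
    }

    $path = '/' . rawurlencode($module);
    if ($action !== '') {
        $path .= '/' . rawurlencode($action);
    }
    if ($title !== '') {
        // rawurlencode leaves only unreserved characters (RFC 3986) intact,
        // so quotes, angle brackets, parentheses and slashes are all encoded.
        $path .= '/title/' . rawurlencode($title);
    }

    return '<link rel="canonical" href="' . esc('http://www.example.test' . $path) . '">';
}

// Stored case from the follow-up comment: whatever was saved in the profile,
// the value is encoded at the point it is rendered.
function renderName(string $firstName, string $lastName): string
{
    return '<span class="name">' . esc($firstName) . ' ' . esc($lastName) . '</span>';
}

// Constructed payload, the decoded form of the report's third URL.
$payload = '/news/"><script>alert(7)</script>';

// The vulnerable output contains a real <script> element; the safe output
// carries the same text only as percent-encoded characters inside the href.
echo canonicalLinkVulnerable($payload), PHP_EOL;
echo canonicalLinkSafe([
    'module' => 'news',
    'action' => 'show',
    'title'  => '"><script>alert(7)</script>',
]), PHP_EOL;

// Stored XSS attempt via the "First Name" field from the follow-up comment.
echo renderName('<script>alert(1)</script>', 'Dani'), PHP_EOL;
```

Run it with `php canonical.php` and compare the two `<link>` lines: in the first, the attribute ends at the injected quote and the script element is part of the document; in the second, the payload survives only as `%22%3E%3Cscript%3E...` inside the href. The fix commits referenced below scrub parameters on the way in; encoding at the sink, as `esc()` does here, is the complementary control that holds even when an input path is missed.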
expNinja November 5th, 2014 @ 02:12 PM
(from [f8e878bbe4619c2bcfe4b35ed2fc795e9e384f71]) Better job of scrubbing all params coming in either by sef or query url [#1230] https://github.com/exponentcms/exponent-cms/commit/f8e878bbe4619c2b...
expNinja November 5th, 2014 @ 02:37 PM
(from [c9a5dc3008834c01f9619215ddeb7ccf1aeefa9a]) More universal/efficient fix for scrubbing parameters [#1230] https://github.com/exponentcms/exponent-cms/commit/c9a5dc3008834c01...
expNinja November 5th, 2014 @ 06:28 PM
(from [082ab6e21a47940927407cc0bdc10875f5deb3fa]) Better job of scrubbing all params coming in either by sef or query url #1230 https://github.com/exponentcms/exponent-cms/commit/082ab6e21a479409...
expNinja November 5th, 2014 @ 06:28 PM
(from [e18e4d534f5b704954888a8dc9a6a0373fd54247]) More universal/efficient fix for scrubbing parameters #1230 https://github.com/exponentcms/exponent-cms/commit/e18e4d534f5b7049...
Mayuresh Dani November 11th, 2014 @ 11:06 AM
Okay. Would have really appreciated it if you guys could have at least mentioned us for reporting these vulnerabilities when releasing the patches, though. :-)
Bug Tracker for Exponent CMS