
Universal cross-site scripting in Exponent CMS 2.3.1 and prior
Reported by Mayuresh Dani | November 4th, 2014 @ 02:56 PM | in User issues
Hi,
We found a universal cross-site scripting while testing Exponent
CMS versions prior to 2.3.1. It can be verified by visiting -
http://www.exponentcms.org/news/show/title/time-for-a-heavy-harvest...
http://www.exponentcms.org/news/show/title/%22%3E%3Cscript%3Ealert%...
http://www.exponentcms.org/news/%22%3E%3Cscript%3Ealert%287%29%3C/s...
Seems like Exponent CMS builds the canonical path field from an unsanitized URL, which can be used to execute arbitrary scripts.
Also, another cross-site scripting vulnerability exists in
version 2.3.1 example -
http://localhost/exponent/index.php?int=&src=%22/%3E%3CSCRIPT%3...
Thanks,
Mayuresh Dani (mdani@qualys.com)
Narendra Shinde (nshinde@qualys.com)
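The report above points at a canonical path field built from the raw request URL. As an added illustration that is not Exponent CMS code, the following PHP shows that pattern next to a hardened version that relies on output encoding for the attribute context rather than stripping tags from input (the thread later notes that over-scrubbing damaged legitimate data). The host name and the sample path are constructed for the demo.

```php
<?php
// Added illustration (not Exponent CMS code): a canonical <link> tag
// built two ways from a request path. Sample values are constructed.

// Unsafe: the raw request path is concatenated straight into an attribute.
// A path that contains a quote and angle brackets closes href and is then
// parsed as markup by the browser.
function canonical_tag_unsafe(string $host, string $requestPath): string
{
    return '<link rel="canonical" href="https://' . $host . $requestPath . '" />';
}

// Hardened: normalize the path, then encode it for the HTML attribute.
function canonical_tag_safe(string $host, string $requestPath): string
{
    // Keep only the path component; drop query string and fragment.
    $path = explode('?', $requestPath, 2)[0];
    $path = explode('#', $path, 2)[0];

    // Decode then re-encode each segment so quotes, angle brackets and
    // spaces become %XX sequences inside the URL itself (and segments that
    // were already encoded, e.g. %22, are not double-encoded).
    $segments = array_map(
        fn(string $s): string => rawurlencode(rawurldecode($s)),
        explode('/', $path)
    );
    $url = 'https://' . $host . implode('/', $segments);

    // Output encoding for the attribute context is what stops the
    // injection; nothing is removed from stored user data.
    $escaped = htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<link rel="canonical" href="' . $escaped . '" />';
}

// Constructed sample: a SEF-style path carrying the kind of payload the
// report shows (URL-encoded quote, angle brackets and a script tag).
$host = 'cms.example.test';
$injected = '/news/show/title/%22%3E%3Cscript%3Ealert%287%29%3C/script%3E';

echo canonical_tag_unsafe($host, rawurldecode($injected)), PHP_EOL;
echo canonical_tag_safe($host, $injected), PHP_EOL;
```

The second line of output keeps the whole value inside the href attribute as a percent-encoded URL, so the same request no longer yields executable markup.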
Comments and changes to this ticket
-
Mayuresh Dani November 4th, 2014 @ 03:19 PM
Also a logged-in user can launch a similar attack simply by entering malicious JavaScript into the "First Name" and "Last Name" fields on http://localhost/exponent/users/edituser. If you enter a simple script tag such as - and you save it, you get the screen shot that I have attached.
Thanks,
Mayuresh and Narendra -
expNinja November 5th, 2014 @ 02:12 PM
(from [f8e878bbe4619c2bcfe4b35ed2fc795e9e384f71]) Better job of scrubbing all params coming in either by sef or query url [#1230] https://github.com/exponentcms/exponent-cms/commit/f8e878bbe4619c2b...
-
expNinja November 5th, 2014 @ 02:37 PM
(from [c9a5dc3008834c01f9619215ddeb7ccf1aeefa9a]) More universal/efficient fix for scrubbing parameters [#1230] https://github.com/exponentcms/exponent-cms/commit/c9a5dc3008834c01...
-
expNinja November 5th, 2014 @ 06:28 PM
(from [082ab6e21a47940927407cc0bdc10875f5deb3fa]) Better job of scrubbing all params coming in either by sef or query url #1230 https://github.com/exponentcms/exponent-cms/commit/082ab6e21a479409...
-
expNinja November 5th, 2014 @ 06:28 PM
(from [e18e4d534f5b704954888a8dc9a6a0373fd54247]) More universal/efficient fix for scrubbing parameters #1230 https://github.com/exponentcms/exponent-cms/commit/e18e4d534f5b7049...
-
dleffler November 5th, 2014 @ 06:33 PM
- State changed from new to resolved
- Assigned user changed from expNinja to dleffler
This issue has been addressed in the development code (v2.3.2 pre-release) and a patch now exists for v2.1.4, v2.2.3, and v2.3.1
-
dleffler November 5th, 2014 @ 07:42 PM
- State changed from resolved to open
Reopened as we scrub too much out of the input
-
dleffler November 6th, 2014 @ 06:39 PM
- State changed from open to resolved
Correct fix now re-introduced in the patches and working code.
-
dleffler November 10th, 2014 @ 01:05 PM
- Tag set to security
ALL form input is scrubbed before passing into the system...in addition to standard processing, specifically 'script' tags are removed.
-
Mayuresh Dani November 11th, 2014 @ 11:06 AM
Okay. Would have really appreciated if you guys could have at least mentioned us for reporting these vulnerabilities when releasing patches though. :-)
-
dleffler November 12th, 2014 @ 01:15 PM
- State changed from resolved to open
- Milestone set to User issues
-
dleffler November 13th, 2014 @ 04:10 PM
- State changed from open to resolved
Ok, the data corruption (adding rn's) was a magic quotes problem
Bug Tracker for Exponent CMS
Referenced by
-
1179 Possible 0 Days Security Issue??? Though we were never able to reproduce the specific issue...