Universal cross-site scripting in Exponent CMS 2.3.1 and prior
Reported by Mayuresh Dani | November 4th, 2014 @ 02:56 PM | in User issues
Hi,
We found a universal cross-site scripting while testing Exponent
CMS versions prior to 2.3.1. It can be verified by visiting -
http://www.exponentcms.org/news/show/title/time-for-a-heavy-harvest...
http://www.exponentcms.org/news/show/title/%22%3E%3Cscript%3Ealert%...
http://www.exponentcms.org/news/%22%3E%3Cscript%3Ealert%287%29%3C/s...
Seems like Exponent CMS builds the canonical path field from an unsanitized URL, which can be used to execute arbitrary scripts.
Also, another cross-site scripting vulnerability exists in
version 2.3.1 example -
http://localhost/exponent/index.php?int=&src=%22/%3E%3CSCRIPT%3...
Thanks,
Mayuresh Dani (mdani@qualys.com)
Narendra Shinde (nshinde@qualys.com)
-
Exponent-231.PNG
57.2 KB
Exponent-231.PNG
Comments and changes to this ticket
-
Mayuresh Dani November 4th, 2014 @ 03:19 PM
Also a logged-in user can launch a similar attack simply by entering malicious java script into the "First Name" and "Last Name" fields on http://localhost/exponent/users/edituser. If you enter a simple script tag such as - and you save it, you get the screen shot that I have attached.
Thanks,
Mayuresh and Narendra-
ExponentUser2.PNG
35.4 KB
-
-
expNinja November 5th, 2014 @ 02:12 PM
(from [f8e878bbe4619c2bcfe4b35ed2fc795e9e384f71]) Better job of scrubbing all params coming in either by sef or query url [#1230] https://github.com/exponentcms/exponent-cms/commit/f8e878bbe4619c2b...
-
expNinja November 5th, 2014 @ 02:37 PM
(from [c9a5dc3008834c01f9619215ddeb7ccf1aeefa9a]) More universal/efficient fix for scrubbing parameters [#1230] https://github.com/exponentcms/exponent-cms/commit/c9a5dc3008834c01...
-
expNinja November 5th, 2014 @ 06:28 PM
(from [082ab6e21a47940927407cc0bdc10875f5deb3fa]) Better job of scrubbing all params coming in either by sef or query url #1230 https://github.com/exponentcms/exponent-cms/commit/082ab6e21a479409...
-
expNinja November 5th, 2014 @ 06:28 PM
(from [e18e4d534f5b704954888a8dc9a6a0373fd54247]) More universal/efficient fix for scrubbing parameters #1230 https://github.com/exponentcms/exponent-cms/commit/e18e4d534f5b7049...
-
dleffler November 5th, 2014 @ 06:33 PM
- State changed from “new” to “resolved”
- Assigned user changed from “expNinja” to “dleffler”
This issue has been addressed in the development code (v2.3.2 pre-release) and a patch now exists for v2.1.4, v2.2.3, and v2.3.1
-
dleffler November 5th, 2014 @ 07:42 PM
- State changed from “resolved” to “open”
Reopened as we scrub too much out of the input
-
dleffler November 6th, 2014 @ 06:39 PM
- State changed from “open” to “resolved”
Correct fix now re-introduced in the patches and working code.
-
-
dleffler November 10th, 2014 @ 01:05 PM
- Tag set to “security”
ALL form input is scrubbed before passing into the system...in addition to standard processing, specifically 'script' tags are removed.
-
Mayuresh Dani November 11th, 2014 @ 11:06 AM
Okay. Would have really appreciated if you guys could have atleast mentioned us for reporting these vulnerabilities when releasing patches though. :-)
-
dleffler November 12th, 2014 @ 01:15 PM
- State changed from “resolved” to “open”
- Milestone set to “User issues”
-
-
dleffler November 13th, 2014 @ 04:10 PM
- State changed from “open” to “resolved”
Ok, the data corruption (adding rn's) was a magic quotes problem
ExponentUser2.PNG
Please Sign in or create a free account to add a new ticket.
With your very own profile, you can contribute to projects, track your activity, watch tickets, receive and update tickets through your email and much more.
Create new ticket
Create your profile
Help contribute to this project by taking a few moments to create your personal profile. Create your profile ยป
Bug Tracker for Exponent CMS
People watching this ticket
dleffler
expNinja
Attachments
-
Exponent-231.PNG
57.2 KB
-
ExponentUser2.PNG
35.4 KB
Tags
Referenced by
-
1179
Possible 0 Days Security Issue???
Though we were never able to reproduce the specific issue...