#1239 ✓resolved
Narendra Bhati

Whole CMS Is Vulnerable To Reflected XSS

Reported by Narendra Bhati | November 16th, 2014 @ 02:28 PM | in User issues

Hey Exponent CMS

I want to report a critical condition in your CMS: your whole CMS is vulnerable to a Reflected XSS attack.

How?
Let's see.

Suppose you have this URL: http://127.0.0.1/exponent/users/userperms/mod/navigation/int/1

Then you just have to add an XSS payload at the end of the URL, like this:
http://127.0.0.1/exponent/users/userperms/mod/navigation/int/1&quot...;

Every single page that has no parameter is vulnerable to the same attack.

Just add "> on every single page that has no XSS and you will get the JS alert box.
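As an added example (not Exponent CMS code, and not from the reporter or the maintainers), the following Python shows the two rendering patterns this ticket turns on, a request path echoed into markup unescaped versus HTML-encoded, together with the check a maintainer or a regression test can use to decide whether a value appended to a URL path comes back raw, encoded, stripped, or not at all. The renderer names, the canary string and the response bodies are constructed for the example; the canary is inert (no script), since the only question a defender needs answered is whether the markup characters survive encoding.

```python
"""Added example: classify how a URL path value is reflected into HTML.

Nothing here is Exponent CMS code; the renderers stand in for a page that
prints the request path (e.g. in a breadcrumb or self-link), and the
bodies the test feeds through them are constructed for this example.
"""
import html
import re

# Constructed canary: inert, unlikely to occur naturally in page markup, and
# carrying exactly the characters an output-encoding check cares about.
CANARY = 'x7q"><x7q>'
BASE_PATH = "/exponent/users/userperms/mod/navigation/int/1"  # from the report


def render_breadcrumb_unsafe(path: str) -> str:
    """Vulnerable pattern: the request path is interpolated verbatim."""
    return f'<a href="{path}">{path}</a>'


def render_breadcrumb_stripped(path: str) -> str:
    """Filter pattern: markup metacharacters are deleted before output.

    This is the behaviour the maintainer describes ("the payload is
    stripped out"); it hides the symptom but is brittle, because it has to
    anticipate every character that matters in every output context.
    """
    return render_breadcrumb_unsafe(re.sub(r'[<>"\']', "", path))


def render_breadcrumb_safe(path: str) -> str:
    """Hardened pattern: HTML-encode with quotes escaped, then interpolate.

    quote=True matters because the value lands inside an attribute as well
    as in element text; without it a double quote could still close href.
    """
    enc = html.escape(path, quote=True)
    return f'<a href="{enc}">{enc}</a>'


def classify_reflection(body: str, canary: str = CANARY) -> str:
    """Return how `canary` shows up in `body`.

    'raw'      - metacharacters reflected as-is (reflected XSS is possible)
    'encoded'  - reflected as HTML entities (correct handling)
    'stripped' - the alphanumeric part survives but the metacharacters
                 were removed (filter-based handling)
    'absent'   - the value is not reflected in this page at all
    """
    if canary in body:
        return "raw"
    if html.escape(canary, quote=True) in body:
        return "encoded"
    # Alphanumeric marker derived from the canary; if it survives while the
    # full canary did not, the page removed the metacharacters.
    marker = re.sub(r"[^0-9A-Za-z]", "", canary)
    if marker and marker in body:
        return "stripped"
    return "absent"


def check_renderer(render, base_path: str = BASE_PATH) -> str:
    """Append the canary to a path, render it, and classify the result."""
    return classify_reflection(render(base_path + CANARY))


if __name__ == "__main__":
    for name, fn in (("unsafe", render_breadcrumb_unsafe),
                     ("stripped", render_breadcrumb_stripped),
                     ("safe", render_breadcrumb_safe)):
        print(f"{name:9s} -> {check_renderer(fn)}")
```

In a real regression check the body would be the HTTP response for the base path with the canary appended to the last segment; `classify_reflection` is kept free of any network code so the decision logic itself can be unit-tested. Only the `raw` outcome indicates a reflected XSS condition; `encoded` is the outcome the hardened renderer produces.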

Comments and changes to this ticket

  • dleffler

    dleffler November 16th, 2014 @ 07:28 PM

    • Assigned user cleared.
    • Milestone set to User issues

    Are you reporting this as an issue with version 2.3.1patch4? Lighthouse tends to mangle tags in posts, but we are unable to reproduce this anomaly in v2.3.1patch4 (the current release).

    • Only a logged-in admin user could run this command (userperms), so the parameters wouldn't be acted on.
    • We see only normal activity when adding a double quote, followed by an opening script tag, followed by 'alert(7);', followed by a closing script tag (the payload is stripped out).

    If you are able to get this to occur in v2.1.4patch6, v2.2.3patch9, or v2.3.1patch4, please provide more details or a confirmation of my description of your specific url additions.

  • Narendra Bhati

    Narendra Bhati November 16th, 2014 @ 07:30 PM

    • Assigned user set to “expNinja”

    Yeah, right, I downloaded the new version of your CMS 4 days ago!

    But to make sure, kindly send me the link where I can download the new version!

  • Narendra Bhati

    Narendra Bhati November 16th, 2014 @ 07:33 PM

    I am 100% sure that I am using 2.1.4 patch 6, which I downloaded on 14 Nov 2014.

  • dleffler

    dleffler November 17th, 2014 @ 09:53 PM

    • Assigned user cleared.

    The version release package and the patches can be found at either of these locations:
    https://sourceforge.net/projects/exponentcms/files/
    https://github.com/exponentcms/exponent-cms/releases

    Current version is v2.3.1patch4 (install v2.3.1 followed by v2.3.1patch4)

    Patches were released for two older versions (latest release prior to a major update)
    v2.2.3patch9 (install v2.2.3 followed by v2.2.3patch9)
    v2.1.4patch6 (install v2.1.4 followed by v2.1.4patch6)

  • Narendra Bhati

    Narendra Bhati December 4th, 2014 @ 07:37 PM

    • Assigned user set to “expNinja”

    I checked that I am using the latest version, which is vulnerable to XSS!

  • dleffler

    dleffler December 27th, 2014 @ 02:51 PM

    • State changed from “new” to “resolved”
    • Assigned user cleared.

    All XSS exploits are blocked in v2.3.2 (v2.1.4patch7 & v2.2.3patch10)


Bug Tracker for Exponent CMS
