Advisory: Persistent XSS Vulnerability in CMS Papoo Light v6
Advisory ID: SROEADV-2014-01
Author: Steffen Rösemann
Affected Software: CMS Papoo Version 6.0.0 Rev.4701
Vendor URL: http://www.papoo.de/
Vendor Status: fixed
CVE-ID:-==========================
Vulnerability Description:==========================
The CMS Papoo Light Version has a persistent XSS vulnerability in its guestbook functionality andin its user-registration functionality.==================
Technical Details:==================
XSS-Vulnerability #1:
Papoo Light CMS v6 provides the functionality to post comments on a guestbook via the following url: http://{target-url}/guestbook.php?menuid=6.
The input fields with the id „author“ is vulnerable to XSS which gets stored in the database and makes that vulnerability persistent.
Payload-Examples:<img src='https://www.exploit-db.com/exploits/35551/n' onerror=“javascript:alert('XSS')“ ><iframe src=“some_remote_source“></iframe>
XSS-Vulnerability #2:
People can register themselves on Papoo Light v6 CMS at http://{target-url}/account.php?menuid=2. Instead of using a proper username, an attacker can inject HTML and/or JavaScriptcode on the username input-field.
Code gets written to the database backend then. Attacker only has to confirm his/her e-mail address to be able to login and spread the code by posting to the forum or the guestbook where the username is displayed.
Payload-Examples:
see above (XSS #1)=========
Solution:=========
Update to the latest version
====================
Disclosure Timeline:====================13-Dec-2014 – found XSS #113-Dec-2014- informed the developers (XSS #1)14-Dec-2014 – found XSS #214-Dec-2014 – informed the developers (XSS #2)15-Dec-2014- release date of this security advisory
15-Dec-2014- response and fix by vendor
15-Dec-2014- post on BugTraq
========
Credits:========
Vulnerability found and advisory written by Steffen Rösemann.===========
References:===========
http://www.papoo.de/
http://sroesemann.blogspot.de
