#3503 - Persistent XSS
| Identifier | #3503 |
|---|---|
| Issue type | Major issue (breaks an entire feature) |
| Title | Persistent XSS |
| Status | Completed |
| Handling member | Chris Graham |
| Addon | core |
| Description | Hi, I found a stored XSS on Composr CMS version composr_quick_installer-10.0.13. |
| Steps to reproduce | After installation of Composr CMS, it will ask for some details, like deleting install.php, etc. In the step wizard, step 3 has some details which are filled in by a user. URL: http://localhost:880/composr_quick_installer-10.0.13/adminzone/index.php?page=admin-setupwizard&type=step3 Here the site_name parameter is vulnerable to XSS. |
| Additional information | I attached an image PoC which confirms the vulnerability. Let me know if you need any more information regarding this vulnerability. Looking forward to hearing from you. Best regards, Faiz Ahmed Zaidi [email protected] Information Security Researcher https://www.linkedin.com/in/faizzaidi |
| Funded? | No |


Comments
Thanks for the report.
This both is and isn't a security hole. By that I mean I agree it is a security hole, but it is not exploitable.
The Setup Wizard can only be run by a logged in webmaster, and thus no non-privileged user can set this.
Additionally, CSRF protection exists, such as tokens in forms, referrer checking, and session validation, to prevent remote control of this kind of thing.
Regardless, this will be fixed in our next patch release, and I do thank you for your report. We strive to fix all issues, even if we don't believe them to be exploitable.
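
The class of fix this report calls for, shown as an added illustration that is not taken from Composr's code base or its patch: a stored `site_name` value is encoded for each output context at render time. The function names and the three sinks shown are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers; not Composr's API. $stored stands in for the
// site_name value saved by the Setup Wizard and later read from config.

/** Vulnerable pattern: stored value concatenated into markup as-is. */
function render_title_unsafe(string $siteName): string
{
    return '<title>' . $siteName . '</title>';
}

/** Encoder for HTML text and quoted-attribute contexts. */
function esc_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Encoder for a JavaScript string literal inside an inline <script> block. */
function esc_js(string $value): string
{
    // The HEX flags keep <, >, &, ' and " out of the emitted literal.
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

/** Hardened rendering: each sink gets the encoder for its context. */
function render_header_safe(string $siteName): string
{
    return '<title>' . esc_html($siteName) . "</title>\n"
        . '<meta property="og:site_name" content="' . esc_html($siteName) . "\">\n"
        . '<script>var siteName = ' . esc_js($siteName) . ";</script>\n";
}

// Constructed sample input, as it might be stored from the step 3 form.
$stored = 'My Site"><script>alert(1)</script>';

echo render_title_unsafe($stored), "\n"; // markup from the stored value reaches the page
echo render_header_safe($stored);        // the same value is rendered as inert text
```

Encoding at output rather than filtering at input keeps the stored value intact and protects every page that later displays it, including pages viewed by other administrators.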