[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [FD] Chyrp CMS 2.5.2: XSS
From: "Curesec Research Team (CRT)" <crt () curesec ! com>
Date: 2015-10-30 9:39:18
Message-ID: 0M48SR-1aiH492lXP-00rpwD () mrelayeu ! kundenserver ! de
[Download RAW message or body]
Security Advisory - Curesec Research Team
1. Introduction
Affected Product: Chyrp CMS 2.5.2
Fixed in: not fixed
Fixed Version Link: n/a
Vendor Github: https://github.com/chyrp/chyrp
Vulnerability Type: XSS
Remote Exploitable: Yes
Reported to vendor: 09/01/2015
Disclosed to public: 10/07/2015
Release mode: Full Disclosure
CVE: n/a
Credits Tim Coen of Curesec GmbH
2. Vulnerability Description
There is an XSS vulnerability in Chyrp CMS 2.5.2. With this, it is possible \
to steal cookies, bypass CSRF protection, or inject JavaScript keyloggers.
The vulnerability exists because the key of all GET arguments is echoed \
without encoding.
3. Proof of Concept
http://localhost/chyrp/themes/firecrest/images/dots-green.gif?"></script><script>alert(1)</script>=1
4. Code
/includes/class/Theme.php:231
public function javascripts() {
$config = Config::current();
$route = Route::current();
$args = "";
foreach ($_GET as $key => $val)
if (!empty($val) and $val != $route->action)
$args.= "&".$key."=".urlencode($val);
$javascripts = \
array($config->chyrp_url."/includes/lib/gz.php?file=jquery.js",
\
$config->chyrp_url."/includes/lib/gz.php?file=plugins.js",
\
$config->chyrp_url.'/includes/javascript.php?action='.$route->action.$args);
5. Solution
This issue was not fixed by the vendor.
6. Report Timeline
09/01/2015 Informed Vendor about Issue (no reply)
09/22/2015 Reminded Vendor of disclosure date (no reply)
10/07/2015 Disclosed to public
Blog Reference:
http://blog.curesec.com/article/blog/Chyrp-CMS-252-XSS-61.html
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic