
List:       full-disclosure
Subject:    [FD] Chyrp CMS 2.5.2: XSS
From:       "Curesec Research Team (CRT)" <crt () curesec ! com>
Date:       2015-10-30 9:39:18
Message-ID: 0M48SR-1aiH492lXP-00rpwD () mrelayeu ! kundenserver ! de

Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    Chyrp CMS 2.5.2
Fixed in:            not fixed
Fixed Version Link:  n/a
Vendor Github:       https://github.com/chyrp/chyrp
Vulnerability Type:  XSS
Remote Exploitable:  Yes
Reported to vendor:  09/01/2015
Disclosed to public: 10/07/2015
Release mode:        Full Disclosure
CVE:                 n/a
Credits:             Tim Coen of Curesec GmbH

2. Vulnerability Description

There is an XSS vulnerability in Chyrp CMS 2.5.2. With this, it is possible to steal cookies, bypass CSRF protection, or inject JavaScript keyloggers.

The vulnerability exists because the key (parameter name) of every GET argument is echoed into the page without encoding; only the value is URL-encoded.

3. Proof of Concept

http://localhost/chyrp/themes/firecrest/images/dots-green.gif?"></script><script>alert(1)</script>=1

4. Code

    /includes/class/Theme.php:231
        public function javascripts() {
            $config = Config::current();
            $route = Route::current();

            $args = "";
            foreach ($_GET as $key => $val)
                if (!empty($val) and $val != $route->action)
                    // $val is urlencoded, but $key is concatenated raw
                    $args.= "&".$key."=".urlencode($val);

            // $args, and with it the raw key, ends up in the src of a <script> tag
            $javascripts = array($config->chyrp_url."/includes/lib/gz.php?file=jquery.js",
                                 $config->chyrp_url."/includes/lib/gz.php?file=plugins.js",
                                 $config->chyrp_url.'/includes/javascript.php?action='.$route->action.$args);
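
As an added illustration (example code, not Chyrp's and not part of the advisory), the $_GET loop above beside a hardened version, both run on a constructed $_GET whose key is the PoC payload; the function names, the action value "index" and the base URL are assumptions made for the example:

```php
<?php
// Added example, not Chyrp's code: the $_GET loop from Theme::javascripts()
// beside a hardened version, both run on a constructed $_GET whose key is the
// advisory's PoC payload. Run with: php this_file.php

// As shipped in Chyrp 2.5.2: the value is urlencoded, the key is not.
function build_args_vulnerable(array $get, string $action): string {
    $args = "";
    foreach ($get as $key => $val) {
        if (!empty($val) and $val != $action) {
            $args .= "&" . $key . "=" . urlencode($val);
        }
    }
    return $args;
}

// Hardened: encode the key as strictly as the value, so quotes and angle
// brackets never reach the generated URL (urlencode would also do here).
function build_args_safe(array $get, string $action): string {
    $args = "";
    foreach ($get as $key => $val) {
        if (!empty($val) and $val != $action) {
            $args .= "&" . rawurlencode($key) . "=" . rawurlencode($val);
        }
    }
    return $args;
}

// The URL is later written into an HTML attribute, which is a second context;
// escape for it as well instead of relying on the query-string encoding alone.
function script_tag(string $url): string {
    return '<script src="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '"></script>';
}

// Constructed request matching the PoC: key = payload, value = "1".
$get  = ['"></script><script>alert(1)</script>' => '1'];
$base = 'http://localhost/chyrp/includes/javascript.php?action=index';  // assumed

// Vulnerable output: the raw key closes the src attribute and the script tag,
// then injects a second <script> element into the page.
echo '<script src="' . $base . build_args_vulnerable($get, 'index') . "\"></script>\n";

// Hardened output: one well-formed script tag whose src is a percent-encoded URL.
echo script_tag($base . build_args_safe($get, 'index')) . "\n";
```

The first echo reproduces the breakout the advisory describes; the second keeps the payload inert as a percent-encoded parameter name.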


5. Solution

This issue was not fixed by the vendor.

6. Report Timeline

09/01/2015 Informed Vendor about Issue (no reply)
09/22/2015 Reminded Vendor of disclosure date (no reply)
10/07/2015 Disclosed to public


Blog Reference:
http://blog.curesec.com/article/blog/Chyrp-CMS-252-XSS-61.html

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

