
WonderCMS 0.9.8 Cross Site Scripting

Posted on 23 November 2016

=============================================
MGC ALERT 2016-006
- Original release date: Nov 16, 2016
- Last revised: Nov 21, 2016
- Discovered by: Manuel Garcia Cardenas
- Severity: 4,8/10 (CVSS Base Score)
=============================================

I. VULNERABILITY
-------------------------
Reflected XSS in WonderCMS <= v0.9.8

II. BACKGROUND
-------------------------
WonderCMS is a simple, small & secure flat file CMS.

III. DESCRIPTION
-------------------------
A reflected XSS vulnerability has been detected in WonderCMS that allows arbitrary HTML/script code to be executed in the context of the victim user's browser. The code injection is done through the parameter "page" in the page "editinplace.php".

IV. PROOF OF CONCEPT
-------------------------
Malicious Request:
/wonder/js/editinplace.php?page=<XSS injection>

Example:
/wonder/js/editinplace.php?page=<script>alert(1)</script>

V. BUSINESS IMPACT
-------------------------
An attacker can execute arbitrary HTML or script code in a targeted user's browser; this can be leveraged to steal sensitive information such as user credentials, personal data, etc.

VI. SYSTEMS AFFECTED
-------------------------
WonderCMS <= v0.9.8

VII. SOLUTION
-------------------------
Update to version 0.9.9

VIII. REFERENCES
-------------------------
https://wondercms.com/

IX. CREDITS
-------------------------
This vulnerability has been discovered and reported by Manuel Garcia Cardenas (advidsec (at) gmail (dot) com).

X. REVISION HISTORY
-------------------------
Nov 16, 2016 1: Initial release
Nov 21, 2016 2: Last revision

XI. DISCLOSURE TIMELINE
-------------------------
Nov 16, 2016 1: Vulnerability acquired by Manuel Garcia Cardenas
Nov 16, 2016 2: Sent to vendor
Nov 20, 2016 3: New version that includes patched code https://wondercms.com/forum/viewtopic.php?f=8&t=761
Nov 21, 2016 4: Sent to lists

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.

XIII. ABOUT
-------------------------
Manuel Garcia Cardenas
Pentester
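As an added defender-side example (not part of the advisory or of WonderCMS itself), the following Python scans web-server access-log lines for requests to the affected editinplace.php script whose "page" parameter carries HTML or script markers, so that exposure on an unpatched install can be spotted in logs. The log lines, client IPs, the log format regex and the marker regex are constructed assumptions for the example, not data from the advisory.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (Common Log Format), not from the advisory.
# The first two carry script/HTML markers in the "page" parameter of editinplace.php.
SAMPLE_LOG = """\
203.0.113.5 - - [21/Nov/2016:10:00:01 +0000] "GET /wonder/js/editinplace.php?page=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 512
203.0.113.7 - - [21/Nov/2016:10:00:02 +0000] "GET /wonder/js/editinplace.php?page=home%22%20onmouseover%3D%22alert(1) HTTP/1.1" 200 512
198.51.100.2 - - [21/Nov/2016:10:00:03 +0000] "GET /wonder/js/editinplace.php?page=home HTTP/1.1" 200 512
198.51.100.3 - - [21/Nov/2016:10:00:04 +0000] "GET /wonder/index.php?page=%3Cb%3Ex HTTP/1.1" 200 512
"""

# Assumed log layout: client ip, ident, user, [timestamp], "METHOD target PROTOCOL"
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
)
# Markers a page name never legitimately contains: a tag opener, an on* event
# handler attribute, or a javascript: URL.
SUSPICIOUS_RE = re.compile(r'<\s*/?\s*[a-z]|\bon[a-z]+\s*=|javascript\s*:', re.IGNORECASE)


def suspicious_page_values(log_text, path_suffix="/js/editinplace.php", param="page"):
    """Return (client ip, decoded page value) for each request to the affected
    script whose `page` parameter contains HTML/script markers."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line in the assumed format
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith(path_suffix):
            continue
        for value in parse_qs(parts.query, keep_blank_values=True).get(param, []):
            # parse_qs already decoded once; decode again so that a
            # double-encoded value is inspected in its final form.
            decoded = unquote(value)
            if SUSPICIOUS_RE.search(decoded):
                hits.append((m.group("ip"), decoded))
    return hits


if __name__ == "__main__":
    for ip, value in suspicious_page_values(SAMPLE_LOG):
        print(f"{ip} sent page={value!r}")
```

The log check is a secondary control only; the fix is the vendor update, which must encode the reflected parameter before it reaches the HTML response.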
