Aerosol Posted December 16, 2014

Advisory: Persistent XSS Vulnerability in CMS Papoo Light v6
Advisory ID: SROEADV-2014-01
Author: Steffen Rösemann
Affected Software: CMS Papoo Version 6.0.0 Rev. 4701
Vendor URL: http://www.papoo.de/
Vendor Status: fixed
CVE-ID: -

==========================
Vulnerability Description:
==========================

The CMS Papoo Light Version has a persistent XSS vulnerability in its guestbook functionality and in its user-registration functionality.

==================
Technical Details:
==================

XSS-Vulnerability #1:

Papoo Light CMS v6 provides the functionality to post comments on a guestbook via the following url: http://{target-url}/guestbook.php?menuid=6.

The input field with the id "author" is vulnerable to XSS which gets stored in the database and makes that vulnerability persistent.

Payload-Examples:

<img src='n' onerror="javascript:alert('XSS')" >
<iframe src="some_remote_source"></iframe>

XSS-Vulnerability #2:

People can register themselves on Papoo Light v6 CMS at http://{target-url}/account.php?menuid=2. Instead of using a proper username, an attacker can inject HTML and/or JavaScript code on the username input-field. Code gets written to the database backend then. Attacker only has to confirm his/her e-mail address to be able to login and spread the code by posting to the forum or the guestbook where the username is displayed.

Payload-Examples:

see above (XSS #1)

=========
Solution:
=========

Update to the latest version

====================
Disclosure Timeline:
====================

13-Dec-2014 - found XSS #1
13-Dec-2014 - informed the developers (XSS #1)
14-Dec-2014 - found XSS #2
14-Dec-2014 - informed the developers (XSS #2)
15-Dec-2014 - release date of this security advisory
15-Dec-2014 - response and fix by vendor
15-Dec-2014 - post on BugTraq

========
Credits:
========

Vulnerability found and advisory written by Steffen Rösemann.

===========
References:
===========

http://www.papoo.de/
http://sroesemann.blogspot.de
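As an added defensive illustration (not part of the advisory and not Papoo's own code), the Python below shows the two controls that close this bug class for the guestbook "author" field and the registration username: a strict allow-list on the username at registration time and HTML-escaping of the stored value at render time, plus a check for rows written before the fix. The row layout and the sample rows are constructed assumptions.

```python
import html
import re
from typing import Iterable, List, Tuple

# A username on a registration form needs no markup at all, so an
# allow-list is simpler and safer than trying to strip "bad" input.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{3,32}$")

# Heuristic for stored markup in a field that should hold a plain name:
# an opening tag, an on*= event handler, or a javascript: URL.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z]|on[a-z]+\s*=|javascript:", re.IGNORECASE)


def is_valid_username(name: str) -> bool:
    """Accept only plain usernames; anything resembling markup fails."""
    return bool(USERNAME_RE.fullmatch(name))


def render_guestbook_entry(author: str, text: str) -> str:
    """Render one guestbook row with every untrusted field HTML-escaped.

    quote=True also escapes ' and ", so the value stays inert inside
    attribute values as well as element bodies.
    """
    safe_author = html.escape(author, quote=True)
    safe_text = html.escape(text, quote=True)
    return f'<li class="entry"><span class="author">{safe_author}</span>: {safe_text}</li>'


def audit_stored_rows(rows: Iterable[Tuple[int, str]]) -> List[int]:
    """Return ids of rows whose name field already contains markup.

    A patch stops new injections; rows written before the patch are still
    in the database and still render unless they are found and cleaned.
    """
    return [row_id for row_id, value in rows if MARKUP_RE.search(value)]


# Constructed sample rows (assumed layout: id, stored name). Two of them
# carry the payload shapes quoted in the advisory, the rest are plain names.
SAMPLE_ROWS = [
    (1, "alice"),
    (2, "<img src='n' onerror=\"javascript:alert('XSS')\" >"),
    (3, "bob_42"),
    (4, '<iframe src="some_remote_source"></iframe>'),
]

if __name__ == "__main__":
    for row_id, value in SAMPLE_ROWS:
        print(row_id, is_valid_username(value), render_guestbook_entry(value, "hi"))
    print("rows needing cleanup:", audit_stored_rows(SAMPLE_ROWS))
```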