Microweber 2.0.15 - Stored XSS

Exploit Author: tmrswrr Analysis Author: www.bubbleslearn.ir Category: WebApps Language: JavaScript Published Date: 2024-07-01 
# Exploit Title: Stored XSS in Microweber
# Date: 06/18/2024
# Exploit Author: tmrswrr
# Vendor Homepage: (https://microweber.me/)
# Version: 2.0.15
# Tested on: (http://active.demo.microweber.me/)

## Vulnerability Description
A Stored Cross-Site Scripting (XSS) vulnerability has been identified in Microweber version 2.0.15. This vulnerability allows an attacker to inject malicious scripts that get stored on the server and executed in the context of another user's session.

## Steps to Reproduce
1. Log in to the application.
2. Navigate to `Users > Edit Profile`.
3. In the `First Name` field, input the following payload:

    "><img src=x onerror=confirm(document.cookie)>

4. Save the changes.
5. Upon visiting any page where the modified user profile is displayed, an alert box will appear, indicating the execution of the injected script.


Microweber 2.0.15 — Stored XSS (Cross‑Site Scripting)

This article explains a Stored Cross‑Site Scripting (XSS) issue discovered in Microweber version 2.0.15, how stored XSS typically manifests in CMS products, the real risk to users and administrators, safe reproduction guidance at a high level, detection and hardening strategies, and developer fixes you can apply to mitigate and permanently remediate the problem.

Executive summary

ProductVersionIssue TypeSeverity
Microweber2.0.15Stored Cross‑Site Scripting (XSS)High

What is stored XSS?

Stored XSS occurs when an attacker-managed payload is saved on the server (for example, in a database field such as a profile name, comment, or post) and later delivered to other users without proper sanitization or escaping. When victims view a page containing the stored content, the browser executes the injected script in the context of the victim's origin — exposing cookies, session tokens, or allowing actions on behalf of the user.

How it typically appears in CMSs like Microweber

  • A user-supplied value (profile name, bio, comment, product description) contains HTML/script content.
  • The application stores that content without strict sanitization or removes it only partially.
  • The application inserts the stored content into rendered pages without proper output escaping, allowing execution in visitors' browsers.

High‑level reproduction (safe, non‑exploitative)

To validate whether a stored XSS exists without causing harm, use safe test inputs and techniques only on systems you own or are authorized to test. At a high level:

  • Authenticate with a test account (authorized testing only).
  • Place benign markup or non‑executing identifiers into a user-editable field (for example: a string that contains angled brackets but not active script code).
  • Save and view pages where that value is displayed. If the browser interprets the markup rather than showing it literally, this indicates output escaping is missing and an XSS condition may be present.

Impact and real‑world risks

  • Session hijacking: stolen cookies or tokens if cookies are not flagged HttpOnly or additional protections missing.
  • Account takeover: actions performed in the victim’s session (CSRF-like actions triggered by injected script).
  • Defacement, phishing and credential harvesting by presenting fake login dialogs.
  • Privilege escalation if administrative users view affected content.

Detection and verification

  • Automated scanners — OWASP ZAP, Burp Scanner, and Snyk can detect common XSS patterns. Use them in authenticated contexts to cover profile pages and admin panels.
  • Manual testing — insert safe test strings that reveal whether output is escaped (for example, strings with angle brackets escaped by the application vs. rendered as HTML).
  • Code review — inspect template rendering code and server output paths for unescaped user content.
  • Logging and WAF — monitor logs for suspicious payload-like inputs and tune WAF rules to detect stored payload patterns.

Secure coding fixes (developer guidance)

The root cause of stored XSS is either permitting unsafe markup to be saved or rendering saved content without proper escaping. Best practice is defense in depth: input validation, output encoding, sanitization for HTML where needed, and browser controls like CSP and cookie flags.

1) Escape on output (recommended)

<?php
// Example: safe output of a user-provided field in PHP
echo htmlspecialchars($user['first_name'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
?>

Explanation: htmlspecialchars converts special characters (like < > " ') into HTML entities, preventing the browser from interpreting them as HTML or script. Use UTF‑8 and ENT_QUOTES to encode single and double quotes. Apply escaping at every template point where user data is rendered.

2) Use a vetted HTML sanitizer if HTML should be allowed

// Using HTMLPurifier (example)
require_once '/path/to/HTMLPurifier.auto.php';
$config = HTMLPurifier_Config::createDefault();
$config->set('HTML.Allowed', 'a[href],b,strong,i,em,ul,ol,li'); // whitelist allowed tags/attributes
$purifier = new HTMLPurifier($config);
$safe_html = $purifier->purify($user_input);
echo $safe_html;

Explanation: If the application needs to accept HTML (for rich profiles or posts), use a library like HTMLPurifier and a strict whitelist of allowed tags/attributes. Purifiers remove dangerous constructs such as inline event handlers (onerror, onclick) and script tags.

3) Validate at input boundaries

// Example: simple server-side validation for short text fields
$firstName = trim($_POST['first_name'] ?? '');
if (mb_strlen($firstName) > 100) {
    throw new Exception('First name too long');
}
// Optionally restrict to allowed characters for this field
if (preg_match('/[<>]/', $firstName)) {
    // reject or sanitize
}

Explanation: Validate length and character set for fields that should only contain plain text. Reject or sanitize suspicious input before storage. Note: validation is complementary — you still need output encoding.

4) Template engine escaping

If Microweber uses a template engine, ensure the templates use automatic escaping. For example, in many templating systems the double-curly syntax escapes by default; prefer those functions rather than raw injection helpers. Developers must audit templates and replace raw output helpers with escaped ones.

5) HTTP and browser mitigations

  • Content-Security-Policy (CSP) — implement a restrictive CSP to reduce impact of XSS by preventing inline scripts and restricting script sources.
  • Set cookies with HttpOnly, Secure, and SameSite flags to reduce session theft and CSRF risk.
  • Enable X‑Content‑Type‑Options: nosniff and X-Frame-Options to harden browsers.
/* Example HTTP headers (server configuration or application) */Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none';
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Set-Cookie: PHPSESSID=...; Secure; HttpOnly; SameSite=Strict

Explanation: These headers reduce attack surface. CSP is particularly powerful: even if an XSS vulnerability exists, a strict CSP can block execution of injected inline scripts or code from untrusted origins.

Recommended remediation steps for maintainers

  • Update Microweber to the vendor-published patched version if available. Check the vendor security advisories and release notes.
  • Audit all places where user-supplied strings are displayed (profiles, comments, pages, widgets) and ensure output escaping or sanitization is in place.
  • Introduce unit and integration tests to ensure that stored HTML markup is escaped or sanitized in each template.
  • Harden configuration: enable CSP, secure cookies, and security headers at application or web server level.
  • Consider adding a WAF rule to log and block clearly dangerous inputs while permanent fixes are implemented.
  • Notify users and administrators to update, and rotate credentials for high‑privilege accounts if they might have been exposed.

Detection and remediation checklist

  • Inventory all user-editable fields and classify whether HTML is required.
  • If HTML is not required: enforce strict input validation and always escape on output.
  • If HTML is required: accept only a small, documented whitelist and sanitize on input or output using a trusted library.
  • Review templates for unescaped output and replace with safe rendering helpers.
  • Deploy CSP and secure cookie flags; monitor for policy violations in reports.
  • Run authenticated security scans and manual review of admin-facing pages.

Responsible disclosure and next steps

If you are a site owner running Microweber 2.0.15, prioritize patching and apply the mitigations described above. Security researchers should follow responsible disclosure: report the issue to the vendor and give them time to patch before publishing technical details. Public advisories should include proof-of-concept only in sanitized form and always emphasize remediation.

Further reading and tools

  • OWASP XSS Prevention Cheat Sheet — secure escaping and sanitization recommendations.
  • HTMLPurifier — trusted PHP HTML sanitizer.
  • OWASP ZAP, Burp Suite — web application scanners useful for authenticated scans.