Alkacon OpenCMS 15.0 - Multiple Cross-Site Scripting (XSS)
# Exploit Title: Alkacon OpenCMS 15.0 - Multiple Cross-Site Scripting (XSS)
# Date: 1/07/2023
# Exploit Author: tmrswrr
# Vendor Homepage: http://www.opencms.org
# Software Link: https://github.com/alkacon/opencms-core
# Version: v15.0
POC:
1 ) Login in demo page , go to this url
https://demo.opencms.org/workplace#!explorer/8b72b2fe-180f-11ee-b326-0242ac11002b!!/sites/livedemo!!/.galleries/livedemo/!!
2 ) Click /.galleries/ , after right click any png file , open gallery, write in search button this payload
<img src=. onerror=alert(document.domain)>
3 ) You will be see alert box
POC:
1 ) Go to this url , right click any png file, rename title section and write your payload : <img src=. onerror=alert(document.domain)>
https://demo.opencms.org/workplace#!explorer/8b72b2fe-180f-11ee-b326-0242ac11002b!!/sites/livedemo!!/230701/ld_go87op3bfy/.galleries/images/!!
2 ) You will be see alert box , stored xss
POC:
1 ) Go to this url , right click any png file and choose replace , click change file and choose your svg file
after save it
svg file:
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert("XSS");
</script>
</svg>
2 ) When click this svg file you will be see alert buttonAlkacon OpenCMS 15.0: Multiple Cross-Site Scripting (XSS) Vulnerabilities – A Deep Dive
Alkacon OpenCMS, a widely used open-source content management system (CMS), has long been praised for its flexibility, scalability, and robust feature set. However, recent security assessments have uncovered critical vulnerabilities in version 15.0, specifically multiple cross-site scripting (XSS) flaws that expose users to significant risks. These vulnerabilities, identified by security researcher tmrswrr, demonstrate how seemingly innocuous user interactions—such as file uploads, renaming, or gallery navigation—can lead to malicious code execution.
Understanding the XSS Threat in OpenCMS 15.0
Cross-site scripting (XSS) is one of the most prevalent web application vulnerabilities. It occurs when an attacker injects malicious scripts into a web page that is then executed in the browser of unsuspecting users. In OpenCMS 15.0, these XSS flaws are particularly dangerous because they are both reflected and stored, meaning the payload can be delivered in real-time or persistently stored within the system.
The core issue lies in insufficient input validation and output encoding. User-supplied data—such as file titles, search queries, or file metadata—is not properly sanitized before being rendered in the UI. This allows attackers to inject script code that executes when the page is viewed, bypassing browser security mechanisms.
Exploitation Scenarios and Proof of Concept (PoC)
Three distinct PoCs were demonstrated against the official OpenCMS demo instance, highlighting the severity of the vulnerabilities.
1. Reflected XSS via Search Query
Attackers can trigger a reflected XSS by manipulating the search functionality within the gallery interface.
<img src=. onerror=alert(document.domain)
Explanation: This payload exploits the onerror attribute of the <img> tag. Since the src attribute is invalid (a dot), the browser triggers the onerror event, executing the JavaScript code alert(document.domain). The alert box displays the current domain, confirming that the script was executed.
Attack vector: The user navigates to the demo gallery, right-clicks a PNG file, opens the gallery view, and enters the payload in the search field. The system renders the input without sanitization, leading to script execution.
2. Stored XSS via File Title Renaming
When users rename a file, the system stores the new title in the database. If the title contains malicious code, it is rendered in the UI whenever the file is viewed.
<img src=. onerror=alert(document.domain)
Explanation: This payload is stored directly in the file metadata. When the file is accessed through the UI, the browser interprets the HTML content as valid, triggering the onerror event and executing the alert script.
Impact: This is a classic stored XSS scenario. Once injected, the malicious code persists until removed or patched. Any user viewing the file—regardless of their role—can be compromised.
3. SVG-Based XSS via File Replacement
OpenCMS allows users to replace files, including SVG (Scalable Vector Graphics) files. SVG files are XML-based and support embedded JavaScript, making them ideal for XSS attacks.
alert("XSS");
Explanation: This SVG file contains a <script> tag with JavaScript code. When the file is loaded in a browser that supports SVG rendering, the script executes immediately. The alert("XSS") function triggers a pop-up, confirming the XSS exploit.
Why it works: SVG files are not typically treated as executable by default, but modern browsers (especially those with SVG support enabled) interpret embedded scripts. OpenCMS 15.0 does not validate or sanitize SVG content before storing or rendering it, allowing malicious code to bypass filters.
Technical Analysis and Root Causes
These vulnerabilities stem from three fundamental issues:
- Missing Input Sanitization: User inputs (e.g., file names, search terms) are not validated against malicious patterns.
- Improper Output Encoding: Data rendered in the UI is not escaped, allowing HTML/JavaScript injection.
- Unrestricted File Upload Handling: SVG files are treated as static assets without content inspection, enabling script embedding.
Security Best Practice: The OpenCMS 15.0 implementation fails to follow the principle of input validation and output encoding, which is essential for preventing XSS attacks.
Real-World Implications
These XSS vulnerabilities can lead to:
- Session Hijacking: Malicious scripts can steal cookies or session tokens.
- Phishing Attacks: Injected scripts can redirect users to fake login pages.
- Defacement: Attackers can alter the appearance of the website.
- Malware Distribution: Scripts can download and execute malicious payloads.
For organizations using OpenCMS 15.0, especially those managing sensitive content or public-facing websites, these flaws pose a serious threat to data integrity and user trust.
Recommended Mitigations and Fixes
Security experts recommend the following remediations:
| Issue | Fix |
|---|---|
| Reflected XSS in Search | Implement strict input validation using regex patterns to block script tags, onerror, or <script>. |
| Stored XSS in File Titles | Apply HTML entity encoding (e.g., < → <) before storing or rendering user input. |
| SVG XSS via File Upload | Validate SVG content using a parser that strips embedded scripts. Reject files containing <script> or javascript: URLs. |
Additional Recommendations:
- Enable Content Security Policy (CSP) headers to restrict script execution.
- Use sandboxed environments for file previews.
- Regularly audit user-generated content for malicious patterns.
Conclusion
Alkacon OpenCMS 15.0’s multiple XSS vulnerabilities highlight the importance of secure coding practices in open-source software. While the platform offers powerful features, its lack of robust input sanitization and output encoding makes it susceptible to exploitation. Organizations relying on this version must prioritize patching, implement strict content validation, and enforce security policies to protect users and data integrity.
Security is not optional—it is foundational. Developers and administrators must treat every user input as potentially hostile until proven otherwise.