[CVE-2017-17889] Kliqqi CMS – XSS Vulnerability in Version 3.5.2

Product Information:

Software: Kliqqi CMS

Tested Version: 3.5.2, released 11.01.2017

Vulnerability Type: Cross-Site Scripting (CWE-79)

Description: Kliqqi is a fork of Pligg CMS


Vulnerability description:

There are two stored XSS and two DOM-based XSS vulnerabilities.

To replicate stored XSS (1):

  1. Create a user with normal or moderator rights
  2. Log in as that user
  3. Navigate to /pligg/groups.php and create a new group with the group name " onmouseover=confirm(0) "
  4. Navigate back to /pligg/groups.php and hover the cursor over the group's avatar; the payload should trigger

To replicate stored XSS (2):

  1. Log in as the user
  2. Navigate to the user's profile settings page (top-right drop-down -> Profile -> Settings)
  3. Update the Homepage field to javascript:alert(0) and save
  4. Upon saving, the updated value is shown below the username
  5. Clicking on the URL triggers the payload

To replicate the DOM-based XSS:

  1. Log in as a normal user
  2. Navigate to /pligg/submit.php
  3. Enter "><svg/onload=alert()> in Tags; the payload should trigger
  4. Remove the payload from Tags and add it in Description; the payload should trigger again
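One server-side check for the Homepage field abused in stored XSS (2), as an added example in Python rather than Kliqqi's own PHP: it applies the normalisation a browser performs on a URL (tab/newline removal, control-character stripping) before allowlisting the scheme, so case and whitespace variants of javascript: are rejected together with data: and scheme-relative URLs. Function names are assumptions.

```python
# Added example (not Kliqqi code): validate a user-supplied "Homepage" URL
# before storing it, so it can never be rendered as a javascript: link.
from typing import Optional
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Every code point from U+0000 to U+0020; browsers strip these from both ends.
_C0_AND_SPACE = "".join(chr(c) for c in range(0x21))


def normalize_url(raw: str) -> str:
    """Mirror the browser's URL pre-processing: drop ASCII tab, LF and CR
    anywhere in the input, then strip leading/trailing controls and spaces.
    Without this, 'java<TAB>script:' or ' javascript:' passes a naive
    startswith() check but is still executed by the browser."""
    cleaned = raw.replace("\t", "").replace("\n", "").replace("\r", "")
    return cleaned.strip(_C0_AND_SPACE)


def sanitize_homepage_url(raw: str) -> Optional[str]:
    """Return the normalised URL if it is an absolute http(s) URL, else None.
    Anything else (javascript:, data:, vbscript:, scheme-relative //host,
    bare hostnames, relative paths) is rejected rather than 'cleaned'."""
    url = normalize_url(raw)
    try:
        parts = urlsplit(url)
    except ValueError:          # e.g. malformed IPv6 literal
        return None
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    return url


if __name__ == "__main__":
    for candidate in ("https://example.com/~user", "javascript:alert(0)",
                      "JaVaScRiPt:alert(0)", " \tjava\nscript:alert(0)"):
        print(repr(candidate), "->", sanitize_homepage_url(candidate))
```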

Impact:

An attacker is able to inject malicious scripts into otherwise benign and trusted web sites. The malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can also rewrite the contents of an HTML page. The exploitation process is also made easy with BeEF (The Browser Exploitation Framework).


Solution:

The developer of Kliqqi CMS has moved on to a new project – Plikli CMS.

Plikli CMS v4.0 includes a fix for the vulnerability described in this advisory.


Timeline:

Vulnerability found: 24.12.2017

Vendor informed: 24.12.2017

Response by vendor: 24.12.2017

Fix by vendor: 03.01.2018

Patched version released: 22.04.2018

Public Advisory: 22.04.2018


References:

https://www.plikli.com/download-plikli/

[CVE-2017-17902] Kliqqi CMS – SQL Injection Vulnerability in Version 3.5.2

Product Information:

Software: Kliqqi CMS

Tested Version: 3.5.2, released 11.01.2017

Vulnerability Type: Blind SQL Injection

Description: Kliqqi is a fork of Pligg CMS


Vulnerability description:

There is a Blind SQL Injection in Kliqqi CMS.

Steps to replicate:

  1. Create a new story
  2. Navigate to the new story (e.g. /pligg/story.php?title=sqli-poc2-story)
  3. Set Burp Suite to intercept, and return to the browser to submit a new comment
  4. Return to Burp Suite and append AND (SELECT * FROM (SELECT(SLEEP(5)))MBMY) to the randkey parameter
  5. Forward the request and watch the loading icon: the application should sleep for 5 seconds before the loading icon disappears and the Kliqqi logo loads
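The concatenation pattern behind this injection beside its parameterised form, as an added example (Python with SQLite, not Kliqqi's code); the stories table, the randkey column and the query shape are assumptions. SQLite has no SLEEP(), so the concatenated query fails with an error instead of pausing, which is enough to show that the appended text was parsed as SQL.

```python
# Added example (not Kliqqi code): the comment-submission token lookup written
# unsafely and safely. Table, column and query shape are assumptions.
import sqlite3

# Payload from the advisory; randkey is a number, so no quote is needed to escape.
PAYLOAD = " AND (SELECT * FROM (SELECT(SLEEP(5)))MBMY)"


def make_db() -> sqlite3.Connection:
    """Constructed sample data: one story carrying one submission token."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE stories (id INTEGER PRIMARY KEY, randkey INTEGER)")
    conn.execute("INSERT INTO stories VALUES (1, 123456)")
    return conn


def story_id_vulnerable(conn: sqlite3.Connection, randkey: str):
    """The pattern behind the advisory: the request parameter is pasted into
    the statement text, so whatever follows the number is parsed as SQL.
    On MySQL the SLEEP() call delays the response; SQLite has no SLEEP()
    and raises sqlite3.OperationalError instead."""
    sql = "SELECT id FROM stories WHERE randkey = " + randkey
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def story_id_safe(conn: sqlite3.Connection, randkey: str):
    """Bound parameter: the whole value is compared as data, so
    '123456 AND ...' is simply a token that matches nothing. Checking
    randkey.isdigit() before the query is a sensible extra layer."""
    row = conn.execute(
        "SELECT id FROM stories WHERE randkey = ?", (randkey,)).fetchone()
    return row[0] if row else None


def payload_is_parsed_as_sql(conn: sqlite3.Connection, randkey: str) -> bool:
    """True when the concatenated statement is rejected by the SQL parser,
    i.e. the injected text reached the database as SQL, not as a value."""
    try:
        story_id_vulnerable(conn, randkey)
    except sqlite3.OperationalError:
        return True
    return False
```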

Impact:

SQL injection attacks will habitually allow the intruder to view data contained in the database and modify its content. However, data confidentiality and integrity are not the only concerns when considering this security issue. In fact, the hacker could gain much more privileges over the database. In some cases, he could even end up acting as a system administrator of the database server.

Source: http://www.sqlinjection.net/risks/


Solution:

The developer of Kliqqi CMS has moved on to a new project – Plikli CMS.

Plikli CMS v4.0 includes a fix for the mentioned vulnerability in this advisory.


Timeline:

Vulnerability found: 24.12.2017

Vendor informed: 24.12.2017

Response by vendor: 24.12.2017

Fix by vendor: 03.01.2018

Patched version released: 22.04.2018

Public Advisory: 22.04.2018


References:

https://www.plikli.com/download-plikli/

[CVE-2016-9891] Dotclear – XSS Vulnerability in Version 2.10.4

Product Information:

Software: Dotclear

Tested Version: 2.10.4, released 02.11.2016

Vulnerability Type: Cross-Site Scripting (CWE-79)

Description: The project’s purpose is to provide a user-friendly tool allowing anyone to publish on the web, regardless of their technical skills. (copied from https://dotclear.org/about#undefined)


Vulnerability description:

There is an XSS vulnerability in the /dotcl/admin/media_item.php page.

When an authenticated user of Dotclear renames the file title, the following POST request is sent to the server:

POST /dotcl/admin/media_item.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/dotcl/admin/media_item.php?id=4&plugin_id=&popup=0&select=0
Cookie: sidebar-pref=null; dcxd=0408528968495153b0822146207aaaa66d0118f0; s9y_9afefbce28571f388f27f61da1993391=u4l95320lc39fen9n2f8o04jm5
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 201
media_file=testimage.png&media_title=<script>alert(0)</script>.png&media_dt=2016-11-25 19:12&popup=0&select=0&post_id=&id=4&xd_check=8850df45055dfadff791dfbbbd25ed16a16aa3ae

The parameter media_title is vulnerable to XSS.

The payload is executed when an authenticated user navigates to the /dotcl/admin/media.php page.

When embedding an image or adding an attachment under Entries, the media.php page is called and the payload triggers there as well.
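Context-aware output encoding for the two stored sinks in these advisories, the Kliqqi group name rendered into an attribute and the Dotclear media title rendered as element text, as an added example (Python, not either project's code); the markup and attribute names are assumed. It also shows why stripping angle brackets is not a fix: the group-name payload contains none.

```python
# Added example (not Kliqqi or Dotclear code): encode for the output context,
# then parse the result the way a browser would to confirm nothing leaked.
from html import escape
from html.parser import HTMLParser

GROUP_PAYLOAD = '" onmouseover=confirm(0) "'       # Kliqqi group name (advisory)
TITLE_PAYLOAD = "<script>alert(0)</script>.png"   # Dotclear media_title (advisory)


def naive_strip(value: str) -> str:
    """A common but insufficient 'filter': drops angle brackets only."""
    return value.replace("<", "").replace(">", "")


def render_group_avatar(name: str) -> str:
    """Attribute context: the value is always quoted AND quotes are escaped,
    so a quote in the name cannot close the attribute and start a new one."""
    safe = escape(name, quote=True)
    return f'<img src="/avatars/default.png" alt="{safe}" title="{safe}">'


def render_media_title(title: str) -> str:
    """Element text context: escaping < > & is what matters here."""
    return f"<td>{escape(title, quote=False)}</td>"


class _TagCollector(HTMLParser):
    """Records what a browser-like parser sees: (tag, [attribute names])."""
    def __init__(self) -> None:
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, [name for name, _ in attrs]))


def parse_tags(fragment: str):
    """Return the start tags of a rendered fragment with their attribute names."""
    parser = _TagCollector()
    parser.feed(fragment)
    parser.close()
    return parser.tags


def attribute_names(fragment: str):
    """Attribute names of the first tag in the fragment."""
    tags = parse_tags(fragment)
    return tags[0][1] if tags else []
```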


Impact:

An attacker is able to inject malicious scripts into otherwise benign and trusted websites. The malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can also rewrite the contents of an HTML page. The exploitation process is also made easy with BeEF (The Browser Exploitation Framework).


Solution:

Update to the latest version, which is 2.11.1 (fixed since 2.11), see https://dotclear.org/blog/post/2016/12/28/Dotclear-2.11


Timeline:

Vulnerability found: 26.11.2016

Vendor informed: 05.12.2016

Response by vendor: 05.12.2016

Fix by vendor: 05.12.2016

Patched version released: 28.12.2016

Public Advisory: 29.12.2016


References:

https://dev.dotclear.org/2.0/changeset/5536ac77e915

https://hg.dotclear.org/dotclear/rev/712559193a6e