
OcPortal CMS 9.0.20 POC #11

Open
cybersecurityworks opened this issue Nov 13, 2015 · 1 comment

Comments

@cybersecurityworks
Owner

As per the documentation of the Ocportal, a value in a template that is not meant to contain HTML is marked as an escaped value ({VALUE*}). This means that ‘html entities’ are put in replacement of HTML control characters.

[screenshot]

[screenshot]

Here the VALUE that is marked with the * symbol will be filtered with the XSS filter and sanitized before displaying it to the user. But they forgot to mark FIELD_NAME in the OCF_EMOTICON_CELL.tpl file.
\ocportal\themes\default\templates\OCF_EMOTICON_CELL.tpl

[screenshot]

The View_all link beside the emoticons in the following screen has this FIELD_NAME variable.

[screenshot]

The View_all link is sending the following GET request to the server:

[screenshot]

The following is the source code of the emoticons.php file:
\ocportal\data\emoticons.php

[screenshot]

The following is the code related to the emoticons_script function in the misc_scripts.php file:
\ocportal\sources\misc_scripts.php

[screenshot]

Code that is loading the template file with the user-entered input:
\ocportal\sources\misc_scripts.php

[screenshot]

This code reads the GET request parameter field_name and displays it back to the user without filtering, because the variable is not marked with the * symbol. Obviously it won’t go through any filtration.

GET request to emoticons.php with script vector as value of field_name:

[screenshot]

And the inserted payload is reflected back to the user as shown in the following screen.

[screenshot]
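Added example (not code from the issue or from ocPortal): a deliberately simplified model of the `{NAME*}` vs `{NAME}` escaping convention the report describes, plus an audit helper that lists placeholders lacking the `*` marker, which is exactly the defect found in OCF_EMOTICON_CELL.tpl. The template fragments and the tainted input below are constructed for illustration; the real Tempcode syntax is far richer than this regex.

```python
import html
import re

# Placeholder syntax as described in the report: {NAME*} is escaped, {NAME} is raw.
# Simplified model of ocPortal's Tempcode for illustration only (assumption), not its parser.
PLACEHOLDER = re.compile(r"\{([A-Z_][A-Z0-9_]*)(\*?)\}")


def render(template: str, params: dict) -> str:
    """Substitute parameters; only '*'-marked placeholders are HTML-escaped."""
    def sub(m):
        name, escaped = m.group(1), m.group(2) == "*"
        value = str(params.get(name, ""))
        return html.escape(value, quote=True) if escaped else value
    return PLACEHOLDER.sub(sub, template)


def unescaped_placeholders(template: str) -> list:
    """Audit helper: every placeholder in the template that lacks the '*' escape marker."""
    return sorted({m.group(1) for m in PLACEHOLDER.finditer(template) if m.group(2) != "*"})


# Constructed fragments in the style of OCF_EMOTICON_CELL.tpl (not the real file):
# FIELD_NAME is unmarked in the vulnerable version, marked in the fixed one.
VULNERABLE_TPL = '<a href="emoticons.php?field_name={FIELD_NAME}">{CODE*}</a>'
FIXED_TPL = '<a href="emoticons.php?field_name={FIELD_NAME*}">{CODE*}</a>'

# Constructed request input containing HTML control characters (benign markup).
TAINTED = 'post"><b>x</b>'


def demo():
    params = {"FIELD_NAME": TAINTED, "CODE": ":)"}
    return {
        "vuln_audit": unescaped_placeholders(VULNERABLE_TPL),   # ['FIELD_NAME']
        "fixed_audit": unescaped_placeholders(FIXED_TPL),       # []
        "vuln_out": render(VULNERABLE_TPL, params),             # raw markup reflected
        "fixed_out": render(FIXED_TPL, params),                 # entities instead
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running the audit helper over a theme's template directory is a cheap way to catch the same class of omission before a request ever reaches the template.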

@fgeek

fgeek commented Dec 19, 2015

For tracking purposes CVE request is: http://www.openwall.com/lists/oss-security/2015/12/19/2
