Stored XSS on ImpressCMS 1.4.0 #659
Hi, the medium reference is not working. Keep in mind that you have to be logged in and need to have access to the administration section before you have access to that page. Because of that, I consider it a low-risk vulnerability, but thank you for the ticket, I'll get on it straight away.
https://medium.com/@tehwinsam/impresscms-1-4-0-3aaf1825e6d5
Totally agree on what you mentioned.
However, there is a function/feature in 'AutoTask'. I don't know whether you consider it a feature or a risk.
Because it allows an authenticated user to execute *ANY PHP command*, which allows a BAD GUY to interact with 'MySQL' (assuming the db is on localhost, with default credentials) or gain 'RCE' from the PHP code.
On Fri, 19 Jun 2020 at 14:52, David Janssens wrote:
> Hi, the medium reference is not working.
> Keep in mind that you have to be logged in and need to have access to the
> administration section before you have access to that page. Because of
> that, I consider it a low-risk vulnerability, but thank you for the ticket,
> I'll get on it straight away.
Yes, those are the administration functionalities that should only be handled by trusted admin users. As a matter of fact, it can be used to clean up database entries (for example to follow the retention period for certain data, you can run an autotask every day to remove old data).
We have a presence on HackerOne: https://hackerone.com/impresscms . It is still in 'startup' phase because we haven't had enough vulnerability notifications passing through there in order to qualify for a full presence, but you can still use it if you want. You will need to create a HackerOne account though.
I've created an account.
https://hackerone.com/tehwinsam is my profile.
On Fri, 19 Jun 2020 at 15:29, David Janssens wrote:
> We have a presence on HackerOne: https://hackerone.com/impresscms . It
> is still in 'startup' phase because we haven't had enough vulnerability
> notifications passing through there in order to qualify for a full
> presence, but you can still use it if you want. You will need to create a
> HackerOne account though.
> I will verify if that is mentioned in the security documentation.
> Follow-up there should be easier in the future.
Could you enter this bug report also there? It would give me an opportunity to see if everything works as expected :-)
Unfortunately, when I browse to the URL https://hackerone.com/impresscms, it pops up 'Page not Found', but I have manually submitted a report to support@hackerone.com and am waiting for their response.
On Fri, 19 Jun 2020 at 17:02, David Janssens wrote:
> Could you enter this bug report also there? It would give me an
> opportunity to see if everything works as expected :-)
Thanks! It's unclear to me how this works, the 'private' repository thing of HackerOne :-( We'll see what they answer.
Alright.
Amigo, below is the reply from HackerOne.
> Thank you for reaching out to HackerOne Support about submitting your report. We are not able to review or validate reports on behalf of the companies that use our platform or even our own program.
> If the company is listed in our directory (https://hackerone.com/directory) we recommend that you go to their page and submit the report through the method they have provided. If the program has a pink submit button they have a program on our platform. If they have a directory page but are not using our platform then they will be a community updated page. These community updated pages have the following message on them: '''HackerOne Directory [?]
> If the company does not have a directory page with us you may want to try reporting it to our Disclosure Assistance team. You can find more information about how Disclosure Assistance works in this article: https://docs.hackerone.com/programs/disclosure-assistance.html#___gatsby
Hi, I tested this under the 1.4.1 beta, and the behaviour is now as expected: the system does not execute the javascript, but simply shows it in the box. I think we can close this and release 1.4.1 final then.
Payload = <script>alert('AppleBois');</script>
Vulnerable URL: modules/system/admin.php?fct=adsense&op=mod&adsenseid=4
Vulnerable TextBar: ID of the [adsense tag to display this ad]
Vulnerable URL: /modules/system/admin.php?fct=customtag&op=mod
Vulnerable TextBar: Name
Reference
https://medium.com/@tehwinsam/impresscms-1-4-0-3aaf1825e6d5
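The behaviour described for the 1.4.1 beta (the script is shown in the box instead of being executed) is what output encoding produces. The sketch below is an added example, not ImpressCMS code: the function names are hypothetical, and it assumes the stored field value is written into HTML element content and into a form field when the admin page is rendered.

```php
<?php
// Added illustration, not ImpressCMS code. All function names are hypothetical.

// Constructed stored value: the payload from this report, as read back from the database.
$storedName = "<script>alert('AppleBois');</script>";

// Vulnerable pattern: the stored value is concatenated into markup unchanged,
// so the browser parses it as a script element when the page is viewed.
function renderNameUnsafe(string $name): string
{
    return '<td class="name">' . $name . '</td>';
}

// Hardened pattern: encode at output time for the HTML context.
// ENT_QUOTES also encodes ' and ", which matters when the value lands in an attribute.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderNameSafe(string $name): string
{
    return '<td class="name">' . e($name) . '</td>';
}

function renderNameInput(string $name): string
{
    return '<input type="text" name="name" value="' . e($name) . '">';
}

// Regression check: no encoded rendering may still contain a live script tag.
foreach ([renderNameSafe($storedName), renderNameInput($storedName)] as $html) {
    if (stripos($html, '<script') !== false) {
        throw new RuntimeException('stored value reached the page unencoded');
    }
}

echo renderNameUnsafe($storedName), PHP_EOL; // payload is live markup
echo renderNameSafe($storedName), PHP_EOL;   // payload is displayed as text
echo renderNameInput($storedName), PHP_EOL;  // payload is displayed inside the box
```

Encoding at output, rather than stripping tags on input, keeps the stored data intact and protects every page that later renders the same field.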