Stored XSS possible in admin tool as authenticated user

Issue: SI-16
Date: Jul 3, 2013, 3:45:00 AM
Severity: Low
Requires Admin Access: Yes
Fix Version: 3
Credit: Sergio Galán aka NaxoneZ
Description:

In a number of areas in the dotCMS administrative tool, an authenticated user can create stored XSS that executes in the admin user's browser.

The XSS can be used in the browser once you are logged in to the admin screen. At that point you are, of course, already logged in and a trusted user.

1.- XSS
- Path: Site > Add/Edit Host
- Field: HostName
- After creating the host, editing it displays a message box on screen.

2.- XSS
- Path: Workflows > Schemes > Add Workflow Scheme
- Field: Name
- After creating the workflow, going to Workflows > Schemes displays a message box on screen.

3.- XSS
- Path: Workflows > Schemes > Add Workflow Scheme
- Field: Description
- After creating the workflow, a message box is displayed when you go to Workflows > Schemes or when you edit the workflow.

4.- XSS (non-persistent)
- Path: Calendar
- Field: Search Field
- If you enter text like "<script>alert(23);</script>", the AJAX call creates a message box.

5.- XSS
- Path: Calendar > Add event
- Field: Name
- If you enter text like "<script>alert(23);</script>", a message box is displayed when you open the calendar or edit the task.

6.- XSS
- Path: Language Variables > Add New Language
- Field: Language/Country
- If the language or country is set to text like "<script>alert(23);</script>", a message box is displayed when you go to the Language Variables page or edit the language.

7.- XSS
- Content Search Screen: upload a file named "<script>alert(23);</script>"

8.- XSS
- There are other stored XSS vulnerabilities in screens that allow authenticated dotCMS users to enter content and text that is not sanitized for possible XSS.

Mitigation:

dotCMS 5.2 and above ships with an XSS prevention filter that validates incoming requests to the admin panel. If the incoming request does not include a valid Referer or Origin header, the filter blocks the request. In essence, this blocks an attacker's ability to remotely trigger an XSS vulnerability from a domain outside of the administrative panel.

Versions of dotCMS < 5.2 can install the CSRF OSGi plugin, which does the same work as the XSS prevention filter.
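
The header check described above can be sketched as a plain Java decision function. This is an added example, not the dotCMS filter or the plugin's code; the class name, `TRUSTED_HOSTS`, the hostnames and the rule that a present Origin header takes precedence over Referer are assumptions made for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

// Added illustration (Java 11+); not dotCMS code.
public class AdminRequestOriginCheck {

    // Hypothetical admin hostname, constructed for this example.
    static final Set<String> TRUSTED_HOSTS = Set.of("cms.example.com");

    /** True only when Origin (or, if Origin is absent, Referer) names a trusted host. */
    static boolean isAllowed(String origin, String referer) {
        // Assumption: a present Origin header is authoritative; Referer is the fallback.
        String candidate = (origin != null && !origin.isBlank()) ? origin : referer;
        if (candidate == null || candidate.isBlank()) {
            return false; // neither header present: block
        }
        try {
            URI uri = new URI(candidate.trim());
            String scheme = uri.getScheme();
            String host = uri.getHost();
            if (scheme == null || host == null) {
                return false; // e.g. "Origin: null" or a relative value
            }
            boolean web = scheme.equalsIgnoreCase("http") || scheme.equalsIgnoreCase("https");
            // Exact host comparison: a substring or prefix test would accept
            // look-alike hosts such as cms.example.com.attacker.test.
            return web && TRUSTED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
        } catch (URISyntaxException e) {
            return false; // unparsable header value: block
        }
    }

    public static void main(String[] args) {
        // Constructed header values {Origin, Referer}, not captured traffic.
        String[][] samples = {
            {"https://cms.example.com", null},
            {null, "https://cms.example.com/some/admin/page"},
            {null, null},
            {"null", "https://cms.example.com/"},
            {null, "https://cms.example.com.attacker.test/"},
            {null, "https://attacker.test/?next=https://cms.example.com/"},
        };
        for (String[] s : samples) {
            System.out.printf("Origin=%s Referer=%s -> %s%n",
                    s[0], s[1], isAllowed(s[0], s[1]) ? "allow" : "block");
        }
    }
}
```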

References

OSGi-based CSRF filter for dotCMS < 5.2

https://github.com/dotCMS/com.dotcms.csrffilter

See also:

SI-5
