Issues » Stored XSS possible in admin tool as authenticated user

Issue: SI-16
Date: Jul 3, 2013, 3:45:00 AM
Severity: Low
Requires Admin Access: Yes
Fix Version: 3
Credit: Sergio Galán aka NaxoneZ
Description:

In a number of areas in the dotCMS Administrative tool, it is possible for an authenticated user to create stored XSS that executes in the admin user's browser.  


In the browser once logged into the admin screen you can use XSS. You of course are already logged in and a trusted user at this point. 

1.- XSS
- Path: Hosts > Add/Edit Host
- Field: HostName
- After create the host if you edit it you can see a msgbox in screen.

2.- XSS
-Path: Workflows>Schemes>Add Workflow Scheme
-Field: Name
- After create the workflow if you go to Workflows>Schemes you can see a msgbox in screen.

3- XSS
-Path: Workflows>Schemes>Add Workflow Scheme
-Field: Description
- After create the workflow if you go to Workflows>Schemes you can see a msgbox in screen or when you edit the workflow.

4.- XSS
-Path: Polls>Edit Question
-Field: Choices
- If you create a poll with a choice like "<script>alert(23);</script> when you see the poll an alert appears.

5.- XSS (not persistence)
-Path: Calendar
-Field: Search Field
-If you put a text like "<script>alert(23);</script> the ajax creates a msgbox.

6.-XSS
-Path:Calendar>Add event
-Field: Name
-if you put a text like "<script>alert(23);</script> you can see a msgbox when you enter in calendar o edit the task.

7.-XSS
-Path: Language Variables>Add New Language
-Field: Language/Country
-If you go to Language Variables page or you edit the language with the language or country like "<script>alert(23);</script> you can see a msgbox in the screen.

Mitigation:

dotCMS 5.2 and above ships with an XSS prevention filter that validates incoming requests to the admin panel.  If the incoming request does not include a valid Refer or Origin Header, then the request will be blocked by the filter.  In essence, this blocks an attacker's ability to remotely trigger an XSS vulnerability from a domain outside of the administrative panel.

Versions of dotCMS < 5.2 can install the CSRF osgi plugin that does the same work as the XSS prevention filter.

References

OSGI based CSRF filter for dotCMS < 5.2

https://github.com/dotCMS/com.dotcms.csrffilter

See also:

SI-5