How I got my first CVE - CVE-2017-15872
Hello All,
INTRODUCTION
The purpose of this post is to let you know how I managed to get my first CVE and more importantly how you as a reader can adopt a similar strategy to earn a CVE against your name. Throughout this post, I will give you relevant examples/screenshots that demonstrates how I ended up finding the vulnerability and tips that are extremely handy.
Alright, lets plunge into the Proof-Of-Concept !
PATH OF EXPLORATION
I was searching for an open source CMS based application which can help me in testing for some bugs for learning purpose. I stumbled upon phpwcms application which I found interesting and immediately downloaded the same. After configuring the application I started to create dummy pages for testing. A few minutes later I came across a page where the administrator has the privilege to create users in phpwcms. I found out that the username field does not properly filter / sanitize the user input which thus, resulted into a STORED CROSS SITE SCRIPTING vulnerability.
THE MOST AWAITED DEEP DIVE POC
1) While browsing the application to understand about the workflow I came across the module of user administration. I thought of creating a user by inserting the XSS payload into the username since it was reflecting on the page under couple of sections like phpwcms user list and users online. I added the payload and created a new user as you can see into the below snapshot.
2) After creating the user I didn't got XSS alert popup while viewing the user list. I viewed the page source code to understand how was my input rendered in background. I came to know that the application has taken some precaution to mitigate XSS attacks which was encoding my payload. I thought of using another payload with some encoding techniques to get the XSS alert popup.
3) I clicked on edit button and Boommmm !!!!!! XSS POP UP !!!!!! 😍👇
4) Below snapshot shows the view source of the affected page.
REFERENCE LINKS
https://github.com/slackero/phpwcms/commit/62c7c4a7a7de5effa0a82c89e77e53795a82e11d
https://github.com/slackero/phpwcms/commit/90ee94a474b37919161f8112f9e36c53ad70492f
https://nvd.nist.gov/vuln/detail/CVE-2017-15872
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15872
LESSONS LEARNT
Never come to the conclusion immediately. Test all the possibilities and then conclude. Always think that the developer will definitely miss to validated some parameters on some page.
DISCLOSURE DATELINES
23 October 2017 at 00:02 - Report send.
23 October 2017 at 12:01 - Bug acknowledged and fixed.
23 October 2017 at 22:53 - Request for the CVE ID to CVE Mitre
25 October 2017 at 01:08 - CVE ID Received (CVE-2017-15872)
Thanks for reading the post.
Special Thanks to all my friends who help / supported / motivated me for writing blogs. 🙏
INTRODUCTION
The purpose of this post is to let you know how I managed to get my first CVE and more importantly how you as a reader can adopt a similar strategy to earn a CVE against your name. Throughout this post, I will give you relevant examples/screenshots that demonstrates how I ended up finding the vulnerability and tips that are extremely handy.
Alright, lets plunge into the Proof-Of-Concept !
PATH OF EXPLORATION
I was searching for an open source CMS based application which can help me in testing for some bugs for learning purpose. I stumbled upon phpwcms application which I found interesting and immediately downloaded the same. After configuring the application I started to create dummy pages for testing. A few minutes later I came across a page where the administrator has the privilege to create users in phpwcms. I found out that the username field does not properly filter / sanitize the user input which thus, resulted into a STORED CROSS SITE SCRIPTING vulnerability.
THE MOST AWAITED DEEP DIVE POC
1) While browsing the application to understand about the workflow I came across the module of user administration. I thought of creating a user by inserting the XSS payload into the username since it was reflecting on the page under couple of sections like phpwcms user list and users online. I added the payload and created a new user as you can see into the below snapshot.
https://github.com/slackero/phpwcms/commit/62c7c4a7a7de5effa0a82c89e77e53795a82e11d
https://github.com/slackero/phpwcms/commit/90ee94a474b37919161f8112f9e36c53ad70492f
https://nvd.nist.gov/vuln/detail/CVE-2017-15872
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15872
LESSONS LEARNT
Never come to the conclusion immediately. Test all the possibilities and then conclude. Always think that the developer will definitely miss to validated some parameters on some page.
DISCLOSURE DATELINES
23 October 2017 at 00:02 - Report send.
23 October 2017 at 12:01 - Bug acknowledged and fixed.
23 October 2017 at 22:53 - Request for the CVE ID to CVE Mitre
25 October 2017 at 01:08 - CVE ID Received (CVE-2017-15872)
Thanks for reading the post.
Special Thanks to all my friends who help / supported / motivated me for writing blogs. 🙏
Comments
Post a Comment