XSS Vulnerability in KajonaCMS

Information

Advisory by Netsparker (now Invicti)
Name: XSS Vulnerability in KajonaCMS
Software: KajonaCMS v4 and possibly below.
Vendor Homepage: http://www.kajona.de/
Vulnerability Type: Cross-site Scripting
Severity: Critical
Researcher: Omar Kurt
Advisory Reference: NS-14-023

Description

Kajona is a content management framework based on PHP5 and published as an open-source project under the LGPL license. The project's roots go back to 2004, when collected programming solutions were combined into a library. The idea of a web content management framework was born, followed by version 2.0 in 2005 and 2.1 at the beginning of 2006. Version 3.0 was published with a complete code rewrite in 2006.

Details

KajonaCMS v4 is affected by a cross-site scripting (XSS) vulnerability.
The KajonaCMS PoC URL below carries the payload in the systemid query-string parameter:

  • Cross-site Scripting
    http://example.com/index.php?page=downloads&systemid=';"--></style></scRipt><scRipt>alert(0x0001EE)</scRipt>&action=mediaFolder (Querystring)
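
The following is an added example, not part of the original advisory and not the code from the vendor's fix commits. It shows why the mixed-case scRipt tags in the PoC pass a case-sensitive tag blacklist, and how allowlist validation plus output encoding handles the same request. The systemid format, the benign id abc123 and all function names are assumptions made for illustration.

```python
import html
import re
from urllib.parse import urlsplit, unquote_plus

# PoC URL quoted from the advisory above.
POC_URL = ("http://example.com/index.php?page=downloads&systemid="
           "';\"--></style></scRipt><scRipt>alert(0x0001EE)</scRipt>"
           "&action=mediaFolder")

# Assumption: a system id is a short alphanumeric token. Adjust to the real format.
SYSTEMID_RE = re.compile(r"[A-Za-z0-9]{1,32}")

def get_param(url, name):
    """Return the decoded value of a query-string parameter, or None."""
    for pair in urlsplit(url).query.split("&"):
        key, _, value = pair.partition("=")
        if unquote_plus(key) == name:
            return unquote_plus(value)
    return None

def naive_filter(value):
    """Case-sensitive tag blacklist: the PoC's mixed-case scRipt passes untouched."""
    return value.replace("<script>", "").replace("</script>", "")

def is_valid_systemid(value):
    """Allowlist check applied to the decoded value, before any use."""
    return value is not None and SYSTEMID_RE.fullmatch(value) is not None

def encode_html(value):
    """Encode for HTML body/attribute output. Not sufficient inside <script>
    or <style> blocks, which is why invalid ids are rejected up front."""
    return html.escape(value, quote=True)

def handle(url):
    """Return (accepted, text that is safe to echo in HTML)."""
    raw = get_param(url, "systemid")
    if is_valid_systemid(raw):
        return True, raw
    return False, encode_html(raw or "")

if __name__ == "__main__":
    payload = get_param(POC_URL, "systemid")
    print("blacklist changed payload:", naive_filter(payload) != payload)
    print("PoC request:", handle(POC_URL))
    print("benign request (constructed):", handle(
        "http://example.com/index.php?page=downloads&systemid=abc123"))
```
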


Solution

https://github.com/kajona/kajonacms/commit/8f1b18150cc2a8f27c96d9c4f94a81022fbb61e3
https://github.com/kajona/kajonacms/commit/4a07f949c171da6aa9a6e6c19421b0df16297180

Advisory Timeline

05/06/2014 – First Contact
07/06/2014 – Second Contact
08/06/2014 – Vulnerability fixed
23/06/2014 – Advisory released

Credits

This vulnerability was discovered while testing the Invicti Web Application Security Scanner.

About Invicti

Invicti® can find and report security issues such as SQL Injection and Cross-site Scripting (XSS) in all web applications, regardless of the platform and the technology they are built on. Invicti’s unique detection and exploitation techniques allow it to be dead accurate in reporting, hence it is the first and only False Positive Free web application security scanner.