Date: 2016-01-28 09:52:50
Security Advisory – Curesec Research Team

1. Introduction

Affected Product: DYNPG 4.6
Fixed in: 4.7
Fixed Version Link: https://www.dynpg.org/index_en.php
Vendor Website: https://www.dynpg.org/
Vulnerability Type: XSS
Remote Exploitable: Yes
Reported to vendor: 11/17/2015
Disclosed to public: 01/28/2016
Release mode: Coordinated Release
CVE: n/a
Credits: Tim Coen of curesec GmbH

2. Overview

DYNPG is a content management system written in PHP. Version 4.6 contains multiple XSS vulnerabilities.

Exploitation can lead to the theft of cookies or the injection of JavaScript keyloggers. In this case, if the victim is an admin, successful exploitation may also lead to code execution, because the admin area allows the upload of PHP files.

3. Details

Multiple Reflected XSS

CVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

Description: There are various locations that do not properly encode user input when echoing it, leading to reflected XSS.

Proof of Concept:

http://localhost/DYNPG_46_2014-07-21/_file_edit.php?picID=1&function="><script>alert(1)</script>
http://localhost/DYNPG_46_2014-07-21/_tinymce.popup.php?targetArea='</script><script>alert(1)</script>
http://localhost/DYNPG_46_2014-07-21/searchbox.inc.php?show="><script>alert('xss')</script>

Persistent XSS

CVSS: Medium 5.0 AV:N/AC:L/Au:N/C:N/I:P/A:N

Description: When showing the list of images, the file name is not sanitized, leading to persistent XSS. A user account is needed that has the right to upload files.

Proof of Concept:

1. Upload a file with the name: "'\"><img src=no onerror=alert(1)>.png
   Note that the checkbox "Keep original name of file" must be checked.
2. Visit the list of images.
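As an added illustration, not code from DYNPG or the advisory, the hypothetical PHP below shows the pattern behind the reflected and persistent findings (a request parameter and a stored file name echoed into HTML without encoding) next to an encoding fix; the function names, markup and sample inputs are assumptions.

```php
<?php
// Hypothetical search box mirroring the reflected case: the "show" parameter is
// concatenated straight into an HTML attribute. Not DYNPG's code.
function render_search_vulnerable(string $show): string
{
    return '<input type="text" name="show" value="' . $show . '">';
}

// Hardened variant: encode for the HTML attribute context. ENT_QUOTES also
// encodes single quotes, so neither quote style can terminate the attribute.
function render_search_hardened(string $show): string
{
    $safe = htmlspecialchars($show, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="show" value="' . $safe . '">';
}

// Persistent case: reduce the stored file name to a conservative character set
// at upload time ("Keep original name of file" would otherwise keep markup in it).
function sanitize_upload_name(string $name): string
{
    $base = basename($name);
    $base = preg_replace('/[^A-Za-z0-9._-]/', '_', $base) ?? '';
    return $base === '' ? 'upload' : $base;
}

// Defence in depth: even a sanitized name is encoded again when listed.
function render_image_list_hardened(array $names): string
{
    $items = '';
    foreach ($names as $n) {
        $items .= '<li>' . htmlspecialchars($n, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</li>';
    }
    return '<ul>' . $items . '</ul>';
}

// Constructed inputs modelled on the advisory's proof-of-concept values.
$reflected = '"><script>alert(\'xss\')</script>';
$uploaded  = '\'"><img src=no onerror=alert(1)>.png';

echo render_search_vulnerable($reflected), PHP_EOL; // script element reaches the page
echo render_search_hardened($reflected), PHP_EOL;   // rendered as inert text
echo render_image_list_hardened([sanitize_upload_name($uploaded)]), PHP_EOL;
```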

Self XSS

CVSS: Low 2.6 AV:N/AC:H/Au:N/C:N/I:P/A:N

Description: When inserting an image into the text editor, there is a self-XSS vulnerability. It may be possible to exploit this issue in combination with clickjacking.

Proof of Concept:

1. Visit the text editor: http://localhost/DYNPG_46_2014-07-21/index.php?show=4
2. Click on Insert Image
3. As Image URL, enter: " onerror=alert(1) foo="

4. Solution

To mitigate this issue, please upgrade at least to version 4.7:


Please note that a newer version might already be available.

5. Report Timeline

11/17/2015 Informed Vendor about Issue
11/22/2015 Vendor requests more time
01/19/2016 Vendor releases fix
01/28/2016 Disclosed to public