IceCMS is a lightweight content management system, popular with developers who want something minimal and easy to customize. However, in May 2023, a serious security flaw was disclosed: CVE-2023-33356, a Cross Site Scripting (XSS) vulnerability in version 1...
In this in-depth post, I’ll walk you through what this means, how the bug works, and even show some example code so you can test (safely!) on your own. Let’s dig in.
What is IceCMS v1..?
IceCMS is a PHP-based CMS with basic blogging and page capabilities. Since it’s lightweight, it gets used for simple projects and sometimes as a starter for bigger sites.
- GitHub: https://github.com/diegoisaac00/icecms
What is CVE-2023-33356?
CVE-2023-33356 is a Cross Site Scripting (XSS) vulnerability found in IceCMS v1... Basically, it means an attacker can inject malicious JavaScript into the site and have it executed in other users’ browsers.
The vulnerability exists because user input isn’t properly sanitized before being displayed.
- Official CVE: https://nvd.nist.gov/vuln/detail/CVE-2023-33356
- Disclosure: https://github.com/diegoisaac00/icecms/issues/1
How Does The XSS Vulnerability in IceCMS Work?
If you look at the source code, user-supplied data (like a post's title or page content) is displayed directly, with no escaping or filtering. That means you can slip in a script tag, and it will run in every browser that loads that page.
For example,
- An attacker creates a new article with a title like IceCMS <script>alert(1)</script>
Here’s a simplified version of the code from the vulnerable file
<!-- views/post.php line 10 -->
<h1><?php echo $_GET['title']; ?></h1>
<div>
<?php echo $_GET['body']; ?>
</div>
There’s no htmlspecialchars() or any other function to escape the output. This is a classic XSS pattern.
`html
alert('Boom! XSS here!')
When the post is displayed, your browser will pop up an alert box.
Screenshot Example:
(Since we can't share images here, imagine a typical alert box with the message "Boom! XSS here!")
Run any action the logged-in user can (like making admin changes)
On a public website, this can be used to compromise accounts, steal data, or spread malware.
In PHP, use the htmlspecialchars() function
<h1><?php echo htmlspecialchars($_GET['title']); ?></h1>
<div>
<?php echo htmlspecialchars($_GET['body']); ?>
</div>
This will change <script> to <script> so the browser will not run it.
You should also validate and/or strip dangerous HTML on the server side.
References & More Reading
- CVE-2023-33356 on NVD
- GitHub Issue: XSS in IceCMS
- OWASP: XSS Explained
Conclusion
CVE-2023-33356 is a basic but dangerous XSS vulnerability in IceCMS v1... Anyone using this version (or building on it) should patch immediately. Always remember to never trust user input, and always escape your output.
If you run IceCMS, upgrade or patch your code. And if you’re learning web coding, let this be a good lesson in secure development!
Timeline
Published on: 05/25/2023 14:15:00 UTC
Last modified on: 05/29/2023 03:37:00 UTC