CVE-2023-43876 - Exploiting XSS via the dbhost Field in OctoberCMS v3.4.16 Installation

Cross-Site Scripting (XSS) vulnerabilities are some of the most common and dangerous issues on the web. They allow an attacker to run their own malicious code in your browser, which can steal data, compromise accounts, or even take over entire websites. In this post, we'll look at a specific case: CVE-2023-43876, a stored XSS vulnerability found in the installation flow of OctoberCMS v3.4.16, where attackers can inject arbitrary JavaScript by tampering with the dbhost field.

What is OctoberCMS?

OctoberCMS is a popular open-source content management system built on Laravel. Like many CMS platforms, it has an installation wizard where users configure database settings. A flaw in this setup step is at the heart of this vulnerability.

Affected Product: OctoberCMS v3.4.16

- CVE: CVE-2023-43876

Where: Installation wizard, dbhost field

- Impact: Ability for attackers to inject JavaScript, leading to session hijacking, credential theft, or persistent site compromise.

The Flawed Code

During installation, OctoberCMS collects database connection details like hostname, username, password, and database name. The flaw lies in not properly sanitizing the value provided for dbhost. After entering these values, the installer displays a summary page where the provided data (including dbhost) is echoed back unsanitized into the HTML.

*This means if an attacker can control the installation process (for instance, on a new site, or via social engineering), they can inject payloads.*

Assume the attacker enters the following in the dbhost field

"><script>alert('xss')</script>

The summary page then renders

<input type="text" name="dbhost" value=""><script>alert('xss')</script>">

`

">

Minimal Exploit Snippet

Interested in automating this? Here’s a simple curl payload to simulate setting a malicious dbhost:

curl -X POST http://target/install.php \
  -d 'dbhost="><script>alert("Owned by CVE-2023-43876")</script>&dbuser=root&dbpass=pass&dbname=test'

When the installer loads the summary, the XSS will fire.

Attack Scenarios

- Compromising New Installs: If an attacker can access an installation, even briefly, they can leave a persistent XSS payload.
- Supply Chain Attacks: If a package is redistributed, or you’re using a webhoster’s 1-click install, such vectors may be abused.

Real-World Impact

Once the payload is stored, any admin who visits the summary page will trigger the code. Attackers can:

Mitigation

- Update OctoberCMS: Patch issued in OctoberCMS v3.4.17

Safe PHP Snippet

// Use htmlspecialchars to prevent injection
echo '<input type="text" name="dbhost" value="' . htmlspecialchars($dbhost, ENT_QUOTES, 'UTF-8') . '" />';

References

- NVD Record: CVE-2023-43876
- OctoberCMS Security Fix Pull Request
- Original Issue Discussions

Conclusion

CVE-2023-43876 is a great example of how XSS can lurk in unexpected places—even in installation forms! Remember: Always sanitize and escape user input, even at the earliest setup stages. If you use OctoberCMS, *upgrade now* and audit your other forms and plugins to prevent similar attacks.

Timeline

Published on: 09/28/2023 15:15:12 UTC
Last modified on: 09/29/2023 18:55:30 UTC