Securin Zero-Days

As per the documentation of the Ocportal, a value in a template that is not meant to contain HTML is marked as an escaped value ({VALUE*}). This means that ‘HTML entities’ are put in replacement of HTML control characters.

Here the VALUE that is marked with * symbol will be filtered with the XSS filter, and it will be sanitized before displaying it to the user, but they forgot to mark FIELD_NAME in OCF_EMOTICON_CELL.tplfile.\ocportal\themes\default\templates\OCF_EMOTICON_CELL.tpl

The View_all link beside the emoticons in the following screen is having this FIELD_NAME variable.

The View_all link is sending the following GET request to the server

The following is the source code of emoticons.php file\ocportal\data\emotions.php

The following is the code related to emoticons_script function in misc_scritps.php file\ocportal\sources\misc_scripts.php
\ocportal\sources\misc_scripts.php

Code that is loading the template file with the user-entered input \ocportal\sources\misc_scripts.php

This code is reading the GET request parameter field_name and displaying it back to the user without filtering because of the variable is not marked with * symbol. Obviously, it will not go for any filtration.

GET request to emoticons.php with script vector as the value of field_name

And the inserted payload is reflecting back to the user, as shown in the following screen.