Advisory: Persistent XSS Vulnerability in CMS Papoo Light v6

Advisory ID: SROEADV-2014-01
Author: Steffen Rösemann
Affected Software: CMS Papoo Version 6.0.0 Rev. 4701
Vendor URL: http://www.papoo.de/
Vendor Status: fixed
CVE-ID: -

==========================
Vulnerability Description:
==========================

The CMS Papoo Light Version has a persistent XSS vulnerability in its guestbook functionality and in its user-registration functionality.

==================
Technical Details:
==================

XSS-Vulnerability #1:

Papoo Light CMS v6 provides the functionality to post comments on a guestbook via the following URL: http://{target-url}/guestbook.php?menuid=6. The input field with the id "author" is vulnerable to XSS; the injected markup is stored in the database, which makes the vulnerability persistent.

Payload-Examples:

<img src='https://www.exploit-db.com/exploits/35551/n' onerror="javascript:alert('XSS')" >
<iframe src="some_remote_source"></iframe>

XSS-Vulnerability #2:

People can register themselves on Papoo Light v6 CMS at http://{target-url}/account.php?menuid=2. Instead of using a proper username, an attacker can inject HTML and/or JavaScript code into the username input field; the code is then written to the database backend. The attacker only has to confirm his/her e-mail address to be able to log in and spread the code by posting to the forum or the guestbook, where the username is displayed.

Payload-Examples: see above (XSS #1)

=========
Solution:
=========

Update to the latest version.

====================
Disclosure Timeline:
====================

13-Dec-2014 - found XSS #1
13-Dec-2014 - informed the developers (XSS #1)
14-Dec-2014 - found XSS #2
14-Dec-2014 - informed the developers (XSS #2)
15-Dec-2014 - release date of this security advisory
15-Dec-2014 - response and fix by vendor
15-Dec-2014 - post on BugTraq

========
Credits:
========

Vulnerability found and advisory written by Steffen Rösemann.

===========
References:
===========

http://www.papoo.de/
http://sroesemann.blogspot.de
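The two findings in the Technical Details section share one root cause: a stored, user-controlled string (guestbook author, registration username) is placed into an HTML page without encoding. The following added example, which is illustrative code and not part of the advisory or of the Papoo code base, contrasts that pattern with the fix a maintainer would apply: HTML-entity encoding at render time for every untrusted value, plus an allow-list check on usernames at registration so markup never reaches the database in the first place. The username policy, the template and the sample payloads are assumptions constructed for the demonstration.

```python
import html
import re

# Constructed sample inputs modelled on the advisory's payload examples
# (not real guestbook data); they drive both renderers below.
SAMPLE_AUTHOR_PAYLOAD = "<img src='x' onerror=\"javascript:alert('XSS')\">"
SAMPLE_IFRAME_PAYLOAD = '<iframe src="some_remote_source"></iframe>'
SAMPLE_MESSAGE = "Nice site, greetings from Bonn"

# Allow-list for usernames at registration: letters, digits, dot, underscore,
# hyphen, 3 to 32 characters. Hypothetical policy, not Papoo's own rule.
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{3,32}")


def validate_username(name: str) -> bool:
    """Reject any registration name that is not plain word-like text.

    Input validation alone is not a complete fix, but it keeps the attack
    class from the advisory (markup stored as a username) out of the database.
    """
    return USERNAME_RE.fullmatch(name) is not None


def render_entry_unsafe(author: str, message: str) -> str:
    """Stored-XSS pattern from the advisory: user-controlled strings are
    concatenated into HTML without encoding, so markup in 'author' is parsed
    as elements in every visitor's browser once the entry is served."""
    return f"<p><b>{author}</b>: {message}</p>"


def render_entry_safe(author: str, message: str) -> str:
    """Same template with HTML-entity encoding of every untrusted value.

    html.escape(quote=True) converts < > & " ' so the stored payload is
    displayed as literal text instead of being parsed as an element.
    """
    return (
        f"<p><b>{html.escape(author, quote=True)}</b>: "
        f"{html.escape(message, quote=True)}</p>"
    )


def rendered_has_injected_element(
    rendered: str, template_tags=("<p>", "</p>", "<b>", "</b>")
) -> bool:
    """Detection helper for tests or a response-scanning check: True if the
    rendered HTML contains an element that is not part of the template,
    i.e. one that arrived through data rather than through the template."""
    stripped = rendered
    for tag in template_tags:
        stripped = stripped.replace(tag, "")
    return re.search(r"<[A-Za-z]", stripped) is not None


if __name__ == "__main__":
    for payload in (SAMPLE_AUTHOR_PAYLOAD, SAMPLE_IFRAME_PAYLOAD):
        print("accepted as username:", validate_username(payload))
        unsafe = render_entry_unsafe(payload, SAMPLE_MESSAGE)
        safe = render_entry_safe(payload, SAMPLE_MESSAGE)
        print("unsafe render contains injected element:", rendered_has_injected_element(unsafe))
        print("safe render contains injected element:  ", rendered_has_injected_element(safe))
```

Encoding at the point of output is the primary control because it protects every stored value, including ones that predate the fix; the registration allow-list is defence in depth for the username field specifically, and the detection helper is the kind of assertion a regression test for the guestbook page would carry.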