扫码分享
验证:
体验盒子#####################################################################################
#Title: WB News (Webmobo) 2.3.3 Stored XSS#
#Vendor:http://www.webmobo.org/ #
#####################################################################################
#AUTHOR:ITSecTeam #
#Email: Bug@ITSecTeam.com #
#Website: http://www.itsecteam.com#
#Forum :http://forum.ITSecTeam.com#
#Original Advisory: www.ITSecTeam.com/en/vulnerabilities/vulnerability44.htm#
#Thanks:r3dm0v3 [r3dm0v3_at_ymail.com], Pejvak, am!rkh@n#
#####################################################################################
#DESCRIPTION (by vendor):############################################################
WB News is a PHP news management system which requires MySQL/PostgreSQL database.
The system is meant for quick and easy build to integrate news into an existing
site or used as a framework with many systems such as Authentication, Template Engine,
Database Abstration and more.
#BUG:################################################################################
file /base/Comments.php:
85: foreach ( $comments as $comment )
86: {
87: $rows[] = array(
88: "message" => nl2br( textWrap( htmlspecialchars( filter( $comment["message"] ) ) ) ),
89: "name" => NULL != $comment["postname"] ? $comment["postname"] : $comment["name"], //<---vulnerable line
90: "date" => tz_date( Configuration::getInstance()->getOption("dateFormat"), $comment["timeposted"] )
91: );
92: }
file /templates/default/list-comments.ihtml:
17: <td><strong><?php echo __("Posted By") ?>:</strong> <?php echo $r["name"] ?> On: <?php echo $r["date"] ?></td>
Comment sender's name is not filtered and is sent to browser!
#EXPLOIT:############################################################################
goto comments and post any script as comment sender's name!
体验盒子
