Feng Office – Persistent Cross-Site Scripting

• Exploit Database
• 9 阅读

• 作者： Juan Sacco
  日期： 2014-08-06
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/34277/

• # Affected software: Feng Office - URL: http://www.fengoffice.com/web/demo.php
  # Discovered by: Provensec
  # Website: http://www.provensec.com
  # Type of vulnerability: XSS Stored
  #
  # Feng Office is a Collaboration tool that includes a CRM, Communication,
  Document Management, Tasks, E-mails, Documents, Internal messages, Time
  tracking,
  Billing, Calendar, Gantt Charts, Reminders, and more.
  #
  # Description: Feng Office is prone to a Persistent Cross Site Scripting
  attack that allows a malicious user to inject HTML or scripts that can
  access any cookies, session tokens, or other
  sensitive information retained by your browser and used with that site.
  # Proof of concept:
  # 1. Create or Edit a client
  # 2. Complete the field Name ( customer[name] ) using this value:
  "><script>alert('XSS by Provensec')</script>
  # 3. Save changes.
  # 4. Share your client in the Activity feed to infect others.