[<prev] [next>] [day] [month] [year] [list]
Message-ID: <BANLkTikNYBhKS7VMb1G6i+FcAKMvJjhpSQ@mail.gmail.com>
Date: Fri, 17 Jun 2011 06:59:49 +0400
From: "iPower N/A" <vb.win32@...il.com>
To: bugtraq@...urityfocus.com
Subject: EQDKP plus Cross Site Scripting and Bypass file extension
Hello!
I have found a vulnerability in the EQDKP Plus.
More precisely in the plugin mediacenter.
Because of incorrectly checks the file extension
it is possible to upload the "htm" file and execute
XSS attack.
But with some restrictions. The plugin checks the contents for tags:
[code=plugins/mediacenter/include/mediacenter.class.php:421]
function check_content($fieldname){
$disallowed = "body|head|html|img|plaintext|a href|pre|script|table|title|php";
$disallowed_content = explode('|', $disallowed);
if (empty($disallowed_content))
{
return false;
}
[/code]
To get around this, you can use the Next design:
[code]
<iframe src="http://yandex.ru" style="display: none" onload="alert('XSS')">
</iframe>
[/code]
After downloading the file to the server, you can find the file on request:
http://site.com/dkp/plugins/mediacenter/index.php?mode=ajax&id = [ID].
[ID] - simple exhaustive search.
Example:
http://www.eqdkp-plus.com/demo06/data/d2c0752ce264405a0555a3825c2494f2/mediacenter/thumbs_b/ee5bb2c59c237307d61bcb0bae1e08f2.htm
Vulnerable versions: <=0.6.4.5
P.S.
Sorry for my bad english. :)
Best Regards,
iPower.
Powered by blists - more mailing lists