XODA Document Management System 0.4.5 XSS / Shell Upload

2012.08.23
Credit: Shai rod
Risk: High
Local: No
Remote: Yes
CVE: N/A

# Exploit Title: XODA Document Management System Stored XSS & Arbitrary File Upload Vulnerability. # Date: 21/08/2012 # Exploit Author: Shai rod (@NightRang3r) # Vendor Homepage: http://xoda.org/ # Software Link: http://sourceforge.net/projects/xoda/files/xoda/xoda-0.4.5/ # Version: 0.4.5 #Gr33Tz: @aviadgolan , @benhayak, @nirgoldshlager, @roni_bachar About the Application: ====================== XODA targets the end-user allowing organizing of documents in a professional manner. Vulnerability Description ========================= 1. Arbitrary File Upload: It is possible to access the file upload page "?upload_to=" without the need to authenticate (log in) to the XODA system. An attacker is able to upload a web shell to the server and gain unauzhorized access to the operating system. Vulnerable URL: http://server/xodadir/?upload_to= Default location of uploaded files: http://server/xodadir/files/ 2. Stored XSS in file description. Steps to reproduce the XSS: 2.1 Select a document. 2.2 Click on description. 2.3 Enter XSS Payload: <img src='1.jpg'onerror=javascript:alert(document.cookie)> 2.4 Reload the page XSS Should be triggered. 3. Stored XSS in filters. Steps to reproduce the XSS: 3.1 Select the document. 3.2 Click on filters. 3.3 In the "Filters (one per line):" field insert XSS paload: <img src='1.jpg'onerror=javascript:alert(document.cookie)> 3.4 Click "Set filters". 3.5 Click on the document icon to open its properties. 3.6 XSS Should be triggered.

References:

http://sourceforge.net/projects/xoda/files/xoda/xoda-0.4.5/


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top