... ========================== - Discovered By : 0x3a - http://iran-cyber.net - 0x3a.taha[at]gmail.com - Credit To Iran Cyber Security Group - Release Date : 10.8.2016 - Level : High ========================== I.Vulnerability --------------- Eleanor 1.0 <= Stored Cross Site Scripting II.BackGround ------------- Eleanor is CMS that you make your website with it. eleanor-cms.ru eleanor-cms.ir a google search "intext:Powered+by+Eleanor+CMS" returned about 300.000 website hosted by ELEANOR. III.DESCRIPTION ---------------- Eleanor have security problem. it can be exploited by xss attack. This vulnerability occurs in /ELEANOR/modules/account/ajax/index.php. With this vulnerability you can inject your malicious code in website. These restrictions can be found in /ELEANOR/modules/account/ajax/index.php source file: [Line 69] $descr=isset($_REQUEST['descr']) ? Strings::CutStr(trim($_REQUEST['descr']),497) : ''; They used $_REQUEST function without any filter that make XSS vulnerability. With this vulnerability you can make cookie hijacking attack if admin see your profile. IV.PROOF OF CONCEPT EXPLOIT --------------------------- 1. Register in site that hosted by Eleanor CMS. 2. You can add address in your profile. 3. in description you can send your malicious code . POST Parameters : event=add_bookmark&title=0x3a&descr=<marquee><font size=8 color=red face="arial black">0x3a [Iran-Cyber.Net]</font></marquee>&href=iran-cyber.net&imp=1&value=&bmodule=0&module=account And you can run your payload in this parameter : [ descr ] Pic Test : goo.gl/CTr71D V.SYSTEM AFFECTED ----------------- All version of Eleanor CMS affected . VI.SOLUTION ----------- You can use filter function like as htmlspecialchars() , addslash() , htmlentities() to patch this vulnerability ---- 0x3a