...
==========================
- Discovered By : 0x3a
- http://iran-cyber.net
- 0x3a.taha[at]gmail.com
- Credit To Iran Cyber Security Group
- Release Date : 10.8.2016
- Level : High
==========================
I.Vulnerability
---------------
Eleanor CMS <= 1.0 - Stored Cross Site Scripting
II.BackGround
-------------
Eleanor is a CMS (content management system) used to build websites.
eleanor-cms.ru
eleanor-cms.ir
A Google search for "intext:Powered+by+Eleanor+CMS" returned about 300,000 websites hosted on Eleanor.
III.DESCRIPTION
----------------
Eleanor CMS has a stored cross-site scripting (XSS) vulnerability.
The vulnerable code is in /ELEANOR/modules/account/ajax/index.php, the AJAX handler of the account module.
It lets an authenticated user inject arbitrary HTML and JavaScript into the site.
The relevant line of /ELEANOR/modules/account/ajax/index.php is:
[Line 69] $descr=isset($_REQUEST['descr']) ? Strings::CutStr(trim($_REQUEST['descr']),497) : '';
The descr value is read from the $_REQUEST superglobal (so it can arrive via GET or POST), only trimmed and truncated to 497 characters by Strings::CutStr(), and is never HTML-encoded before being stored and rendered. Any markup in it is therefore written to the page verbatim.
Because the payload is stored, it runs in the browser of anyone who views the profile, including an administrator, which allows session cookie theft unless the session cookie is flagged HttpOnly.
IV.PROOF OF CONCEPT EXPLOIT
---------------------------
1. Register an account on a site running Eleanor CMS.
2. In your profile you can add a bookmark (the account module's add_bookmark event).
3. Put the malicious code in the bookmark's description field.
POST Parameters :
event=add_bookmark&title=0x3a&descr=<marquee><font size=8 color=red face="arial black">0x3a [Iran-Cyber.Net]</font></marquee>&href=iran-cyber.net&imp=1&value=&bmodule=0&module=account
The payload is delivered in this parameter:
[ descr ]
Screenshot : goo.gl/CTr71D
V.SYSTEM AFFECTED
-----------------
All versions of Eleanor CMS are affected.
VI.SOLUTION
-----------
Encode the value before it is placed in HTML, for example with htmlspecialchars() (with ENT_QUOTES) or htmlentities(). Note that addslashes() only escapes quotes and backslashes for string contexts and does not neutralise HTML tags, so it is not a fix for this issue.
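The following is an added example, not code from Eleanor CMS: it reproduces the pattern of the line quoted in section III, then shows that addslashes() leaves the injected tags live while htmlspecialchars() with ENT_QUOTES neutralises them. cut_str() is an assumed stand-in for Eleanor's Strings::CutStr() that only truncates, as the original line does, and the <div class="descr"> wrapper is assumed profile markup.

```php
<?php
// Added example, not Eleanor CMS code. cut_str() is an assumed stand-in for
// Strings::CutStr() that only truncates; the <div> wrapper is assumed markup.
declare(strict_types=1);

function cut_str(string $s, int $max): string
{
    return mb_substr($s, 0, $max);   // assumed: truncation only, no encoding
}

// Vulnerable handling, mirroring line 69: trim, truncate, store as-is.
function store_descr(array $request): string
{
    return isset($request['descr']) ? cut_str(trim($request['descr']), 497) : '';
}

// Hardened encoding, applied at output time. ENT_QUOTES covers both quote
// styles so the value cannot break out of an attribute either.
function encode_descr(string $stored): string
{
    return htmlspecialchars($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Rendering the stored value raw is what makes the XSS persistent.
function render_raw(string $stored): string
{
    return '<div class="descr">' . $stored . '</div>';
}

function render_safe(string $stored): string
{
    return '<div class="descr">' . encode_descr($stored) . '</div>';
}

// True if the fragment still contains a live tag ('<' followed by a letter or '/').
function has_tag(string $fragment): bool
{
    return (bool) preg_match('#<[a-z/]#i', $fragment);
}

// The advisory's payload, embedded here as constructed sample input.
$payload = '<marquee><font size=8 color=red face="arial black">0x3a [Iran-Cyber.Net]</font></marquee>';
$stored  = store_descr(['event' => 'add_bookmark', 'descr' => $payload]);

printf("stored value has live tag:         %s\n", has_tag($stored) ? 'yes' : 'no');
printf("after addslashes() has live tag:   %s\n", has_tag(addslashes($stored)) ? 'yes' : 'no');
printf("after encode_descr() has live tag: %s\n", has_tag(encode_descr($stored)) ? 'yes' : 'no');

echo "raw render:  ", render_raw($stored), PHP_EOL;
echo "safe render: ", render_safe($stored), PHP_EOL;
```

Run it with `php example.php`. The encoding belongs at every place the description is echoed into HTML; encoding once at storage time also works but must then be done consistently so the value is not double-encoded. Reading the parameter from $_POST instead of $_REQUEST is a sensible secondary hardening, but it does not by itself close the XSS.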
----
0x3a