Lucene search
+L

PHP-Fusion 9.03.50 - Cross Site Scripting

🗓️ 24 May 2020 15:24:42Reported by 0daydb.comType 
0daydb
 0daydb
🔗 0daydb.com👁 270 Views

PHP-Fusion 9.03.50 Persistent Cross-Site Scripting via Print Functio

Related
Code
ReporterTitlePublishedViews
Family
0daydb
OpenEDX Ironwood 2.5 CVE-2020-13144 - Remote Code Execution
24 May 202015:29
0daydb
0daydb
WebLogic Server CVE-2020-2555 - Remote Code Execution
24 May 202015:30
0daydb
0day.today
OpenEDX platform Ironwood 2.5 - Remote Code Execution Vulnerability
21 May 202000:00
zdt
CNVD
Open edX Input Validation Error Vulnerability
19 May 202000:00
cnvd
CVE
CVE-2020-13144
18 May 202018:23
cve
Cvelist
CVE-2020-13144
18 May 202018:23
cvelist
Exploit DB
OpenEDX platform Ironwood 2.5 - Remote Code Execution
21 May 202000:00
exploitdb
EUVD
EUVD-2020-5420
7 Oct 202500:30
euvd
NVD
CVE-2020-13144
18 May 202019:15
nvd
OSV
CVE-2020-13144
18 May 202019:15
osv
Rows per page
# Exploit Title: PHPFusion 9.03.50 - Persistent Cross-Site Scripting
# Date: 2020-05-20
# Exploit Author: coiffeur
# Vendor Homepage: https://www.php-fusion.co.uk/home.php
# Software Link: https://www.php-fusion.co.uk/php_fusion_9_downloads.php
# Version: v9.03.50

## How?

When creating a thread or editing one of his messages with HTML content, it turns out that the injected characters are correctly escaped as it can be seen when I tried here to fuzz the message field with the string `i<3"'ivoire`.

https://therealcoiffeur.github.io/captures/c5_1.png

https://therealcoiffeur.github.io/captures/c5_2.png

https://therealcoiffeur.github.io/captures/c5_3.png

It's when I became interested in the print feature that things turned out to be interesting. Indeed, the print function allows you to simplify the page as much as possible so that it contains only text. So the print function returns all messages in text format so that the content of a thread can be easily printed (in order to generate this result it is necessary to click on the button circled in blue in figure 3). 

![alt text](../captures/c5_4.png "Figure 5: Injection of HTML character (part 3)")

![alt text](../captures/c5_5.png "Figure 6: Injection of HTML character (part 3)")

Once the page is generated by the print functionality we realize by analyzing the body of the server response, that our characters are no longer sanitized.

Now we just have to create a message that will allow us to execute JavaScript by replacing the contents of the previous message with:

```html
<img onerror="alert(1)" src=xxx>
```

https://therealcoiffeur.github.io/captures/c5_4.png

https://therealcoiffeur.github.io/captures/c5_5.png

## Why?

The route requested to generate this result is the route <span style="color:red">\<ROOT\>/print.php?type=F&item_id=1&rowstart=0</span>. It is thus page <span style="color:red">\<ROOT\>/print.php</span> which is called, with the following parameters:

```
$_GET array (size=3)
    'type' => string 'F' (length=1)
    'item_id' => string '1' (length=1)
    'rowstart' => string '0' (length=1)
```

File: <span style="color:red">\<ROOT\>/print.php</span>
```php

...

case "F":
    ...

    echo parse_textarea($data['post_message']);

    ...

```


File: <span style="color:red">\<ROOT\>/includes/core_functions_include.php</span>
```php
function parse_textarea($text, $smileys = TRUE, $bbcode = TRUE, $decode = TRUE, $default_image_folder = IMAGES, $add_line_breaks = FALSE, $descript = TRUE) {
    $text = $decode == TRUE ? html_entity_decode(stripslashes($text), ENT_QUOTES, fusion_get_locale('charset')) : $text;
    $text = $decode == TRUE ? html_entity_decode($text, ENT_QUOTES, fusion_get_locale('charset')) : $text; // decode for double encoding.
    $text = !empty($default_image_folder) ? parse_imageDir($text, $default_image_folder) : $text;
    $text = $smileys == TRUE ? parsesmileys($text) : $text;
    $text = $bbcode == TRUE ? parseubb($text) : $text;
    $text = fusion_parse_user($text);
    $text = $add_line_breaks ? nl2br($text) : $text;
    $text = $descript == TRUE ? descript($text) : $text;

    return (string)$text;
}
```

As you can see by reading the function code of `parse_textarea()`, the text is not sanitized, which leads to the Stored XSS.

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

24 May 2020 15:24Current
8.6High risk
Vulners AI Score8.6
EPSS0.10963
270