Feng Office - Stored XSS

2014-08-06T00:00:00
ID EDB-ID:34277
Type exploitdb
Reporter Juan Sacco
Modified 2014-08-06T00:00:00

Description

Feng Office - Stored XSS. Webapps exploit for php platform

                                        
                                            # Affected software: Feng Office - URL: http://www.fengoffice.com/web/demo.php
# Discovered by: Provensec
# Website: http://www.provensec.com
# Type of vulnerability: XSS Stored
#
# Feng Office is a Collaboration tool that includes a CRM, Communication,
Document Management, Tasks, E-mails, Documents, Internal messages, Time
tracking,
Billing, Calendar, Gantt Charts, Reminders, and more.
#
# Description: Feng Office is prone to a Persistent Cross Site Scripting
attack that allows a malicious user to inject HTML or scripts that can
access any cookies, session tokens, or other
sensitive information retained by your browser and used with that site.
# Proof of concept:
# 1. Create or Edit a client
# 2. Complete the field Name ( customer[name] ) using this value:
"><script>alert('XSS by Provensec')</script>
# 3. Save changes.
# 4. Share your client in the Activity feed to infect others.