Cross-Site Scripting (XSS) in Feng Office

2013-09-18T00:00:00
ID HTB23174
Type htbridge
Reporter High-Tech Bridge
Modified 2013-10-09T00:00:00

Description

High-Tech Bridge Security Research Lab discovered a vulnerability in Feng Office which can be exploited to perform Cross-Site Scripting (XSS) attacks against users of the vulnerable application.

1) Cross-Site Scripting (XSS) in Feng Office: CVE-2013-5744
1.1 The vulnerability exists due to insufficient sanitisation of user-supplied data in the "ref_[any]" HTTP GET parameter passed to the "/index.php" script. A remote attacker can trick a logged-in user into opening a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
The exploitation example below uses the JavaScript "alert()" function to display the user's cookies:
http://[host]/index.php?c=access&a=login&ref_abc=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
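
Requests of this shape can be found in web server access logs. The script below is an added example, not part of the original advisory or of Feng Office: it flags requests to "/index.php" in which any "ref_" parameter decodes, including through repeated percent-encoding, to HTML metacharacters. The combined log format, the sample lines and all function names are assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Characters that let a reflected value close an HTML attribute or open a tag.
MARKUP = re.compile(r'["\'<>]')
# Request line inside a combined-format access log entry (assumed log format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, rounds=3):
    """Undo extra layers of percent-encoding (e.g. %2522 -> %22 -> ")."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_ref_params(url):
    """Return (name, decoded value) for ref_* parameters of /index.php that carry markup."""
    parts = urlsplit(url)
    if not parts.path.endswith("/index.php"):
        return []
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        value = fully_decode(value)  # parse_qsl has already decoded one layer
        if name.startswith("ref_") and MARKUP.search(value):
            hits.append((name, value))
    return hits

def scan_log(lines):
    """Return (line number, parameter name, decoded value) for each flagged request."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if match:
            findings.extend((number, n, v) for n, v in suspicious_ref_params(match.group(1)))
    return findings

# Constructed sample log lines (documentation IP addresses, invented timestamps).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Oct/2013:10:00:00 +0000] "GET /index.php?c=access&a=login&ref_c=dashboard HTTP/1.1" 200 5120',
    '192.0.2.11 - - [01/Oct/2013:10:00:05 +0000] "GET /index.php?c=access&a=login&ref_abc=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E HTTP/1.1" 200 5300',
    '192.0.2.12 - - [01/Oct/2013:10:00:09 +0000] "GET /index.php?c=access&a=login&ref_x=%2522%253E HTTP/1.1" 200 5290',
    '192.0.2.13 - - [01/Oct/2013:10:00:12 +0000] "GET /other.php?ref_a=%3Cb%3E HTTP/1.1" 404 310',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

A hit shows only that markup was sent in a "ref_" parameter; whether it was reflected unescaped depends on the installed Feng Office version.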