XODA Document Management System 0.4.5 XSS / Shell Upload

Type packetstorm
Reporter Shai rod
Modified 2012-08-22T00:00:00


                                            `# Exploit Title: XODA Document Management System Stored XSS & Arbitrary File Upload Vulnerability.  
# Date: 21/08/2012  
# Exploit Author: Shai rod (@NightRang3r)  
# Vendor Homepage: http://xoda.org/  
# Software Link: http://sourceforge.net/projects/xoda/files/xoda/xoda-0.4.5/  
# Version: 0.4.5  
#Gr33Tz: @aviadgolan , @benhayak, @nirgoldshlager, @roni_bachar  
About the Application:  
XODA targets the end-user allowing organizing of documents in a professional manner.  
Vulnerability Description  
1. Arbitrary File Upload:  
It is possible to access the file upload page "?upload_to=" without the need to authenticate (log in) to the XODA system.  
An attacker is able to upload a web shell to the server and gain unauzhorized access to the operating system.  
Vulnerable URL: http://server/xodadir/?upload_to=  
Default location of uploaded files: http://server/xodadir/files/  
2. Stored XSS in file description.  
Steps to reproduce the XSS:  
2.1 Select a document.  
2.2 Click on description.  
2.3 Enter XSS Payload: <img src='1.jpg'onerror=javascript:alert(document.cookie)>  
2.4 Reload the page XSS Should be triggered.  
3. Stored XSS in filters.  
Steps to reproduce the XSS:  
3.1 Select the document.  
3.2 Click on filters.  
3.3 In the "Filters (one per line):" field insert XSS paload: <img src='1.jpg'onerror=javascript:alert(document.cookie)>  
3.4 Click "Set filters".  
3.5 Click on the document icon to open its properties.  
3.6 XSS Should be triggered.