Vulners
Lucene search
PHP-Fusion 9.03.50 Cross Site Scripting
`# Exploit Title: PHPFusion 9.03.50 - Persistent Cross-Site Scripting
# Date: 2020-05-20
# Exploit Author: coiffeur
# Vendor Homepage: https://www.php-fusion.co.uk/home.php
# Software Link: https://www.php-fusion.co.uk/php_fusion_9_downloads.php
# Version: v9.03.50
## How?
When creating a thread or editing one of his messages with HTML content, it turns out that the injected characters are correctly escaped as it can be seen when I tried here to fuzz the message field with the string `i<3"'ivoire`.
https://therealcoiffeur.github.io/captures/c5_1.png
https://therealcoiffeur.github.io/captures/c5_2.png
https://therealcoiffeur.github.io/captures/c5_3.png
It's when I became interested in the print feature that things turned out to be interesting. Indeed, the print function allows you to simplify the page as much as possible so that it contains only text. So the print function returns all messages in text format so that the content of a thread can be easily printed (in order to generate this result it is necessary to click on the button circled in blue in figure 3).
Once the page is generated by the print functionality we realize by analyzing the body of the server response, that our characters are no longer sanitized.
Now we just have to create a message that will allow us to execute JavaScript by replacing the contents of the previous message with:
```html
<img onerror="alert(1)" src=xxx>
```
https://therealcoiffeur.github.io/captures/c5_4.png
https://therealcoiffeur.github.io/captures/c5_5.png
## Why?
The route requested to generate this result is the route <span style="color:red">\<ROOT\>/print.php?type=F&item_id=1&rowstart=0</span>. It is thus page <span style="color:red">\<ROOT\>/print.php</span> which is called, with the following parameters:
```
$_GET array (size=3)
'type' => string 'F' (length=1)
'item_id' => string '1' (length=1)
'rowstart' => string '0' (length=1)
```
File: <span style="color:red">\<ROOT\>/print.php</span>
```php
...
case "F":
...
echo parse_textarea($data['post_message']);
...
```
File: <span style="color:red">\<ROOT\>/includes/core_functions_include.php</span>
```php
function parse_textarea($text, $smileys = TRUE, $bbcode = TRUE, $decode = TRUE, $default_image_folder = IMAGES, $add_line_breaks = FALSE, $descript = TRUE) {
$text = $decode == TRUE ? html_entity_decode(stripslashes($text), ENT_QUOTES, fusion_get_locale('charset')) : $text;
$text = $decode == TRUE ? html_entity_decode($text, ENT_QUOTES, fusion_get_locale('charset')) : $text; // decode for double encoding.
$text = !empty($default_image_folder) ? parse_imageDir($text, $default_image_folder) : $text;
$text = $smileys == TRUE ? parsesmileys($text) : $text;
$text = $bbcode == TRUE ? parseubb($text) : $text;
$text = fusion_parse_user($text);
$text = $add_line_breaks ? nl2br($text) : $text;
$text = $descript == TRUE ? descript($text) : $text;
return (string)$text;
}
```
As you can see by reading the function code of `parse_textarea()`, the text is not sanitized, which leads to the Stored XSS.
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
20 May 2020 00:00Current