[+] Credits: John Page aka hyp3rlinx [+] Website: hyp3rlinx.altervista.org [+] Source: http://hyp3rlinx.altervista.org/advisories/AS-PHPFILENAVIGATOR0812c.txt Vendor: ================================ pfn.sourceforge.net Product: =================================== PHPfileNavigator v2.3.3 (pfn) Is state-of-the-art, open source web based application to complete manage your files and folders. Vulnerability Type: ========================= Persistent & Reflected XSS CVE Reference: ============== N/A Vulnerability Details: ===================== Multiple persistent XSS vulnerable fields exist on the 'Modify User' form. nome, usuario, email etc... We can leverage existing CSRF vulnerability to update a victimz profile and store malicious XSS payload or an malicious user can inject there own payloads when updating thier profilez affecting other users and the security of the whole application. Multiple reflected XSS exists as well for following PHP pages all with same vulnerable parameter 'dir' when issuing GET requests. pfn-2.3.3 application seems to filter out into the 'Name*', 'User*' or 'Email' field and click Accept button. Injecting XSS into 'name' field will store the XSS payload in the pfn MySQL database in 'pfn_usuarios' table called 'nome' in the 'nome' column. The Same fate will happen for other injected fields 'email & 'usuario'. Reflected XSS: -------------- 1) http://localhost/PHPfileNavigator/pfn-2.3.3/navega.php?PHPSESSID=HELL&dir= "

2) http://localhost/PHPfileNavigator/pfn-2.3.3/accion.php?accion=buscador&PHPSESSID=HELL&dir= "

3) http://localhost/PHPfileNavigator/pfn-2.3.3/preferencias.php?PHPSESSID=HELL&dir= "

Disclosure Timeline: ========================================================= Vendor Notification: August 8, 2015 August 12, 2015 : Public Disclosure Severity Level: ========================================================= Medium Description: ========================================================== Request Method(s): [+] POST / GET Vulnerable Product: [+] PHPfileNavigator v2.3.3 (pfn) Vulnerable Parameter(s): [+] nome, usuario, email, dir Affected Area(s): [+] Admin Vulnerability Details: ===================== No CSRF token exists when creating user accounts, this allows us to exploit the application and add arbitrary users The ?PHPSESSID= cookie used in URL is useless as we can just replace the value with whatever. e.g. ?PHPSESSID='inthesignofevil' or just omit it all together makes no difference exploit will still succeed. Next create our form POST and a self calling Javascript function, then get a logged in user to click our malicious linx or visit our webpage where they will be PWN3D. Tested using xampp-1.7.0 Exploit code(s): =============== # 0day.today [2018-03-20] #

Query Builder