e107 Persistent XSS vulnerability

Reported: 21 Feb 2013 by Zyklon B
Type: zdt
Source: 0day.today

E107 CMS Persistent XSS vulnerability affecting versions 0.7.22 to 1.0.3 RC1

Code
###############################################################################

# Exploit Title: E107 CMS Persistent XSS vulnerability
# Google Dork: "intitle:e107 powered website" | inurl:e107_admin  |  ...
# Date: 18/02/2013
# Exploit Author: Zyklon B
# Vendor Homepage: http://e107.org/
# Software Link: http://sourceforge.net/projects/e107/files/e107/
# Version: 0.7.22 ; 0.7.23 ; 0.7.24 ; 0.7.25 ; 0.7.26 ; 1.0.0 ; 1.0.1 ; 1.0.2 rc1 ; 1.0.2 ; 1.0.3 RC1 (Untested for older versions)
# Tested on: Windows 7 x86 - Browser: Firefox


ADMIN ACCESS REQUIRED.

RISK LEVEL: MEDIUM.


###############################################################################

Demo: http://www.softaculous.com/demos/e107  - usr: admin ; pwd: password


Method: POST


Vulnerable file: TARGET/e107_admin/banlist.php


Vulnerable parameters: ban_ip 
                       ban_reason


Form fields corresponding to these parameters: "Enter IP, email address, or host"
                                               "Reason"



STEPS (localhost):


1-Go to http://localhost/name_of_the_cms_folder/e107_admin/banlist.php


2- Enter the following in either of these fields: <script>YOUR_XSS_SCRIPT_GOES_HERE</script>

Examples:
<script>window.location="http://www.google.com/";</script>
<script>alert(document.cookie)</script>
and so on.


3- Done. Every time banlist.php is loaded again, the stored script executes (the admin page that
   would normally be used to remove the entry is the page that runs the payload). The only way to
   remove it is to delete the row with phpMyAdmin or another SQL client.
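The mechanism behind the steps above is a missing output-encoding step: whatever the admin submits in ban_ip / ban_reason is written back into banlist.php unchanged, which is also why the ban-reason page shown to banned visitors (see the impact notes) carries the same payload. The Python below is an added illustration, not e107's code: it renders a constructed ban list the vulnerable way and the hardened way (every stored value HTML-encoded at the point of output, the same effect as PHP's htmlspecialchars() with ENT_QUOTES), runs a small parser over both renderings to show which one contains live script or event-handler markup, and adds the input-side check the field label ("IP, email address, or host") suggests. The table layout, helper names, the third (attribute-context) payload and the length cap are assumptions; the first two payloads are the ones given in this advisory.

```python
"""Stored XSS in an admin ban list: the unsafe render pattern beside a hardened one.

Added example, not e107 code. Row layout, HTML template and helper names are
assumptions; ban_ip / ban_reason are the parameter names from the advisory and
the first two payloads are the ones it gives.
"""
import html
import ipaddress
import re
from html.parser import HTMLParser

# Constructed rows, as they might sit in the database after the POST to
# banlist.php described above. Row 1 is benign, row 2 carries the advisory's
# two example payloads, row 3 goes beyond the advisory with a payload aimed at
# an attribute context rather than element text.
BANS = [
    {"ban_ip": "203.0.113.7", "ban_reason": "spam"},
    {"ban_ip": "<script>alert(document.cookie)</script>",
     "ban_reason": '<script>window.location="http://www.google.com/";</script>'},
    {"ban_ip": '" onmouseover="alert(1)', "ban_reason": "attribute breakout"},
]


def render_unsafe(bans):
    """The vulnerable pattern: stored values are interpolated into markup as-is."""
    rows = [
        f'<tr><td title="{b["ban_ip"]}">{b["ban_ip"]}</td><td>{b["ban_reason"]}</td></tr>'
        for b in bans
    ]
    return "<table>" + "".join(rows) + "</table>"


def esc(value):
    """Output encoding for HTML text and quoted-attribute context: & < > " '
    become entities (Python's equivalent of htmlspecialchars(..., ENT_QUOTES))."""
    return html.escape(str(value), quote=True)


def render_safe(bans):
    """Same template, every untrusted value encoded at the point of output."""
    rows = [
        f'<tr><td title="{esc(b["ban_ip"])}">{esc(b["ban_ip"])}</td>'
        f'<td>{esc(b["ban_reason"])}</td></tr>'
        for b in bans
    ]
    return "<table>" + "".join(rows) + "</table>"


class ActiveMarkupFinder(HTMLParser):
    """Records <script> elements and on* event-handler attributes. The template
    above emits neither, so any hit means stored data became live markup."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.hits.append("<script> element")
        for name, _value in attrs:
            if name.startswith("on"):
                self.hits.append(f"<{tag}> {name}= handler")


def find_active_markup(page):
    """Return the list of script elements / event handlers found in a rendered page."""
    finder = ActiveMarkupFinder()
    finder.feed(page)
    finder.close()
    return finder.hits


# Defence in depth on the input side: the field is documented as taking an IP,
# an e-mail address or a host name, so anything else can be rejected before it
# reaches the database. Wildcard targets such as 203.0.113.* are assumed to be
# legitimate and are allowed by the host pattern. The reason cap is an assumed
# value; the advisory notes the field currently has no limit at all.
HOST_RE = re.compile(r"^[A-Za-z0-9*][A-Za-z0-9*.:-]{0,254}$")
EMAIL_RE = re.compile(r"^[^@\s<>\"']{1,64}@[A-Za-z0-9.-]{1,253}$")
MAX_REASON_LEN = 250


def validate_ban_input(ban_ip, ban_reason):
    """Return (ok, message). Input validation complements, never replaces, esc()."""
    target = ban_ip.strip()
    try:
        ipaddress.ip_address(target)
        is_ip = True
    except ValueError:
        is_ip = False
    if not (is_ip or HOST_RE.match(target) or EMAIL_RE.match(target)):
        return False, "ban_ip must be an IP address, e-mail address or host name"
    if len(ban_reason) > MAX_REASON_LEN:
        return False, f"ban_reason longer than {MAX_REASON_LEN} characters"
    return True, "ok"


if __name__ == "__main__":
    print("unsafe render:", find_active_markup(render_unsafe(BANS)))
    print("safe render:  ", find_active_markup(render_safe(BANS)))
    for b in BANS:
        print(repr(b["ban_ip"]), "->", validate_ban_input(b["ban_ip"], b["ban_reason"]))
```

Run as a script: the unsafe rendering reports two script elements and one onmouseover handler, the safe rendering reports nothing, and only the first row passes validation. The parser-based check is deliberate: a plain substring search for "onmouseover=" would also fire on the encoded, harmless title attribute in the safe rendering, whereas a parser only reports attributes that the browser would actually treat as handlers.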


---------------------------------------------------------------------------------
View - screenshot under E107 v1.0.2 (localhost): http://i.imgur.com/TfSn1nv.png
       screenshot in the source code: http://i.imgur.com/KnMCfua.png
---------------------------------------------------------------------------------


*********************************************
Impact noted: 

-Site owner: any administrator who opens the ban list executes the stored script, so an attacker who has obtained admin access can redirect administrators to a malicious URL or script (e.g. a cookie stealer).

-Banned users: when a visitor from a banned IP connects, the site displays the reason for the ban. If the ban_reason field linked to that IP carries a payload,
the visitor is exposed to malicious redirection and/or broken pages.

-As there is apparently no length limit on these fields, a full XSS worm could be stored in them.

*********************************************

#  0day.today [2018-03-14]  #
