XpressEngine 1.4.5.7 - Persistent Cross-Site Scripting

EDB-ID:

17639

CVE:





Platform:

PHP

Date:

2011-08-08


Become a Certified Penetration Tester

Enroll in Advanced Web Attacks and Exploitation , the course required to become an Offensive Security Web Expert (OSWE)

GET CERTIFIED

# Exploit Title: XpressEngine version 1.4.5.7 Persistent XSS Vulnerability
# Date: 2011.08.08
# Author: v0nSch3lling
# Software Link: http://www.xpressengine.com
# Version: 1.4.5.7
# Tested on: Microsoft Windows XP SP2

# Case 1. Memeber Management(Delete Account)
	- Target : Memeber Management http://[HOST]/[XE_PATH]/index.php?module=admin&act=dispMemberAdminDeleteForm&member_srl=[ACCOUNT_NUMBER]
	- Method : Enter the XSS script in Nickname field.
			   Though the nickname length is 20 in signin step, the variable length is 40 in DB schema.
			   So you can enter nickname with length 40.
			   You can modify nickname field by local web proxy when you submit user information.
	- PoC : [XSS_SCRIPT]
	- Exploit : When the administrator delete a user account
	- Note : By this vulnerability, you can attack to the only administrator.
	
# Case 2. Member Management(Listup Account)
	- Target : Member Management http://[HOST]/[XE_PATH]/index.php?module=admin&act=dispMemberAdminInfo&member_srl=[ACCOUNT_NUMBER]
								 http://[HOST]/[XE_PATH]/index.php?module=admin&act=dispMemberAdminList
	- Method : Enter the XSS script in Homepage & Blog field
        - PoC : ">[String]</a>[XSS_SCRIPT]//
        - Exploit : When the administrator access the member management page
    	                 When the administrator access the member information page
        - Note : By this vulnerability, you can attack to the only administrator