XpressEngine 1.4.5.7 - Persistent Cross-Site Scripting

EDB-ID:

17639

CVE:

EDB Verified:

Author:

v0nSch3lling

Type:

webapps

Exploit: /

Platform:

PHP

Date:

2011-08-08

Vulnerable App:

# Exploit Title: XpressEngine version 1.4.5.7 Persistent XSS Vulnerability
# Date: 2011.08.08
# Author: v0nSch3lling
# Software Link: http://www.xpressengine.com
# Version: 1.4.5.7
# Tested on: Microsoft Windows XP SP2

# Case 1. Memeber Management(Delete Account)
	- Target : Memeber Management http://[HOST]/[XE_PATH]/index.php?module=admin&act=dispMemberAdminDeleteForm&member_srl=[ACCOUNT_NUMBER]
	- Method : Enter the XSS script in Nickname field.
			   Though the nickname length is 20 in signin step, the variable length is 40 in DB schema.
			   So you can enter nickname with length 40.
			   You can modify nickname field by local web proxy when you submit user information.
	- PoC : [XSS_SCRIPT]
	- Exploit : When the administrator delete a user account
	- Note : By this vulnerability, you can attack to the only administrator.
	
# Case 2. Member Management(Listup Account)
	- Target : Member Management http://[HOST]/[XE_PATH]/index.php?module=admin&act=dispMemberAdminInfo&member_srl=[ACCOUNT_NUMBER]
								 http://[HOST]/[XE_PATH]/index.php?module=admin&act=dispMemberAdminList
	- Method : Enter the XSS script in Homepage & Blog field
        - PoC : ">[String]</a>[XSS_SCRIPT]//
        - Exploit : When the administrator access the member management page
    	                 When the administrator access the member information page
        - Note : By this vulnerability, you can attack to the only administrator

Tags:

Advisory/Source: Link

Databases	Links	Sites	Solutions
Exploits	Search Exploit-DB	OffSec	Courses and Certifications
Google Hacking	Submit Entry	Kali Linux	Learn Subscriptions
Papers	SearchSploit Manual	VulnHub	OffSec Cyber Range
Shellcodes	Exploit Statistics		Proving Grounds
			Penetration Testing Services