header-logo
Suggest Exploit
vendor:
N/A
by:
WCuestas, Chelano, Perverths0, SeguridadBlanca READERS, Exploit-DB
7.5
CVSS
HIGH
Cross-Site Scripting (XSS)
79
CWE
Product Name: N/A
Affected Version From: Unknown
Affected Version To: Unknown
Patch Exists: Unknown
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
Unknown

PoC: XSS in Installation File

The web application is vulnerable to XSS in its installation file. An attacker can post data without any security, allowing them to put malicious code in the host textbox on the install.php?step=2 page. This malicious code can then be executed, allowing for path disclosure.

Mitigation:

Input validation should be used to prevent malicious code from being executed.
Source

Exploit-DB raw data:

The PoC:

1.- Preview

This web APP is Vulnerable to xss in its instalation file but you can  
misconfigurate all the
code with this bug also, you must see to understand...


2.- Vulnerable Code

function database_setup(){


   if( isset($_POST['form_data']) ){

  $host = (string) $_POST['DATABASE_HOST'];

     $user = (string) $_POST['DATABASE_USER'];

     $pass = (string) $_POST['DATABASE_PASSWORD'];

     $tabl = (string) $_POST['DATABASE_TABLESPACE'];

    $prefix = (string) $_POST['DATABASE_TABLE_PREFIX'];





3.- Expl0tation
First Bug its where you just post data without nothing in security so  
you can put in the
host textbox on the install.php?step=2 ">  
in which usually
is written localhost and in other .php files (install.php) they show  
$host so the Xss its
notable...


4.- More Vuln Code...


     $this->set_conf_property('DATABASE_HOST', $host);


you may think theres no problem with this step but...
if you write the DATABSE_HOST with host being explotated it could  
be...interesting...


5.- MORE

define('DATABASE_HOST', 'localhost');


This is the execelent example to show you how it can work like a PHP DROP...

just put something like "> in the  
DATABASE_HOST textbox

and excecute, just refresh and...

Path Disclosure...

\openchat\config.inc.php on line 135

6.- Gr33tz:

http://www.seguridadblanca.org - WCuestas - Chelano - Perverths0 -  
SeguridadBlanca READERS
- Exploit-DB && FRIENDS =)


====================
31337 HAPPY HACKING
====================