header-logo
Suggest Exploit
vendor:
XpressEngine
by:
v0nSch3lling
7.5
CVSS
HIGH
Persistent XSS
79
CWE
Product Name: XpressEngine
Affected Version From: 1.4.5.7
Affected Version To: 1.4.5.7
Patch Exists: NO
Related CWE: N/A
CPE: a:xpressengine:xpressengine:1.4.5.7
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Microsoft Windows XP SP2
2011

XpressEngine version 1.4.5.7 Persistent XSS Vulnerability

When the administrator delete a user account, an attacker can enter a XSS script in the Nickname field. Though the nickname length is 20 in signin step, the variable length is 40 in DB schema. So an attacker can enter a nickname with length 40. An attacker can also modify the nickname field by local web proxy when submitting user information. When the administrator access the member management page or the member information page, an attacker can enter a XSS script in the Homepage & Blog field.

Mitigation:

Input validation should be used to prevent XSS attacks. Sanitize user input and encode output to prevent XSS attacks.
Source

Exploit-DB raw data:

# Exploit Title: XpressEngine version 1.4.5.7 Persistent XSS Vulnerability
# Date: 2011.08.08
# Author: v0nSch3lling
# Software Link: http://www.xpressengine.com
# Version: 1.4.5.7
# Tested on: Microsoft Windows XP SP2

# Case 1. Memeber Management(Delete Account)
	- Target : Memeber Management http://[HOST]/[XE_PATH]/index.php?module=admin&act=dispMemberAdminDeleteForm&member_srl=[ACCOUNT_NUMBER]
	- Method : Enter the XSS script in Nickname field.
			   Though the nickname length is 20 in signin step, the variable length is 40 in DB schema.
			   So you can enter nickname with length 40.
			   You can modify nickname field by local web proxy when you submit user information.
	- PoC : [XSS_SCRIPT]
	- Exploit : When the administrator delete a user account
	- Note : By this vulnerability, you can attack to the only administrator.
	
# Case 2. Member Management(Listup Account)
	- Target : Member Management http://[HOST]/[XE_PATH]/index.php?module=admin&act=dispMemberAdminInfo&member_srl=[ACCOUNT_NUMBER]
								 http://[HOST]/[XE_PATH]/index.php?module=admin&act=dispMemberAdminList
	- Method : Enter the XSS script in Homepage & Blog field
        - PoC : ">[String]</a>[XSS_SCRIPT]//
        - Exploit : When the administrator access the member management page
    	                 When the administrator access the member information page
        - Note : By this vulnerability, you can attack to the only administrator

Navigation

Suggest Exploit

Services By CQR