Search for hundreds of thousands of exploits

"PHPFusion 9.03.50 - Persistent Cross-Site Scripting"

Author

Exploit author

coiffeur

Platform

Exploit platform

php

Release date

Exploit published date

2020-05-21

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
# Exploit Title: PHPFusion 9.03.50 - Persistent Cross-Site Scripting
# Date: 2020-05-20
# Exploit Author: coiffeur
# Vendor Homepage: https://www.php-fusion.co.uk/home.php
# Software Link: https://www.php-fusion.co.uk/php_fusion_9_downloads.php
# Version: v9.03.50

## How?

When creating a thread or editing one of his messages with HTML content, it turns out that the injected characters are correctly escaped as it can be seen when I tried here to fuzz the message field with the string `i<3"'ivoire`.

https://therealcoiffeur.github.io/captures/c5_1.png

https://therealcoiffeur.github.io/captures/c5_2.png

https://therealcoiffeur.github.io/captures/c5_3.png

It's when I became interested in the print feature that things turned out to be interesting. Indeed, the print function allows you to simplify the page as much as possible so that it contains only text. So the print function returns all messages in text format so that the content of a thread can be easily printed (in order to generate this result it is necessary to click on the button circled in blue in figure 3). 

![alt text](../captures/c5_4.png "Figure 5: Injection of HTML character (part 3)")

![alt text](../captures/c5_5.png "Figure 6: Injection of HTML character (part 3)")

Once the page is generated by the print functionality we realize by analyzing the body of the server response, that our characters are no longer sanitized.

Now we just have to create a message that will allow us to execute JavaScript by replacing the contents of the previous message with:

```html
<img onerror="alert(1)" src=xxx>
```

https://therealcoiffeur.github.io/captures/c5_4.png

https://therealcoiffeur.github.io/captures/c5_5.png

## Why?

The route requested to generate this result is the route <span style="color:red">\<ROOT\>/print.php?type=F&item_id=1&rowstart=0</span>. It is thus page <span style="color:red">\<ROOT\>/print.php</span> which is called, with the following parameters:

```
$_GET array (size=3)
    'type' => string 'F' (length=1)
    'item_id' => string '1' (length=1)
    'rowstart' => string '0' (length=1)
```

File: <span style="color:red">\<ROOT\>/print.php</span>
```php

...

case "F":
    ...

    echo parse_textarea($data['post_message']);

    ...

```


File: <span style="color:red">\<ROOT\>/includes/core_functions_include.php</span>
```php
function parse_textarea($text, $smileys = TRUE, $bbcode = TRUE, $decode = TRUE, $default_image_folder = IMAGES, $add_line_breaks = FALSE, $descript = TRUE) {
    $text = $decode == TRUE ? html_entity_decode(stripslashes($text), ENT_QUOTES, fusion_get_locale('charset')) : $text;
    $text = $decode == TRUE ? html_entity_decode($text, ENT_QUOTES, fusion_get_locale('charset')) : $text; // decode for double encoding.
    $text = !empty($default_image_folder) ? parse_imageDir($text, $default_image_folder) : $text;
    $text = $smileys == TRUE ? parsesmileys($text) : $text;
    $text = $bbcode == TRUE ? parseubb($text) : $text;
    $text = fusion_parse_user($text);
    $text = $add_line_breaks ? nl2br($text) : $text;
    $text = $descript == TRUE ? descript($text) : $text;

    return (string)$text;
}
```

As you can see by reading the function code of `parse_textarea()`, the text is not sanitized, which leads to the Stored XSS.
Release DateTitleTypePlatformAuthor
2020-09-18"Mantis Bug Tracker 2.3.0 - Remote Code Execution (Unauthenticated)"webappsphp"Nikolas Geiselman"
2020-09-16"Piwigo 2.10.1 - Cross Site Scripting"webappsphpIridium
2020-09-15"ThinkAdmin 6 - Arbitrarily File Read"webappsphpHzllaga
2020-09-15"Tailor MS 1.0 - Reflected Cross-Site Scripting"webappsphpboku
2020-09-14"Joomla! paGO Commerce 2.5.9.0 - SQL Injection (Authenticated)"webappsphp"Mehmet Kelepçe"
2020-09-10"CuteNews 2.1.2 - Remote Code Execution"webappsphp"Musyoka Ian"
2020-09-09"Tailor Management System - 'id' SQL Injection"webappsphpMosaaed
2020-09-07"grocy 2.7.1 - Persistent Cross-Site Scripting"webappsphp"Mufaddal Masalawala"
2020-09-03"BloodX CMS 1.0 - Authentication Bypass"webappsphpBKpatron
2020-09-03"Daily Tracker System 1.0 - Authentication Bypass"webappsphp"Adeeb Shah"
Release DateTitleTypePlatformAuthor
2020-07-01"PHP-Fusion 9.03.60 - PHP Object Injection"webappsphpcoiffeur
2020-05-21"PHPFusion 9.03.50 - Persistent Cross-Site Scripting"webappsphpcoiffeur
2020-05-06"YesWiki cercopitheque 2020.04.18.1 - 'id' SQL Injection"webappsphpcoiffeur
2020-04-20"WordPress Plugin Simple File List 5.4 - Remote Code Execution"webappsphpcoiffeur
import requests
response = requests.get('https://www.nmmapper.com/api/v1/exploitdetails/48497/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.