Search for hundreds of thousands of exploits

"PHPFusion 9.03.50 - Persistent Cross-Site Scripting"

Author

Exploit author

coiffeur

Platform

Exploit platform

php

Release date

Exploit published date

2020-05-21

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
# Exploit Title: PHPFusion 9.03.50 - Persistent Cross-Site Scripting
# Date: 2020-05-20
# Exploit Author: coiffeur
# Vendor Homepage: https://www.php-fusion.co.uk/home.php
# Software Link: https://www.php-fusion.co.uk/php_fusion_9_downloads.php
# Version: v9.03.50

## How?

When creating a thread or editing one of his messages with HTML content, it turns out that the injected characters are correctly escaped as it can be seen when I tried here to fuzz the message field with the string `i<3"'ivoire`.

https://therealcoiffeur.github.io/captures/c5_1.png

https://therealcoiffeur.github.io/captures/c5_2.png

https://therealcoiffeur.github.io/captures/c5_3.png

It's when I became interested in the print feature that things turned out to be interesting. Indeed, the print function allows you to simplify the page as much as possible so that it contains only text. So the print function returns all messages in text format so that the content of a thread can be easily printed (in order to generate this result it is necessary to click on the button circled in blue in figure 3). 

![alt text](../captures/c5_4.png "Figure 5: Injection of HTML character (part 3)")

![alt text](../captures/c5_5.png "Figure 6: Injection of HTML character (part 3)")

Once the page is generated by the print functionality we realize by analyzing the body of the server response, that our characters are no longer sanitized.

Now we just have to create a message that will allow us to execute JavaScript by replacing the contents of the previous message with:

```html
<img onerror="alert(1)" src=xxx>
```

https://therealcoiffeur.github.io/captures/c5_4.png

https://therealcoiffeur.github.io/captures/c5_5.png

## Why?

The route requested to generate this result is the route <span style="color:red">\<ROOT\>/print.php?type=F&item_id=1&rowstart=0</span>. It is thus page <span style="color:red">\<ROOT\>/print.php</span> which is called, with the following parameters:

```
$_GET array (size=3)
    'type' => string 'F' (length=1)
    'item_id' => string '1' (length=1)
    'rowstart' => string '0' (length=1)
```

File: <span style="color:red">\<ROOT\>/print.php</span>
```php

...

case "F":
    ...

    echo parse_textarea($data['post_message']);

    ...

```


File: <span style="color:red">\<ROOT\>/includes/core_functions_include.php</span>
```php
function parse_textarea($text, $smileys = TRUE, $bbcode = TRUE, $decode = TRUE, $default_image_folder = IMAGES, $add_line_breaks = FALSE, $descript = TRUE) {
    $text = $decode == TRUE ? html_entity_decode(stripslashes($text), ENT_QUOTES, fusion_get_locale('charset')) : $text;
    $text = $decode == TRUE ? html_entity_decode($text, ENT_QUOTES, fusion_get_locale('charset')) : $text; // decode for double encoding.
    $text = !empty($default_image_folder) ? parse_imageDir($text, $default_image_folder) : $text;
    $text = $smileys == TRUE ? parsesmileys($text) : $text;
    $text = $bbcode == TRUE ? parseubb($text) : $text;
    $text = fusion_parse_user($text);
    $text = $add_line_breaks ? nl2br($text) : $text;
    $text = $descript == TRUE ? descript($text) : $text;

    return (string)$text;
}
```

As you can see by reading the function code of `parse_textarea()`, the text is not sanitized, which leads to the Stored XSS.
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "Microsoft Windows - Win32k Elevation of Privilege" local windows nu11secur1ty
Release Date Title Type Platform Author
2020-07-01 "PHP-Fusion 9.03.60 - PHP Object Injection" webapps php coiffeur
2020-05-21 "PHPFusion 9.03.50 - Persistent Cross-Site Scripting" webapps php coiffeur
2020-05-11 "WordPress Plugin Simple File List 4.2.2 - Remote Code Execution" webapps php coiffeur
2020-05-06 "YesWiki cercopitheque 2020.04.18.1 - 'id' SQL Injection" webapps php coiffeur
2020-04-20 "WordPress Plugin Simple File List 5.4 - Remote Code Execution" webapps php coiffeur
import requests
response = requests.get('http://127.0.0.1:8181/api/v1/exploitdetails/48497/?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.