DataLife Engine versions 11.1 and below suffer from a cross site scripting vulnerability.
ea889cf18fd2c4e8f46edc59936b5c7c8def113b7e7918f531a75da94518c057
==========================
- Discovered By : 0x3a
- http://iran-cyber.net
- taha[dot]0x3a[at]gmail[dot]com
- Credit To Iran Cyber Security Group
- Release Date : 10.8.2016
- Level : High
==========================
I. Vulnerability
----------------
DataLife Engine 11.1 and lower: Cross Site Scripting
DataLife Engine 11
DataLife Engine 10
II. Background
--------------
DataLife Engine (DLE) is a CMS for building websites and forums.
https://dle-news.com/
https://ru.wikipedia.org/wiki/DataLife_Engine
A Google search for "intext:Powered+by+DataLife+Engine" returns about 1
million websites hosted on DLE:
https://www.google.com/search?q=intext:Powered+by+DataLife+Engine
III. Introduction
-----------------
DataLife Engine is a multifunctional Content Management System. Thanks
to a very powerful news, article and user management system,
DataLife Engine is designed primarily for creating mass-media websites
and blogs on the Internet.
IV. DESCRIPTION
---------------
DLE has a security problem: it can be exploited by a cross-site scripting (XSS) attack.
The vulnerability is in /DLE/engine/preview.php.
With this vulnerability you can inject your malicious code into the website.
The vulnerable lines can be found in the /DLE/engine/preview.php source file:

    if( $config['allow_site_wysiwyg'] ) {
        $title = stripslashes( $parse->process( $_POST['title'] ) );

The value of $_POST['title'] is used without any filter, which creates the XSS vulnerability.
With this vulnerability you can perform a cookie hijacking attack, because
any text you post must be checked and approved by the admin.
V. PROOF OF CONCEPT EXPLOIT
---------------------------
First you must register on the DLE website.
Then you can create a post. Fill in all fields, open HTTP Live Headers, and click
the preview button.
POST parameters:
title=Test&catlist%5B%5D=1&vote_title=&frage=&vote_body=&short_story=Test&full_story=Test&tags=&sec_code=174991&nview=&mod=preview
The payload runs in this parameter:
[ title ]
title=<marquee>Discovered By 0x3a [ Iran Cyber Security Group]</marquee>&catlist%5B%5D=1&vote_title=&frage=&vote_body=&short_story=Test&full_story=Test&tags=&sec_code=174991&nview=&mod=preview
VI. SYSTEM AFFECTED
-------------------
All versions of DLE are affected.
VII. SOLUTION
-------------
1. Filter the title with a function such as htmlspecialchars(), addslashes()
   or htmlentities() to patch this vulnerability.
2. You can disable registration on your website, but ...
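The following is an added example and not DLE's own code. It reproduces the preview.php pattern from section IV (a submitted title copied into HTML) in an unsafe form next to a hardened form that applies the output encoding recommended in section VII. The function names render_title_unsafe and render_title_safe are hypothetical, the $parse->process() call from the original is omitted, and the sample input is constructed. It also shows why addslashes() on its own does not stop XSS: it escapes quotes and backslashes but leaves angle brackets untouched, so htmlspecialchars() or htmlentities() is the one to use for HTML output.

```php
<?php
// Added example, not code from DataLife Engine.
// Unsafe pattern, modelled on the advisory's preview.php excerpt:
// the submitted title goes into HTML with no encoding, so any markup
// in it is interpreted by the browser.
function render_title_unsafe(string $title): string
{
    return '<h1 class="preview-title">' . stripslashes($title) . '</h1>';
}

// Hardened form: encode the title for an HTML text context.
// ENT_QUOTES encodes both quote styles (needed if the value ever lands in
// an attribute), ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning
// an empty string, and the explicit charset avoids encoding mismatches.
function render_title_safe(string $title): string
{
    $encoded = htmlspecialchars(
        stripslashes($title),
        ENT_QUOTES | ENT_SUBSTITUTE,
        'UTF-8'
    );
    return '<h1 class="preview-title">' . $encoded . '</h1>';
}

// Constructed sample input, shaped like the advisory's marquee payload.
$posted = ['title' => '<marquee>Discovered By 0x3a</marquee>'];

echo "unsafe: ", render_title_unsafe($posted['title']), PHP_EOL;
echo "safe:   ", render_title_safe($posted['title']), PHP_EOL;

// addslashes() is a string-escaping helper, not an HTML encoder: it does
// not touch '<' or '>', so the tag would still render if this were output.
$escaped = addslashes($posted['title']);
echo "addslashes leaves tags intact: ",
    ($escaped === $posted['title'] ? 'yes' : 'no'), PHP_EOL;
```

The safe variant is the one to apply at every point where $title is written into the page (the preview template as well as the stored article), since encoding once at input time and again at output time is harmless, but encoding at neither is the bug described above.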
------
0x3a