
DataLife Engine 11.1 - Stored Cross Site Scripting XSS


==========================
- Discovered By : 0x3a - http://iran-cyber.net - taha[dot]0x3a[at]gmail[dot]com
- Credit To Iran Cyber Security Group
- Release Date : 10.8.2016
- Level : High
==========================

I. Vulnerability
----------------
DataLife Engine <= 11.1 : Cross Site Scripting
Lower versions are also affected: DataLife Engine 11, DataLife Engine 10

II. Background
--------------
DataLife Engine (DLE) is a CMS with which you can build your website and forum.
https://dle-news.com/
https://ru.wikipedia.org/wiki/DataLife_Engine
A Google search for "intext:Powered+by+DataLife+Engine" returned about 1 million websites hosted on DLE:
https://www.google.com/search?q=intext:Powered+by+DataLife+Engine

III. Introduction
-----------------
DataLife Engine is a multifunctional Content Management System. Thanks to a very powerful news, article and user management system, DataLife Engine is designed primarily for creating mass-media websites and blogs on the Internet.

IV. Description
---------------
DLE has a security problem: it can be exploited by an XSS attack. The vulnerability is in /DLE/engine/preview.php, and with it you can inject malicious code into the website. The relevant code in the /DLE/engine/preview.php source file is:

    if( $config['allow_site_wysiwyg'] ) {
        $title = stripslashes( $parse->process( $_POST['title'] ) );

The $_POST['title'] value is used without any filter, which creates the XSS vulnerability. It can be used for a cookie hijacking attack, because whenever a user submits a post an administrator must review it and approve it.

V. Proof of Concept Exploit
---------------------------
First, register on the DLE website. Then you can submit a post. Complete all fields, open Live HTTP Headers, and click the preview button.

POST parameters:

    title=Test&catlist%5B%5D=1&vote_title=&frage=&vote_body=&short_story=Test&full_story=Test&tags=&sec_code=174991&nview=&mod=preview

The payload goes in the [ title ] parameter:

    title=<marquee>Discovered By 0x3a [ Iran Cyber Security Group]</marquee>&catlist%5B%5D=1&vote_title=&frage=&vote_body=&short_story=Test&full_story=Test&tags=&sec_code=174991&nview=&mod=preview

VI. System Affected
-------------------
All versions of DLE are affected.

VII. Solution
-------------
1. Use a filter function such as htmlspecialchars(), addslashes() or htmlentities() to patch this vulnerability.
2. You can disable registration on your website, but ...

------
0x3a
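The pattern behind the description above, shown as an added PHP example that is not DataLife Engine's own code: a hypothetical preview-rendering function in its vulnerable form (the request value reaches the HTML output unescaped) beside a hardened form that escapes at the point of output. The request array is constructed to mirror the PoC parameters on this page; the function names and the `<h1>` wrapper are assumptions, not DLE's.

```php
<?php
// Added example (not DataLife Engine's code). Models the preview.php
// pattern from the advisory with a hypothetical render function.

declare(strict_types=1);

// Vulnerable pattern: the submitted title is interpolated into HTML as-is,
// so any tags it contains become part of the page.
function render_preview_title_unsafe(array $post): string
{
    $title = stripslashes($post['title'] ?? '');
    return "<h1>{$title}</h1>";
}

// Hardened pattern: escape for the HTML context at the point of output.
// ENT_QUOTES also escapes single quotes so the same helper is safe inside
// attribute values; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
// returning an empty string (which would silently drop the title).
function render_preview_title_safe(array $post): string
{
    $title   = stripslashes($post['title'] ?? '');
    $escaped = htmlspecialchars($title, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return "<h1>{$escaped}</h1>";
}

// Detection helper: does the rendered fragment still contain a raw tag?
function contains_raw_tag(string $html, string $tag): bool
{
    return stripos($html, '<' . $tag) !== false;
}

// Constructed request body mirroring the PoC parameters on this page.
$constructedPost = [
    'title'       => '<marquee>Discovered By 0x3a [ Iran Cyber Security Group]</marquee>',
    'short_story' => 'Test',
    'full_story'  => 'Test',
    'mod'         => 'preview',
];

$unsafe = render_preview_title_unsafe($constructedPost);
$safe   = render_preview_title_safe($constructedPost);

echo 'unsafe render keeps <marquee>: ', var_export(contains_raw_tag($unsafe, 'marquee'), true), PHP_EOL;
echo 'safe render keeps <marquee>:   ', var_export(contains_raw_tag($safe, 'marquee'), true), PHP_EOL;
echo $safe, PHP_EOL;

// addslashes() only prefixes quotes and backslashes with a backslash; the
// angle brackets survive, so on its own it does not close this hole.
$slashed = addslashes($constructedPost['title']);
echo 'addslashes() keeps <marquee>:  ', var_export(contains_raw_tag($slashed, 'marquee'), true), PHP_EOL;
```

Run it with `php example.php`. Of the three functions the advisory's solution lists, only htmlspecialchars() and htmlentities() neutralise markup for an HTML context; addslashes() is included in the example to show that it leaves the tag intact. Marking the session cookie HttpOnly limits the cookie-hijacking impact described above but does not remove the injection itself, so the output escaping is the actual fix.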
