Jump to content
Aerosol

4images Cross Site Scripting / Clickjacking

By Aerosol, in Exploituri

Recommended Posts

Aerosol Newbie

Aerosol

Posted
Posted 

# Affected software: 4images
# Type of vulnerability: clickjacking,xss
# URL: http://www.4homepages.de/
# Discovered by: Provensec
# Website: http://www.provensec.com
# Description: 4images is a powerful web-based image gallery management
system. Features include comment system, user registration and mangagement,
password protected administration area with browser-based upload and HTML
templates for page layout and design.
# Proof of concept

1st:click jacking --:

4images was vuln to clickjacking which could be exploited and used to
delete category

http://i.imgur.com/vqfz8Lk.png

clickjacking poc -:

http://prntscr.com/670r9b

2nd:  xss

adding a new category with xss payload leads to persistent xss vuln

http://prntscr.com/670rmi





-- 

Best Regards,
*Ankit Bharathan.*

*Save Energy... Save Nature... Go Green...*
P *Consider the environment. Please don't print this e-mail unless
absolutely necessary.*

Source

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...