Bài liên quan
####################### Exploit Title: Persistent ZeroCMS Cross-Site Scripting Vulnerability# Vendor Homepage: http://www.aas9.in/zerocms/# Software Link: https://github.com/pcx1256/zerocms/archive/master.zip# Version: 1.0?# Date: 2014-07-25# Tested on: Windows 7 / Mozilla Firefox Ubuntu 14.04 / Mozilla Firefox# CVE: CVE-2014-4710####################### Vulnerability Disclosure Timeline:2014-06-15: Discovered vulnerability2014-06-23: Vendor Notification (Support e-mail address)2014-07-25: Public Disclosure# DescriptionZeroCMS is a very simple Content Management System Built using PHP andMySQL.The application does not validate any input to the "Full Name", "EmailAddress", "Password" or "Confirm Password" functionality. It saves thisunsanitized input in the backend databased and executes it when visitingthe subsequent or any logged-in pages.####################### Steps to reproduce the vulnerability1) Visit the "Create Account" page (eg.http://localhost/zerocms/zero_transact_user.php)2) Enter your favourite XSS payload and click on "Create Account"3) Enjoy!More information:https://community.qualys.com/blogs/securitylabs/2014/07/24/yet-another-zerocms-cross-site-scripting-vulnerability-cve-2014-4710#####################Thanks,Mayuresh.
Post a Comment