[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

EQDKP plus Cross Site Scripting and Bypass file extension



Hello!

I have found a vulnerability in the EQDKP Plus.
More precisely in the plugin mediacenter.

Because of incorrectly checks the file extension
it is possible to upload the "htm" file and execute
XSS attack.

But with some restrictions. The plugin checks the contents for tags:

[code=plugins/mediacenter/include/mediacenter.class.php:421]
function check_content($fieldname){
		
$disallowed = "body|head|html|img|plaintext|a href|pre|script|table|title|php";
$disallowed_content = explode('|', $disallowed);
if (empty($disallowed_content))
	{
		return false;
}
[/code]

To get around this, you can use the Next design:
[code]
<iframe src="http://yandex.ru"; style="display: none" onload="alert('XSS')">
</iframe>
[/code]

After downloading the file to the server, you can find the file on request:
http://site.com/dkp/plugins/mediacenter/index.php?mode=ajax&id = [ID].
[ID] - simple exhaustive search.

Example:
http://www.eqdkp-plus.com/demo06/data/d2c0752ce264405a0555a3825c2494f2/mediacenter/thumbs_b/ee5bb2c59c237307d61bcb0bae1e08f2.htm

Vulnerable versions: <=0.6.4.5

P.S.
 Sorry for my bad english. :)

 Best Regards,
 iPower.