Stored XSS – my little forum

my little forum

The platform ‘my little forum’ is a web forum based on PHP and MySQL that displays messages in a threaded view.
Version Affected: 2.4.12
Vulnerability: Stored Cross Site Scripting

Description: Cross site scripting (XSS) is a common attack vector that injects malicious code into a vulnerable web application. Depending on the severity of the attack, user accounts may be compromised, Trojan horse programs activated and page content modified, misleading users into willingly surrendering their private data. Finally, session cookies could be revealed, enabling a perpetrator to impersonate valid users and abuse their private accounts.
An administrator of the forum can inject an XSS payload into the Title field and the Menu Link field (where HTML content is not permitted) while adding a page to the forum.

Payload Used: <script>alert("XSS1");</script>

Steps to reproduce:

  1. Launch the application.
  2. On the index page, log in using the credentials created at registration; here we logged in as admin/admin.
  3. After logging in, while navigating through the site, the link to the Admin page seemed interesting.
  4. On the Admin page we see many functions: Forum settings, User administration, Pages, etc. Note that the version of the forum software shown in the screenshot below is 2.4.12.
  5. Pages seemed a good option for targeting my little forum with cross site scripting, so we went forward with it. On the Pages page, we see an option to Add page.
  6. Choosing the Add page option brings up a form for creating a post in the forum. The fields where a user can input text are: i) the Title field, ii) the Content field, iii) the Menu Link field.
  7. The Content field explicitly states that HTML tags can be used for formatting. We therefore tried the XSS payload in the other two fields, the Title field and the Menu Link field, where HTML content is not allowed.
  8. We used the basic XSS payloads <script>alert("XSS 1");</script> and <script>alert("XSS 2");</script> in the respective fields.
  9. Upon clicking the 'OK-Save page' button, an alert box containing the text pops up for both payloads.


When any user visits the forum home page, the stored XSS payload executes in that user's browser, as shown below.
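The render-side fix for the two fields where HTML is not permitted, as an added example that is not my little forum's own code: output-encode the stored Title and Menu Link values, using the write-up's payloads as the stored record. The page URL pattern, array keys and function names are assumptions.

```php
<?php
// Added example, not my little forum's own code: output-encode the stored
// Title and Menu Link values (fields where HTML is not permitted) at render
// time. The stored record below is constructed from the write-up's payloads.

/** Encode a plain-text field for HTML body and attribute context. */
function encode_text(string $value): string
{
    // ENT_QUOTES encodes both quote styles so the value stays inert inside
    // attributes; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ''.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Render the page heading from the Title field. */
function render_title(array $page): string
{
    return '<h1>' . encode_text($page['title']) . '</h1>';
}

/** Render the menu entry from the Menu Link field (URL pattern is hypothetical). */
function render_menu_entry(array $page): string
{
    $href = 'page.php?id=' . (int) $page['id'];   // int cast: the id can never carry markup
    return '<a href="' . encode_text($href) . '">' . encode_text($page['menu_link']) . '</a>';
}

/** True when the fragment carries no raw <script tag, the marker in the write-up's payloads. */
function is_inert(string $html): bool
{
    return stripos($html, '<script') === false;
}

// Constructed record: what the database holds after the steps above.
$storedPage = [
    'id'        => 7,
    'title'     => '<script>alert("XSS 1");</script>',
    'menu_link' => '<script>alert("XSS 2");</script>',
];

$safeTitle   = render_title($storedPage);
$safeMenu    = render_menu_entry($storedPage);
$unsafeTitle = '<h1>' . $storedPage['title'] . '</h1>';   // the vulnerable pattern: raw echo

printf("encoded title inert: %s\n", is_inert($safeTitle) ? 'yes' : 'no');
printf("encoded menu inert:  %s\n", is_inert($safeMenu) ? 'yes' : 'no');
printf("raw echo inert:      %s\n", is_inert($unsafeTitle) ? 'yes' : 'no');
echo $safeTitle, PHP_EOL, $safeMenu, PHP_EOL;
// The Content field, where HTML is allowed by design, needs an allow-list
// sanitizer instead; encoding it this way would strip the intended formatting.
```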
