...don't worry. Most of them are located in the admin part of the webapp, but there is one more little bug that can be used during your pentest.
So you (as an admin) can create a 'new user'. Go to Dashboard->Users & Groups to do that:
Thing is, when you create that 'newuser' ("no Admin" of course) there will be an error message:
So ok. The user is created; I tried to use the new account and switched to 'tester2':
"Access denied." Great, but as you can see there is a link to 'Tools' as well, where we can find Email templates:
On that link we will find a nice form, unfortunately vulnerable to XSS:
Let's try:
Click 'Add' to see something like:
Let's try to add something else:
:]
To make it more 'persistent' we need to add more content to the fields available in our 'email template':
And we should see:
Now when you switch again to the admin account, go to Tools->Email templates, and see the code added by a user 'without any permissions' set ("access denied") - even if he/she can log in, the admin is still exposed to XSS attacks:
Case for you - use Burp (ex: 'Battering Attack') to check if there is a possibility of injecting some other tags than 'marquee' ... ;)
Anyway...
A few other vulnerable places (this time only in the admin panel) are described below:
# Max number of lines for widgets:
To grab the name of the param I used the Developer Tools available in Firefox:
Now we can try to find that param name in the source:
Let's read ./admin/boxes.php to check the lines mentioned by grep:
Ok, I see some potential here ;) We will use that "pattern" later:
dolibarr_set_const($db, "MAIN...", $_POST["MAIN..."],'',0,'',$conf->entity);
Let's go directly to the line 51:
And here we are - line 471:
It's just an example... "Reason" I think so ;)
I decided to save the output to /tmp/set_const.txt to read it later. Trying the very first file - limits.php
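A small audit helper, added here and not part of the post or of Dolibarr, that does the same job as the grep step but also tells a raw `$_POST`/`$_REQUEST` value apart from one that went through a check or cast, following the taint through a simple variable assignment. The PHP sample and the constant names are constructed for the example; treating GETPOST() and dol_escape_htmltag() as sanitizing wrappers is an assumption.

```python
import re

# Constructed PHP lines modelled on the admin-page pattern quoted in the post
# (not copied from Dolibarr). Lines 1 and 3 pass request data straight to the
# constant, line 2 goes through GETPOST with a check type, lines 4-5 pass it
# through a variable.
SAMPLE_PHP = """\
dolibarr_set_const($db, "MAIN_BOXES_MAXLINES", $_POST["MAIN_BOXES_MAXLINES"],'',0,'',$conf->entity);
dolibarr_set_const($db, "MAIN_LABEL", GETPOST('MAIN_LABEL', 'alpha'), 'chaine', 0, '', $conf->entity);
dolibarr_set_const($db, "MAIN_OTHER", $_REQUEST['MAIN_OTHER'], 'chaine', 0, '', $conf->entity);
$note = $_POST['MAIN_NOTE'];
dolibarr_set_const($db, "MAIN_NOTE", $note, 'chaine', 0, '', $conf->entity);
"""

SUPERGLOBAL = re.compile(r'\$_(?:POST|GET|REQUEST|COOKIE)\s*\[')
ASSIGN = re.compile(r'^\s*(\$\w+)\s*=\s*(.+);\s*$')
SET_CONST = re.compile(r'dolibarr_set_const\s*\((.*)\)\s*;')
# Wrappers/casts this example treats as sanitizing (an assumed allowlist;
# tune it for a real audit).
SANITIZED = re.compile(r'\(int\)|\(float\)|intval\(|GETPOST\(|htmlentities\(|dol_escape_htmltag\(')

def is_raw(expr, tainted):
    """True if expr is unsanitized request data, directly or via a tainted variable."""
    if SANITIZED.search(expr):
        return False
    return bool(SUPERGLOBAL.search(expr)) or expr.strip() in tainted

def find_unsanitized_set_const(php_src):
    """Return (line_no, constant_name, value_expr) for calls fed raw request data."""
    findings, tainted = [], set()
    for no, line in enumerate(php_src.splitlines(), 1):
        m = ASSIGN.match(line)
        if m:
            var, rhs = m.groups()
            tainted.discard(var)  # a reassignment replaces the earlier taint state
            if is_raw(rhs, tainted):
                tainted.add(var)
            continue
        m = SET_CONST.search(line)
        if m:
            # split on top-level commas only (one nesting level is enough here)
            args = [a.strip() for a in re.split(r',(?![^()]*\))', m.group(1))]
            if len(args) >= 3 and is_raw(args[2], tainted):
                findings.append((no, args[1].strip('\'"'), args[2]))
    return findings

if __name__ == "__main__":
    for no, name, expr in find_unsanitized_set_const(SAMPLE_PHP):
        print(f"line {no}: {name} <- {expr}")
```

Run it over a whole admin/ directory instead of SAMPLE_PHP to get the list the post saved to /tmp/set_const.txt, minus the calls that already go through a check.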
Checking:
Ok, let's 'modify' some values (go to the 'Limits' section and click 'Modify'):
Using the same (marquee) payload we tried before... Checking:
Maybe later I'll find something else.
Cheers