esoTalk 1.0.0g4: XSS
Date: 2015-12-21 10:26:51

1. Introduction
Affected Product: esoTalk 1.0.0g4
Fixed in: not fixed
Fixed Version Link: n/a
Vendor Contact: toby@esotalk.org
Vulnerability Type: XSS
Remote Exploitable: Yes
Reported to vendor: 11/17/2015
Disclosed to public: 12/21/2015
Release mode: Full Disclosure
CVE: n/a
Credits: Tim Coen of curesec GmbH
2. Overview
CVSS
Medium 4.3 (CVSS v2 base vector AV:N/AC:M/Au:N/C:N/I:P/A:N)
Description
esoTalk is a lightweight forum software written in PHP. In version 1.0.0g4, and possibly in prior versions, the search page is vulnerable to reflected XSS: the requested URL is echoed into the HTML response in multiple places without being encoded, so attacker-controlled characters in the URL break out of the surrounding attribute or element and are interpreted as markup.
Successful exploitation may lead to the injection of JavaScript keyloggers, the theft of session cookies, or the bypassing of CSRF protection. As with any reflected XSS, the victim has to be lured into opening an attacker-supplied link.
3. Proof of Concept
http://localhost/esoTalk-1.0.0g4/conversations/a'"><img src=no onerror=alert(1)>?search=test

The payload sits in the path component, not in the search parameter: the leading `'">` closes whichever quoted attribute and tag the URL is echoed into, and the injected `<img>` element fires its onerror handler because the image source cannot be loaded. Opening the link in a browser pops the alert, which confirms that the URL reaches the page unencoded.
4. Solution
This issue was not fixed by the vendor. Until a fix is available, the request URL (and any other request-derived data) must be HTML-encoded at the point where it is echoed, e.g. with htmlspecialchars() and ENT_QUOTES, so that single and double quotes are neutralized in attribute context as well as angle brackets in text context.
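As an added illustration, not code from esoTalk or from the advisory: the following self-contained PHP script reproduces the bug class described above (the request URL dropped unencoded into both an attribute and a text node) next to the hardened rendering that encodes it once for HTML. The function names, the markup, and the sample URL are assumptions made for this example; only the payload is taken from the proof of concept.

```php
<?php
// Added example (not esoTalk code): a minimal page that reproduces the
// reflected-URL pattern from the advisory, side by side with the hardened
// version. Function names and markup are hypothetical; only the
// unencoded-echo bug class is taken from the advisory.

// Constructed sample input: what the application would hold after URL-decoding
// the request path of the proof-of-concept link.
const SAMPLE_URL = "/esoTalk-1.0.0g4/conversations/a'\"><img src=no onerror=alert(1)>?search=test";

// Vulnerable: the URL is interpolated raw into a single-quoted attribute, a
// double-quoted attribute and element text. The payload's leading '"> closes
// either attribute and the tag, and the <img> lands as live markup.
function render_vulnerable(string $url): string
{
    return "<form action='$url'>\n"
         . "<a href=\"$url\">$url</a>\n"
         . "</form>\n";
}

// Hardened: one HTML-encoding step at output time. ENT_QUOTES escapes both
// quote styles (attribute context); < and > are always escaped (text context);
// ENT_SUBSTITUTE keeps invalid UTF-8 from silently emptying the output.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_fixed(string $url): string
{
    $safe = h($url);
    return "<form action='$safe'>\n"
         . "<a href=\"$safe\">$safe</a>\n"
         . "</form>\n";
}

// Crude check used only by this example: does the raw <img ... onerror ...>
// tag from the payload survive into the generated HTML?
function payload_survives(string $html): bool
{
    return strpos($html, '<img src=no onerror=alert(1)>') !== false;
}

$vuln  = render_vulnerable(SAMPLE_URL);
$fixed = render_fixed(SAMPLE_URL);

echo "--- vulnerable output ---\n", $vuln;
echo "payload survives: ", payload_survives($vuln) ? "yes" : "no", "\n\n";
echo "--- hardened output ---\n", $fixed;
echo "payload survives: ", payload_survives($fixed) ? "yes" : "no", "\n";
```

Run it with `php example.php`: the vulnerable branch prints the injected `<img>` verbatim (three times, once per reflection point), the hardened branch prints `&lt;img ...&gt;` with the quotes encoded as `&quot;` and `&#039;`, so nothing breaks out of the attribute or text it was placed in. The encoding has to happen at every output location and match that location's context; a value that later ends up inside a JavaScript block or a URL query would need JavaScript or URL encoding instead of, not in addition to, the HTML encoding shown here.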
5. Report Timeline
11/17/2015: Informed vendor about issue (no reply)
12/10/2015: Reminded vendor of disclosure date (no reply)
12/21/2015: Disclosed to public