Description:
Found an authenticated Stored Cross-Site Scripting (XSS) vulnerability in pluck 4.7.15.
Affected Endpoint:
http://192.168.0.211/admin.php?action=files
Evidence:
Log in to the admin account. Use the following URL (http://192.168.0.211/admin.php?action=files) or navigate to pages -> manage files.
Upload an HTML file that contains a normal XSS payload.
Intercept the request with Burp Suite.
Modify the Content-Type to application/x-php and forward the request.
File uploaded successfully.
View the sample.html file with the lens icon next to the filename, or open the uploaded file directly, since it is stored at (http://192.168.0.211/file/sample.html).
Observed that our XSS payload is executed successfully.
Admin credentials are required to upload this file. Once the file is uploaded, it can be accessed even without logging in.
Recommendation:
- Validate uploaded files server-side, in the same way page content is validated by sanitizePageContent, instead of trusting the client-supplied Content-Type header.
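As an added illustration of that recommendation (this is example code, not pluck's own upload handler), the check below validates an upload by its extension whitelist and by sniffing the real MIME type of the bytes on disk. The browser-supplied Content-Type from $_FILES is deliberately ignored, because that is the value the report shows being rewritten in Burp Suite. The function name validateUpload, the whitelists and the assumed upload handler wiring are all hypothetical; it assumes PHP 7+ with the fileinfo extension enabled.

```php
<?php
// Added example, not pluck's code: server-side validation for an admin file upload.
// Assumes PHP 7+ with the fileinfo extension; names and whitelists are hypothetical.

const ALLOWED_EXTENSIONS = ['pdf', 'txt', 'zip', 'png', 'jpg', 'jpeg', 'gif'];
const ALLOWED_MIME_TYPES = [
    'pdf'  => ['application/pdf'],
    'txt'  => ['text/plain'],
    'zip'  => ['application/zip'],
    'png'  => ['image/png'],
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'gif'  => ['image/gif'],
];

/**
 * Validate an uploaded file. Returns null when the file is acceptable,
 * otherwise a string describing why it was rejected.
 *
 * $clientName is the browser-supplied name ($_FILES['file']['name']).
 * $tmpPath    is the server-side temporary path ($_FILES['file']['tmp_name']).
 * $_FILES['file']['type'] is never consulted: it is attacker-controlled.
 */
function validateUpload(string $clientName, string $tmpPath): ?string
{
    // 1. Reject path components and double extensions (e.g. "x.html.png").
    $base = basename($clientName);
    if ($base === '' || $base !== $clientName) {
        return 'invalid file name';
    }
    $parts = explode('.', $base);
    if (count($parts) !== 2 || $parts[0] === '') {
        return 'file name must be name.ext with a single extension';
    }
    $ext = strtolower($parts[1]);
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return "extension '$ext' is not allowed";
    }

    // 2. Sniff the real MIME type from the file bytes, not from the request header.
    $finfo    = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->file($tmpPath);
    if ($detected === false || !in_array($detected, ALLOWED_MIME_TYPES[$ext], true)) {
        return "content type '$detected' does not match extension '$ext'";
    }

    // 3. Belt and braces: refuse anything that looks like markup or PHP even
    //    when finfo reports it as text/plain (a .txt file starting with a tag).
    $head = strtolower((string) file_get_contents($tmpPath, false, null, 0, 1024));
    if (preg_match('/<\s*(script|html|\?php|iframe|svg|img|body)\b/', $head)) {
        return 'file content contains active markup';
    }

    return null;
}

// Hypothetical wiring inside the admin upload handler:
// $error = validateUpload($_FILES['file']['name'], $_FILES['file']['tmp_name']);
// if ($error !== null) {
//     http_response_code(400);
//     exit('Upload rejected: ' . htmlspecialchars($error));
// }
// move_uploaded_file($_FILES['file']['tmp_name'],
//                    __DIR__ . '/files/' . basename($_FILES['file']['name']));
```

Two points worth noting. First, rejecting by extension alone would not have stopped this report's file if the server mapped unknown types by sniffing, which is why step 2 checks the bytes against the extension rather than either one in isolation. Second, because uploaded files are reachable without a session (as the report observes), the /file/ directory should also be served with X-Content-Type-Options: nosniff and, for anything that is not an image, Content-Disposition: attachment, so that even a permitted text file is downloaded rather than rendered in the admin's origin.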