Multiple Stored XSS
Payload = <script>alert('AppleBois');</script>
/webtareas/clients/editclient.php || Name, City, Country, Phone, Fax
/webtareas/extensions/addextension.php? || Title || Trigger : /Tareas/webtareas/extensions/viewextension.php?id=1&borne1=0
/webtareas/administration/add_announcement.php? || Subject || Trigger: /webtareas/general/newnotifications.php
/webtareas/administration/departments.php?mode=add || Name printed || Trigger: /webtareas/administration/departments.php
/webtareas/administration/locations.php?mode=add || Name printed || Trigger: /webtareas/administration/locations.php?mode=list&msg=add#locAnchor
/webtareas/expenses/claim_type.php?mode=add#eExAnchor || Name printed || Trigger: /webtareas/expenses/editexpense.php?recurring=&project=0
/webtareas/projects/editproject.php || Name || /webtareas/projects/viewproject.php?id={depend on the id of project}&msg=add#epDAnchor
/webtareas/general/newnotifications.php || Will trigger if <script>alert('AppleBois');</script> is displayed on Recent Visited Pages
Directory Listing || Uploaded content disclosed
/webtareas/files/Default/
File Upload to Remote Shell Execution --> https://medium.com/@tehwinsam/webtareas-2-1-c8b406c68c2a
Patch released: webTareas v2.1 p1
Problem not solved.
[Uploaded File Disclosure]
An unauthenticated user can view the content of /webtareas/files/Default/
[File Upload to execute Calculator.exe]
Client is allowed to upload a malicious file with the .shtml extension,
which can pop a calculator or cmd.exe, and more, including PowerShell.exe.
After the upload, an unauthenticated user can browse to the URL I mentioned,
http://IP/webtareas/files/Default/a--4.v1.0.shtml, to pop a calculator.
[Suggestion to fix]
Verify SESSION before viewing --> /webtareas/files/Default/
Uploading any files is no problem, as long as /webtareas/files/Default/ does not execute server-side scripts, meaning the files that we click will be downloaded and not executed.
Another solution that might be easy to implement: the uploaded content can be stored outside the web root directory.
If you want a Mandarin version (华语), I can translate.
Last edit: AppleBois 2020-06-24
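
One way to combine the three suggestions above (session check, download instead of execution, storage outside the web root), as an added example that is not part of the original post and not webTareas code. The script name `download.php`, the `UPLOAD_DIR` path, the `file` parameter and the `$_SESSION['user_id']` key are assumptions.

```php
<?php
declare(strict_types=1);
// download.php: hypothetical gateway script (added example, not webTareas code).

// Assumption: uploads are stored outside the document root, so the web
// server never maps a URL onto them and never runs its handlers on them.
const UPLOAD_DIR = '/path/outside/webroot/uploads'; // placeholder path

session_start();

// Assumption: the application's login code sets $_SESSION['user_id'].
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Login required');
}

// basename() drops any directory part, so "../" cannot leave UPLOAD_DIR.
$name = basename((string) ($_GET['file'] ?? ''));
$base = realpath(UPLOAD_DIR);
$path = realpath(UPLOAD_DIR . DIRECTORY_SEPARATOR . $name);

// realpath() resolves symlinks; confirm the result is still inside UPLOAD_DIR.
if ($name === '' || $base === false || $path === false
    || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0
    || !is_file($path)) {
    http_response_code(404);
    exit('Not found');
}

// Send the stored bytes as an attachment: the browser saves the file
// instead of rendering it, whatever extension it was uploaded with.
header('Content-Type: application/octet-stream');
header("Content-Disposition: attachment; filename*=UTF-8''" . rawurlencode($name));
header('X-Content-Type-Options: nosniff');
header('Content-Length: ' . (string) filesize($path));
readfile($path);
```

Because the files are read by the script and not mapped to a URL, there is also no directory for the web server to list.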
webTareas v2.1 p3 released