###########################

# Eleanor 1.0 Cms Stored Cross Site Scripting Vulnerability

###########################

...
==========================
- Discovered By : 0x3a
- http://iran-cyber.net
- 0x3a.taha[at]gmail.com
- Credit To Iran Cyber Security Group

- Release Date : 10.8.2016
- Level : High
==========================
I.Vulnerability
---------------
Eleanor CMS <= 1.0 : Stored Cross Site Scripting

II.BackGround
-------------
Eleanor is a CMS (content management system) used to build websites.

eleanor-cms.ru
eleanor-cms.ir

A Google search for "intext:Powered+by+Eleanor+CMS" returned about 300.000 websites powered by Eleanor CMS.

III.DESCRIPTION
----------------
Eleanor has a security problem that can be exploited by an XSS attack.
The vulnerability is located in /ELEANOR/modules/account/ajax/index.php.
It allows an attacker to inject malicious code into the website.


The vulnerable code can be found in the /ELEANOR/modules/account/ajax/index.php source file:

[Line 69] $descr=isset($_REQUEST['descr']) ? Strings::CutStr(trim($_REQUEST['descr']),497) : '';

The value is taken from $_REQUEST without any filtering or output encoding, which causes the stored XSS vulnerability.
It can be used for a cookie hijacking attack if an administrator views the attacker's profile.

IV.PROOF OF CONCEPT EXPLOIT
---------------------------
1. Register on a site hosted by Eleanor CMS.
2. Add an address (bookmark) in your profile.
3. Send the malicious code in the description field.

POST Parameters :
event=add_bookmark&title=0x3a&descr=<marquee><font size=8 color=red face="arial black">0x3a [Iran-Cyber.Net]</font></marquee>&href=iran-cyber.net&imp=1&value=&bmodule=0&module=account

The payload is carried in the following parameter :
[ descr ]

Pic Test : goo.gl/CTr71D

V.SYSTEM AFFECTED
-----------------
All versions of Eleanor CMS are affected.

VI.SOLUTION
-----------
You can use an encoding function such as htmlspecialchars(), addslashes() or htmlentities() to patch this
vulnerability.
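The following is an added example, not code from Eleanor CMS or from the advisory author. It reproduces the line-69 pattern from section III with a constructed request array in place of the live $_REQUEST superglobal and a stand-in cutStr() function assumed to behave like Eleanor's Strings::CutStr(), then shows the output-encoding fix from section VI beside it. It also shows why addslashes() is not a fix for this bug: it escapes quotes and backslashes for string contexts but leaves <, > and & untouched, so injected markup still renders.

```php
<?php
// Added example (not Eleanor CMS code): the vulnerable sink from the advisory
// next to its hardened form. The request is simulated with a constructed array
// instead of the live $_REQUEST superglobal.

// Constructed sample request, modelled on the advisory's PoC parameters.
$request = [
    'event' => 'add_bookmark',
    'title' => '0x3a',
    'descr' => '<marquee><font size=8 color=red face="arial black">0x3a</font></marquee>',
];

// Stand-in for Eleanor's Strings::CutStr(); assumed here to be a plain
// multibyte-safe length cut (the real implementation is not on the page).
function cutStr(string $s, int $max): string
{
    return mb_substr($s, 0, $max);
}

// Vulnerable pattern: the untrusted value is stored and later echoed as-is,
// so any HTML the user supplied becomes part of the page.
function renderDescrVulnerable(array $req): string
{
    $descr = isset($req['descr']) ? cutStr(trim($req['descr']), 497) : '';
    return '<p class="descr">' . $descr . '</p>';
}

// addslashes() is a quoting helper for string literals, not an HTML encoder:
// it leaves '<', '>' and '&' untouched, so the injected tags still render.
function renderDescrAddslashes(array $req): string
{
    $descr = isset($req['descr']) ? cutStr(trim($req['descr']), 497) : '';
    return '<p class="descr">' . addslashes($descr) . '</p>';
}

// Hardened pattern: encode for the HTML context at the point of output.
// ENT_QUOTES also encodes ' and ", so the value is safe inside attributes;
// ENT_SUBSTITUTE replaces invalid byte sequences instead of returning '';
// passing the charset explicitly avoids multibyte encoding mismatches.
function renderDescrSafe(array $req): string
{
    $descr = isset($req['descr']) ? cutStr(trim($req['descr']), 497) : '';
    return '<p class="descr">'
        . htmlspecialchars($descr, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '</p>';
}

// Self-check: does the rendered HTML still contain the user-supplied tag as
// raw markup? Only the hardened version should answer false.
function containsRawTag(string $html, string $tag): bool
{
    return strpos($html, '<' . $tag) !== false;
}

var_dump(containsRawTag(renderDescrVulnerable($request), 'marquee'));
var_dump(containsRawTag(renderDescrAddslashes($request), 'marquee'));
var_dump(containsRawTag(renderDescrSafe($request), 'marquee'));
echo renderDescrSafe($request), PHP_EOL;
```

The encoding belongs at the point where $descr is written into HTML, not only at the point where it is read from the request: the stored value may be rendered in more than one template, and encoding on output is what guarantees each of them is covered. If the description is ever placed inside a JavaScript string or a URL instead of HTML text, that context needs its own encoder.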

----
0x3a

###########################

# Iranian Exploit DataBase = http://IeDb.Ir [2017-01-10]

###########################