Gazelle – Cross-Site Scripting (XSS) in “multiple_freeleech.php”

[bestshow]

Product: Gazelle Download: https://github.com/WhatCD/Gazelle Vunlerable Version: latest version Tested Version: latest version Author: ADLab of Venustech

Advisory Details: Multiple Cross-Site Scripting (XSS) were discovered in “Gazelle latest version”, which can be exploited to execute arbitrary code. The vulnerabilities exist due to insufficient filtration of user-supplied data in multiple HTTP POST parameters passed to the “Gazelle-master/sections/tools/managers/multiple_freeleech.php” URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website. The exploitation examples below use the "alert()" JavaScript function to see a pop-up messagebox: Poc: (1) Post: torrents=To <a rel="noreferrer nofollow" target="_blank" href="http://localhost/.../Gazelle-master/sections/tools/managers/multiple_freeleech.php">http://localhost/.../Gazelle-master/sections/tools/managers/multiple_freeleech.php</a> (2) Post: size= " /><script>alert(1);</script><input text="type To <a rel="noreferrer nofollow" target="_blank" href="http://localhost/.../Gazelle-master/sections/tools/managers/multiple_freeleech.php">http://localhost/.../Gazelle-master/sections/tools/managers/multiple_freeleech.php</a></p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/scriptzteam"><img src="https://avatars.githubusercontent.com/u/533180?v=4" />scriptzteam</a> commented <strong> 7 years ago</strong> </div> <div class="markdown-body"> <p>:)</p> <p><a href="https://github.com/scriptzteam/Gazelle---Torrent-Tracker-ANTi-XSS">https://github.com/scriptzteam/Gazelle---Torrent-Tracker-ANTi-XSS</a></p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/bestshow"><img src="https://avatars.githubusercontent.com/u/5211744?v=4" />bestshow</a> commented <strong> 7 years ago</strong> </div> <div class="markdown-body"> <p>Thanks. You mean you have developed this tool to solve these issues which I reported ?</p> </div> </div> <div class="page-bar-simple"> </div> <div class="footer"> <ul class="body"> <li>© <script> document.write(new Date().getFullYear()) </script> Githubissues.</li> <li>Githubissues is a development platform for aggregating issues.</li> </ul> </div> <script src="https://cdn.jsdelivr.net/npm/jquery@3.5.1/dist/jquery.min.js"></script> <script src="/githubissues/assets/js.js"></script> <script src="/githubissues/assets/markdown.js"></script> <script src="https://cdn.jsdelivr.net/gh/highlightjs/cdn-release@11.4.0/build/highlight.min.js"></script> <script src="https://cdn.jsdelivr.net/gh/highlightjs/cdn-release@11.4.0/build/languages/go.min.js"></script> <script> hljs.highlightAll(); </script> </body> </html>