Hi guys, wonderful work on the CMS! I found a security issue with the website's name in the admin settings:
Stored cross-site scripting (XSS) vulnerability in the "Website's name" field found in the "Settings" page under the "General" menu in WityCMS 0.6.1 allows remote attackers to inject arbitrary web script or HTML via a crafted website name by doing an authenticated POST HTTP request to WityCMS/admin/settings/general.
This vulnerability is specifically in the "Website's name" field. I noticed that it does strip off the tags <script> and </script>; however, it isn't recursive. By entering this payload:
<scri<script>pt>alert(1)</scri</script>pt>
JavaScript gets executed. Here's an output of the mentioned payload when entered and saved.
The payload gets saved in the file /system/config/config.php as raw JavaScript code:
When an unauthenticated user visits the page, the code gets executed:
If the data is not sanitized upon input, these components are going to return arbitrary web script or HTML that can be rendered by the browser because it retrieves the script; hence, the possible "Affected Components" are as follows:
- Potentially all scripts using: /apps/user/front/lang/en.xml
- Potentially all scripts using: /apps/user/front/lang/fr.xml
- /apps/settings/admin/templates/general.html
- /apps/user/front/main.php
- /cache/templates/apps-settings-admin-templates-general.php
There may be more, but I believe this can be fixed by recursively stripping out the tags <script> and </script>.
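To show why a single-pass tag filter is bypassed by the nested payload above, and what the two candidate fixes look like, here is an added Python example (not WityCMS code; the function names are mine, and the regex filter is a stand-in for whatever the CMS actually does):

```python
import html
import re

# Constructed input: the payload from the report. Removing the inner
# <script></script> once leaves the outer fragments to join into a real tag.
NESTED_PAYLOAD = "<scri<script>pt>alert(1)</scri</script>pt>"

# Stand-in for the CMS filter: a blacklist of <script> and </script> tags.
_SCRIPT_TAG = re.compile(r"</?script>", re.IGNORECASE)


def strip_script_once(value: str) -> str:
    """Single-pass removal, the behaviour the report describes.
    The nested payload collapses into <script>alert(1)</script>."""
    return _SCRIPT_TAG.sub("", value)


def strip_script_fixpoint(value: str, max_rounds: int = 20) -> str:
    """The fix the report suggests: re-apply the strip until nothing changes.
    Still a blacklist, so it does nothing for other vectors (event handlers,
    other tag names); it only closes the specific bypass shown here."""
    for _ in range(max_rounds):
        stripped = _SCRIPT_TAG.sub("", value)
        if stripped == value:
            return value
        value = stripped
    raise ValueError("sanitizer did not converge")


def render_site_name(name: str) -> str:
    """The more robust fix: encode on output so the stored name is always
    rendered as text, whatever was saved in config.php."""
    return html.escape(name, quote=True)


def contains_script_tag(fragment: str) -> bool:
    """Check used to compare the three approaches on the same input."""
    return _SCRIPT_TAG.search(fragment) is not None


if __name__ == "__main__":
    print("once     :", strip_script_once(NESTED_PAYLOAD))
    print("fixpoint :", strip_script_fixpoint(NESTED_PAYLOAD))
    print("escaped  :", render_site_name(NESTED_PAYLOAD))
```

Running it shows the single-pass output still contains an executable tag, while both the fixpoint strip and output encoding do not.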
Just to follow up. I can confirm that this commit fixes the problem: 7967e5b. However, the problem still exists in the latest release 0.6.1, so I guess it's now best to push the 0.6.2 update? Thanks a lot!