```php
if(isset($_POST['config_save'])) {
    if(empty($_POST['site_name']) AND empty($_POST['site_title']) AND empty($_POST['site_url']) AND empty($_POST['site_status']) AND empty($_POST['site_title']) AND empty($_POST['file_allowed']) AND empty($_POST['file_size']))
    {
        notice('error','invalid');
...
 * Query configuration
 */
$qr=$db->update(FDBPrefix."setting",array('value'=>"$_POST[site_name]"),"name='site_name'");
$qr=$db->update(FDBPrefix."setting",array('value'=>"$_POST[title]"),"name='site_title'");
$qr=$db->update(FDBPrefix."setting",array('value'=>"$_POST[url]"),"name='site_url'");
```
Hello, I found some problems with Fiyo CMS and hope this helps you and your work.

In dapur\apps\app_config\sys_config.php, the $_POST[site_name] variable has a stored XSS vulnerability.

'$_POST[site_name]' is not filtered and is written directly to the database.

And then, in dapur\apps\app_config\general.php:

It does not do any filtering and directly outputs 'site_name' to the page.

So when I set 'site_name' to an XSS payload, there is a stored XSS.
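
The unfiltered output described in this report, next to an output-encoded version, as an added example that is not Fiyo CMS code and not part of the original issue. The in-memory SQLite table (requires the pdo_sqlite extension), the function names and the `<input>` markup are assumptions standing in for the CMS's own `$db` wrapper and the template in general.php.

```php
<?php
// Added example, not Fiyo CMS code. The "setting" table with name/value
// rows follows the update() calls quoted in the report; everything else
// (PDO/SQLite store, helper names, markup) is hypothetical.

function e(string $value): string
{
    // Encode for HTML text and quoted-attribute contexts.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function save_setting(PDO $pdo, string $name, string $value): void
{
    // Store the raw value with bound parameters; encoding happens on output.
    $stmt = $pdo->prepare('UPDATE setting SET value = :v WHERE name = :n');
    $stmt->execute([':v' => $value, ':n' => $name]);
}

function load_setting(PDO $pdo, string $name): string
{
    $stmt = $pdo->prepare('SELECT value FROM setting WHERE name = :n');
    $stmt->execute([':n' => $name]);
    return (string) $stmt->fetchColumn();
}

function render_unsafe(string $siteName): string
{
    // Behaviour the report describes: stored value echoed without filtering.
    return '<input name="site_name" value="' . $siteName . '">';
}

function render_safe(string $siteName): string
{
    // Same markup, but the stored value is encoded at the point of output.
    return '<input name="site_name" value="' . e($siteName) . '">';
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE setting (name TEXT PRIMARY KEY, value TEXT)");
$pdo->exec("INSERT INTO setting (name, value) VALUES ('site_name', '')");

// Constructed test input standing in for $_POST['site_name'].
$submitted = 'My Site"><b>injected</b>';
save_setting($pdo, 'site_name', $submitted);
$stored = load_setting($pdo, 'site_name');

echo render_unsafe($stored), PHP_EOL; // stored markup closes the attribute early
echo render_safe($stored), PHP_EOL;   // stored markup stays inside the attribute value
```

Encoding at render time covers every page that prints the setting, including values already stored before the fix.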
