GetSimpleCMS 3.3.15 multiple vulnerabilities
Open redirect (arbitrary URL redirection) in function redirect
In function redirect, the caller's $url parameter is sent to the browser as the redirect target without any check:
function redirect($url) {
    global $i18n;
    // handle expired sessions for ajax requests
    if(requestIsAjax() && !cookie_check()){
        header('HTTP/1.1 401 Unauthorized', true, 401);
        header('WWW-Authenticate: FormBased');
        die();
    }
    if (!headers_sent($filename, $linenum)) {
        // normal path: $url goes straight into the Location header
        header('Location: '.$url);
    } else {
        // fallback path: $url is spliced unescaped into inline JavaScript and a meta refresh
        echo "<html><head><title>".i18n_r('REDIRECT')."</title></head><body>";
        if ( !isDebug() ) {
            echo '<script type="text/javascript">';
            echo 'window.location.href="'.$url.'";';
            echo '</script>';
            echo '<noscript>';
            echo '<meta http-equiv="refresh" content="0;url='.$url.'" />';
            echo '</noscript>';
        }
        echo i18n_r('ERROR').": Headers already sent in ".$filename." on line ".$linenum."\n";
        printf(i18n_r('REDIRECT_MSG'), $url);
        echo "</body></html>";
    }
    exit;
}
If the $url parameter is attacker-controlled, the victim can be redirected to any URL.
For example, at line 206 in /admin/changedata.php the parameter $redirect_url is taken from $_POST['redirectto'] without any check,
so setting $redirect_url redirects the user to an arbitrary URL.
Limited reflected XSS in function redirect
In function redirect, if part of the $url parameter is attacker-controlled and headers_sent() returns true, $url is spliced into the inline JavaScript shown above.
A double quote in $url breaks out of the string literal, so arbitrary JavaScript can be executed.
Any call site that passes an attacker-controlled $url therefore allows reflected XSS in this branch.
Again, at line 206 in /admin/changedata.php the parameter $redirect_url is taken from $_POST['redirectto'] without any check.
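As an added example (not GetSimpleCMS code), this is how a defender would fix both issues above: restrict redirect targets to the site's own host or a same-site path, and escape $url separately for the JavaScript and HTML attribute contexts in the headers-already-sent branch. The function names safe_redirect and is_local_redirect_target and the $own_host parameter are assumptions for this example.

```php
<?php
// Added example, not GetSimpleCMS code. $own_host is the site's configured
// host name (e.g. from the site URL setting), not taken from the Host header.

function is_local_redirect_target($url, $own_host) {
    // Reject non-strings, empty values and control characters (CR/LF etc.).
    if (!is_string($url) || $url === '' || preg_match('/[\x00-\x1f\x7f]/', $url)) {
        return false;
    }
    // Relative path: must start with exactly one "/". "//host" and "/\host"
    // are scheme-relative to browsers and would leave the site.
    if ($url[0] === '/') {
        return !preg_match('#^/[/\\\\]#', $url);
    }
    // Absolute URL: only http(s) and only this site's own host.
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return false;
    }
    return in_array(strtolower($parts['scheme']), ['http', 'https'], true)
        && strtolower($parts['host']) === strtolower($own_host);
}

function safe_redirect($url, $own_host, $fallback = '/') {
    if (!is_local_redirect_target($url, $own_host)) {
        $url = $fallback; // discard the untrusted target instead of following it
    }
    if (!headers_sent($filename, $linenum)) {
        header('Location: ' . $url);
    } else {
        // Context-specific escaping: JSON encoding for the script body, HTML
        // escaping for the attribute, so a '"' in $url cannot break out.
        $js_url   = json_encode($url, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
        $html_url = htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        echo '<html><head><title>Redirect</title></head><body>';
        echo '<script>window.location.href=' . $js_url . ';</script>';
        echo '<noscript><meta http-equiv="refresh" content="0;url=' . $html_url . '" /></noscript>';
        echo 'Headers already sent in ' . htmlspecialchars($filename, ENT_QUOTES, 'UTF-8')
            . ' on line ' . (int) $linenum;
        echo '</body></html>';
    }
    exit;
}
```

With this check, "https://evil.example/" and "//evil.example" fall back to "/", while "/admin/pages.php" and "https://<own host>/admin/" are followed.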
Reflected XSS in /admin/settings.php
In /admin/settings.php, where the website settings of GetSimpleCMS are configured, the parameter $TIMEZONE is set from $_POST without any filter and is reflected into the page.
A double quote in the value breaks out of the attribute, so arbitrary JavaScript can be executed.
Reflected XSS in /admin/setup.php
In /admin/setup.php the user enters sitename, username and email to set up the website. If any error occurs during installation, these three parameters are echoed back into the page without any filter.
A double quote in any of them breaks out of the attribute, so arbitrary JavaScript can be executed.