XSS(Stored) in MineWebCMS_v1.7.0 #123

Closed
Ryan0lb opened this issue Mar 18, 2019 · 5 comments


Ryan0lb commented Mar 18, 2019

Affected software: MineWebCMS_v1.7.0
Type of vulnerability: XSS (Stored)
Discovered by: Ryan0lb

Details:
Open the URL "http://127.0.0.1/admin/" and log in,
then click "Customization" and view the News.
We can add a new article.
We can control the "title" parameter, and we can insert the payload "<script>alert("test")</script>" in the title.
Finally, submit!
The malicious JavaScript payload executed successfully.
Then open the article's URL, "http://127.0.0.1/blog/1-php"; the malicious JavaScript payload executed successfully there too.
Without any filtering when publishing the article, we can easily trigger a malicious XSS payload and maliciously attack every visitor.

Member

Eywek commented Mar 18, 2019

Hello,
Thanks for the report. But this is deliberate behavior. Users should be able to use HTML tags in news (and pages...). Also, I don't think this is a critical vulnerability. Indeed, the administrator can already access users' accounts via the admin dashboard, or he can upload whatever he wants to his website.

Author

Ryan0lb commented Mar 18, 2019

Hi, friend,
As a penetration tester: maybe we can get the admin account in some way. For example, we can use a weak password to get administrative privileges from someone who uses our CMS,
then execute malicious code via XSS, to carry out phishing attacks and to obtain private information from other viewers.
Thanks for your reply!
Many thanks!

Member

Eywek commented Mar 18, 2019

And what information can you get that you don't already have via the admin account?

Author

Ryan0lb commented Mar 18, 2019

Hi,
Attackers can implant a malicious mining script, mining on the viewer's machine for as long as he does not close the browser.
Many thanks!

@Cristian-Bejan

Are these security vulnerabilities fixed?
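
One way to reconcile the report with the maintainer's reply, as an added example that is not MineWebCMS code and not part of the thread: encode the news title as plain text on output, and pass the body through a tag allowlist so HTML formatting still works. It is written in Python for illustration; the function names and the allowlist are assumptions.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hypothetical allowlist (an assumption, not taken from MineWebCMS).
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "a"}
DROP_WITH_CONTENT = {"script", "style"}
SAMPLE_TITLE = '<script>alert("test")</script>'  # payload quoted in the report

def encode_title(title):
    # Titles are plain text: HTML-encode them at output time.
    return html.escape(title, quote=True)

def safe_href(value):
    # Keep only absolute http(s) links; javascript: and malformed URLs are dropped.
    try:
        ok = bool(value) and urlsplit(value.strip()).scheme in ("http", "https")
    except ValueError:
        ok = False
    return value.strip() if ok else None

class BodySanitizer(HTMLParser):
    # Re-emits allowlisted tags without their attributes; escapes all text.
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0  # skip > 0 while inside <script>/<style>
    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
        elif tag in ALLOWED_TAGS and not self.skip:
            href = safe_href(dict(attrs).get("href")) if tag == "a" else None
            if href:
                self.out.append('<a href="%s" rel="noopener">' % html.escape(href))
            else:
                self.out.append("<%s>" % tag)
    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif tag in ALLOWED_TAGS and tag != "br" and not self.skip:
            self.out.append("</%s>" % tag)
    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data))

def sanitize_body(markup):
    parser = BodySanitizer()
    parser.feed(markup)
    parser.close()  # flush text buffered by convert_charrefs
    return "".join(parser.out)
```

An unclosed `<script>` leaves `skip` set, so everything after it is discarded rather than emitted. In production a maintained sanitizer library is preferable to a hand-written allowlist.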
