Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Reflected XSS attack with navigate-quickse parameter and affect many modules in NavigateCMS 2.9 #24

Closed
hydrasky-team opened this issue Jun 22, 2021 · 1 comment

Comments

@hydrasky-team
Copy link

EXPECTED BEHAVIOUR
An authenticated malicious user can take advantage of a Reflected XSS vulnerability with navigate-quickse parameter in URL and affect many modules.

IMPACT
Commonly include transmitting private data, like cookies or other session information, to the attacker, redirecting the victim to web content controlled by the attacker, or performing other malicious operations on the user’s machine under the guise of the vulnerable site.

VULNERABILITY CODE
I found the vulnerability code in many files. Because initial_url is built in these files.

lib\packages\backups\backups.php
lib\packages\blocks\blocks.php
lib\packages\brands\brands.php
lib\packages\comments\comments.php
lib\packages\coupons\coupons.php
lib\packages\feeds\feeds.php
lib\packages\functions\functions.php
lib\packages\items\items.php
lib\packages\menus\menus.php
lib\packages\orders\orders.php
lib\packages\payment_methods\payment_methods.php
lib\packages\products\products.php
lib\packages\profiles\profiles.php
lib\packages\shipping_methods\shipping_methods.php
lib\packages\templates\templates.php
lib\packages\users\users.php
lib\packages\webdictionary\webdictionary.php
lib\packages\websites\websites.php
lib\packages\webusers\webusers.php

image

After that initial_url is used in \lib\layout\navitable.class.php file to build HTML.

image

STEPS TO REPRODUCE

  1. We change the request and send the link to user

GET /navigate-2.9.3r1525/navigate/navigate.php?fid=websites&act=list&quicksearch=true&navigate-quicksearch=0"})%3b+alert("XSS")%3b$("%23websites_list").jqGrid({//

image

  1. People who already login and click to the link above.

  2. When loading the page then the Reflected XSS is executed.

image

@NavigateCMS
Copy link
Owner

Fixed by 466e1f8

Thank you for all @hydrasky-team

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants