
I have found a Reflected XSS vulnerability in this project #2

Closed
jgj212 opened this issue Mar 4, 2017 · 9 comments

Comments

@jgj212

jgj212 commented Mar 4, 2017

Hello:
I have found a Reflected XSS vulnerability in this project.

The vulnerability exists due to insufficient filtration of user-supplied data in "action" HTTP parameter that will be passed to "FineCMS-master\index.php". The infected source code is line 46, there is no protection on $_GET['action']; if $_GET['action'] contains evil js code, line 48 will trigger untrusted code to be executed on the browser side.
[screenshots of the affected source: code1, code2, code3]

So if an attacker constructs a special URL as follows and sends it to a victim, when the victim clicks the URL, the code contained in the URL will be executed on the victim's browser side to do some evil.
http://your-web-root/FineCMS-master/index.php?action="><script>alert(1);</script><"

The following screenshot is the result of clicking the above URL (Win7 SP1 x64 + Firefox 51.0.1 32-bit):
[screenshot: sc]

Discoverer: ADLab of Venustech

@danfolt

danfolt commented Mar 4, 2017

Hi jgj212, I am not the author of the script, but I also use this very nice script. Do you also have suggestions for the author on how to protect that part of the code?

@jgj212
Author

jgj212 commented Mar 4, 2017

Oh, my god. I made a mistake in the issue. The infected module is "FineCMS-master\index.php", which will pass the HTTP parameter to application.php with no security checking. Do you mean that application.php is not developed by you? @danfolt

@danfolt

danfolt commented Mar 4, 2017

You didn't make a mistake. https://github.com/andrzuk (author) can see from your screenshots that the issue is in index.php passing parameters to application.php. I tried that malicious URL and you are right, and yes, I have not developed anything here on that script.

@jgj212
Author

jgj212 commented Mar 4, 2017

Oh, you are a user of FineCMS? I am sorry, I thought you were the author of this CMS just now. The protection is just to check the parameter before passing it to application.php. @danfolt

@danfolt

danfolt commented Mar 4, 2017

Yes, I am only a user of this script (still not good enough to be a real developer), but as I've seen your detailed description of the issue, I had a feeling that you also already have a solution.

@andrzuk
Owner

andrzuk commented Mar 6, 2017

jgj212, thank you for pointing out this vulnerability. I have just fixed it by adding strip_tags() filtration.
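The pattern described in the report (a raw `action` parameter reflected into the page) and the mitigation discussed in this thread, as an added PHP illustration that is not FineCMS code; the page name, the template markup and the set of allowed actions are assumptions, and the script checks the exact payload quoted in the report:

```php
<?php
// Added illustration, not FineCMS code: the vulnerable pattern the report describes
// (raw $_GET['action'] reflected into HTML) beside two hardened variants.
// The template markup and the allowed-action list below are assumptions.

// Vulnerable: the raw parameter is placed inside an attribute with no encoding,
// so "><script>alert(1);</script><" closes the attribute and injects a tag.
function render_unsafe(string $action): string
{
    return '<a href="index.php?action=' . $action . '">' . $action . '</a>';
}

// Hardened output: context-aware encoding. ENT_QUOTES also encodes '"' and "'",
// which matters inside attribute values (strip_tags() alone leaves quotes intact).
function render_encoded(string $action): string
{
    $safe = htmlspecialchars($action, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<a href="index.php?action=' . $safe . '">' . $safe . '</a>';
}

// Hardened input: since "action" selects a route, validate it against an
// allow-list before it reaches application.php and fall back for anything else.
const ALLOWED_ACTIONS = ['home', 'login', 'logout', 'search']; // assumed set
function resolve_action(?string $action): string
{
    if ($action === null || !in_array($action, ALLOWED_ACTIONS, true)) {
        return 'home'; // safe default; log the rejected value or return 404 instead
    }
    return $action;
}

// Quick check from the command line using the payload quoted in the report.
if (PHP_SAPI === 'cli') {
    $payload = '"><script>alert(1);</script><"';
    echo render_unsafe($payload), PHP_EOL;   // script tag survives intact
    echo render_encoded($payload), PHP_EOL;  // &quot;&gt;&lt;script&gt;... (inert text)
    echo resolve_action($payload), PHP_EOL;  // home
}
```

Encoding must match the output context (attribute, element body, URL, JavaScript); the allow-list is the stronger control for a routing parameter because the value never needs to carry markup at all.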

@jgj212
Author

jgj212 commented Mar 6, 2017

@andrzuk thanks, I got it

@danfolt

danfolt commented Mar 6, 2017

@andrzuk I have made the changes in all four files, and when I insert jgj212's JavaScript code into the URL, I still see that alert. Is it ok to see it? When I insert that on any other website it redirects me to a 404 page not found.

@andrzuk
Owner

andrzuk commented Mar 6, 2017

Daniel, download the whole project again and copy the updated files to your hosting. I tested it and this link should generate such a message:

[screenshot: js_test]

instead of running JavaScript code.

@jgj212 jgj212 closed this as completed Mar 24, 2017