Cross-site Scripting (XSS) in bigtreecms 4.2.18

[xfkxfk]

Multiple Security Issue of XSS exists in BigTree CMS Less than 4.2.18

FILE：

\BigTree-CMS-4.2.18\core\admin\modules\developer\extensions\install\unpack.php
// Read the manifest
$json = json_decode(file_get_contents($cache_root."manifest.json"),true);
......
<h2>
	<?=$json["title"]?> <?=$json["version"]?>
	<small>by <?=$json["author"]["name"]?></small>
</h2>

title、version、author_name not filter by htmlspecialchars() function

POC：
in url：
http://127.0.0.1/BigTree-CMS-4.2.18/site/index.php/admin/developer/extensions/install/
upload xfkxfk.zip，there is manifest.json in xfkxfk.zip

{
    "type": "extension",
    "id": "xfkxfk",
    "version": "",
    "revision": 1,
    "compatibility": "xfkxfk",
    "title": "xfkxfk<img src =1 onerror=alert(/xss/)>",
    "description": "",
......

when upload xfkxfk.zip successful, result in a xss vuln
(you can also build-extensions, then download extensions, final modify extension and install it)

other file exists xss vuln too，for example：
\BigTree-CMS-4.2.18\core\admin\modules\developer\packages\install\unpack.php

please use htmlspecialchars() function to filter all params~

thank you~
email ： xfkxfk@secbook.net

[timbuckingham]

I wouldn't consider this XSS as there's no other site involved (and hence it can't be executed without the user uploading a malicious package). I have setup those fields to be escaped, though!

[xfkxfk]

If you install a package or extension containing malicious content, then you will be xssed, so you have to filter the fields you need to display, Rather than displayed directly.
for example:

<h2>
	<?=htmlspecialchars($json["title"])?> <?=htmlspecialchars($json["version"])?>
	<small>by <?=htmlspecialchars($json["author"]["name"])?></small>
</h2>