Description
Two stored XSS issues were already reported in #427 (title section) and #435 (content section).
I found another Stored-XSS lying in the Name field on the same page (monstra-3.0.4/plugins/box/pages/pages.admin.php).
Steps to reproduce:
1. Log in to Monstra at http://127.0.0.1/monstra-3.0.4/admin/index.php
2. Then visit http://127.0.0.1/monstra-3.0.4/admin/index.php?id=pages
3. Click the "Create New Page" button to create a new page
4. Fill in the Name field with the payload
<script>alert(document.cookie)</script>
5. Save and Exit
6. Visit the page you just created; the stored XSS will be triggered
Impacts:
Anyone who visits the target page will trigger JavaScript code execution in their browser, including administrators, editors, and guests.
Affected Version:
3.0.4 or before
Affected URL:
http://<your_site>/monstra/blog/<page_name>.php
Testing Environment:
Win7 with XAMPP: Apache/2.4.23, PHP 5.6.28
Analysis
Vulnerable page:
https://github.com/monstra-cms/monstra/blob/dev/plugins/box/pages/pages.admin.php
Lines 222-233: all POST data is stored and displayed without any sanitization.
Add page and edit page are vulnerable.
Mitigation:
Filter user input; please refer to #427.
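As an added illustration of the fix (example code, not Monstra's own), a minimal PHP handler that shows the unsanitized pattern described above beside an output-encoded version; the function names and the `page-title` markup are hypothetical.

```php
<?php
// Added example, not from the Monstra code base: the page-name rendering
// pattern described in the report, in vulnerable and hardened form.
// Function names and the surrounding markup are hypothetical.

/** Vulnerable: stores and echoes the posted Name value untouched. */
function renderNameVulnerable(string $postedName): string
{
    // Whatever was posted is written into the HTML as-is, so markup in the
    // name (like the <script> payload from step 4) runs in every viewer's browser.
    return '<h1 class="page-title">' . $postedName . '</h1>';
}

/** Hardened: HTML-encode on output so any markup in the name is shown as text. */
function renderNameEscaped(string $postedName): string
{
    // ENT_QUOTES also encodes ' and ", so the same helper is safe inside
    // attribute values; ENT_SUBSTITUTE avoids an empty result on invalid UTF-8.
    $safe = htmlspecialchars($postedName, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<h1 class="page-title">' . $safe . '</h1>';
}

/** Optional input-side check at save time: a page name should be plain text. */
function isPlainName(string $postedName): bool
{
    return $postedName !== ''
        && $postedName === strip_tags($postedName)
        && strlen($postedName) <= 255;
}

// Constructed sample input: the payload quoted in step 4 of the report.
$posted = '<script>alert(document.cookie)</script>';

echo "Vulnerable output:\n", renderNameVulnerable($posted), "\n\n";
echo "Escaped output:\n", renderNameEscaped($posted), "\n\n";
echo 'Accepted as a plain name: ', isPlainName($posted) ? 'yes' : 'no', "\n";
```

Output encoding at render time is the fix that matters; the save-time check only adds defence in depth, since content stored before the fix is still rendered through the same path.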