Skip to content

Stored XSS Vulnerability(Need Authentication) #436

Closed
@starnightcyber

Description

@starnightcyber

Two Stored-XSS reported #427(title section) and #435 (content section)
I found another Stored-XSS lie in Name filed in the same page (monstra-3.0.4/plugins/box/pages/pages.admin.php)

Steps to reproduce:
1、Login monstra http://127.0.0.1/monstra-3.0.4/admin/index.php
2、Then, visit http://127.0.0.1/monstra-3.0.4/admin/index.php?id=pages
3、Click Create New Page button to create a new page
4、Fill in Name field with payload
<script>alert(document.cookie)</script>
5、Save and Exit
6、visit the page you just created, then Stored-XSS will be triggered

Impacts:
Anyone who visit the target page will trigger JavaScript code execution, including administrator, editor, and guest.

Affected Version:
3.0.4 or before

Affected URL:
http://<your_site>/monstra/blog/<page_name>.php

Testing Environment:
Win7 with XAMPP: Apache/2.4.23 、 PHP Version 5.6.28

Analysis
vulnerable page :
https://github.com/monstra-cms/monstra/blob/dev/plugins/box/pages/pages.admin.php
line 222-233 all post data without any sanitization, just add and display
Add page and edit page are vulnerable.

Mitigation:
Filter user input ,please refer #427

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions