NoneCMS v1.3 has a CSRF vulnerability in public/index.php/admin/nav/add.html, as demonstrated by adding a navigation column into which arbitrary web script or HTML can be injected via the name parameter, resulting in a stored XSS attack.
The vulnerable code is located in application\admin\controller\Nav.php:
There is no CSRF token check here.
We can also use Burp Suite as a proxy to confirm that the public/index.php/admin/nav/add.html endpoint does not use a CSRF token:
So we can write the PoC as follows (csrf.html):
Before the administrator visits the malicious link, there are 7 columns in the custom navigation bar:
When the administrator visits the malicious link, the page automatically submits the request, triggering the CSRF attack:
Although the response returns status code 500, the navigation column has still been added successfully:
When a back-end administrator accesses the admin panel or a front-end user accesses the column, the stored XSS is triggered:
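As an added illustration (not NoneCMS's own code), the following framework-agnostic PHP sketch shows how an "add navigation column" handler would be hardened against both issues above: a session-bound synchronizer token compared in constant time, and HTML-encoding of the name when it is rendered. The function names, the `__token__` field name and the `$persist` callback are assumptions made for this example.

```php
<?php
// Hardened sketch of a navigation-column "add" handler (added example, not NoneCMS code).
// Mitigates the two reported issues: no CSRF token check, and the name parameter
// being rendered unencoded (stored XSS).

// Defense in depth: a SameSite cookie keeps most cross-site POSTs from carrying the session.
session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']);
session_start();

// Issue one random token per session; the form embeds it as a hidden field.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Compare the submitted token with the session token in constant time.
function csrf_check($submitted): bool {
    $expected = $_SESSION['csrf_token'] ?? '';
    return $expected !== '' && is_string($submitted) && hash_equals($expected, $submitted);
}

// Escape untrusted text before placing it in HTML; this is what stops the stored XSS.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Hypothetical add action: refuse anything that is not a POST with a valid token.
// $persist is the caller's storage routine (e.g. a DB insert); it receives the raw name.
function nav_add(array $post, string $method, callable $persist): array {
    if ($method !== 'POST' || !csrf_check($post['__token__'] ?? null)) {
        return ['status' => 403, 'body' => 'Invalid CSRF token'];
    }
    $name = trim((string)($post['name'] ?? ''));
    if ($name === '' || strlen($name) > 255) {
        return ['status' => 400, 'body' => 'Invalid name'];
    }
    $persist(['name' => $name]);          // store the raw value; encode on output, not input
    return ['status' => 200, 'body' => 'Added: ' . h($name)];
}

// The admin form must carry the token, e.g. a hidden input named "__token__"
// whose value is h(csrf_token()); the navigation template must print every
// column name through h() as well, since values already stored may be malicious.
```

Any column names that were stored before the fix are still dangerous until the templates encode them on output, so encoding belongs in the renderer, not only in the add handler.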