Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
GilaCMS XSS (latest version below 2.1.0)

Glia CMS official Github: https://github.com/GilaCMS/gila

Gila CMS official website: https://gilacms.com

Latest version: 2.1.0 (https://github.com/GilaCMS/gila/tree/123e4f2258059185510994232461aafc921553de), as to 03/06/2021.

Vulnerability 1: Reflected XSS through fm/upload endpoint with filename parameter.

Vulnerable code at uploadAction function in src/core/controllers/FMController.php:

for ($i=0; $i<count($tmp_file); $i++) {
      if (!FileManager::allowedFileType($name[$i])) {
        die("Error: File type {$name[$i]} is not accepted!");
      }
      if (!move_uploaded_file($tmp_file[$i], SITE_PATH.$path.'/'.$name[$i])) {
        die("Error: could not upload file!");
      }
    }

The filename $name is not properly filtered. Attacker with file upload access can upload a file with a disallowed extension (.php, etc.) that contains xss payload, for example "><svg onload=alert(1)>".py to trigger the target code block. This results in a reflected XSS. Sample demo in the following gif (gila_reflected_xss.gif).

Vulnerability 2: Stored XSS through fm/dir endpoint.

The vulnerable code block is at dirAction() function in src/core/controllers/FMController.php:

  public function dirAction()
  {
    \\ some codes here
    
    $folderinfo['files'] = $filelist;
    $folderinfo['path'] = $this->relativePath;
    echo json_encode($folderinfo);
  }

In short, the above function returns the files information of the requested folder in a json format:

{files: [{'name': 'file1', 'size':1, 'mtime': 'time', 'mode': mode, 'ext': '.txt'}, {file2, ....}, ...], 'path': 'log'}

When uploading a file, the attacker can control the filename variable. The attacker can upload a file with valid file extension but a malicious filename, such as "><svg onload=alert(1)>".txt to the directory that he has access to, for example './log/'. Later when any other user access the webpage to browse the files in this folder through fm/dir?path=log endpoint, the stored XSS content is triggered. This can be shown in the following (gila_stored_xss.gif).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment