Closed Songohan22 closed 4 years ago
Both already fixed in version 2.9.1, check out the new version released today. Thank you Songohan22.
@NavigateCMS Nice...:D
Hi @NavigateCMS
Cross-Site Scripting vulnerability in the "tracking_script, mail_mailer[], language-variant-code[], language-locale[2], language-locale[1], language-id[2], language-id[1], file-name, comment_default_moderator, additional_styles, additional_scripts" fields/features in NavigateCMS 2.9.
I think you will fix it soon.
Can you provide an example for the fields additional_styles, additional_scripts and tracking_script? Thank you.
tracking_script Request:
POST /navigate/navigate.php?fid=websites&act=edit HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Referer: http://192.168.137.6:8765/navigate/navigate.php?fid=websites&act=edit
Cookie: navigate-tinymce-scroll=%7B%7D; PHPSESSID=r4pvjbe2eajff189vnug6ih0dl; NVSID_139cd01d0866df27=r4pvjbe2eajff189vnug6ih0dl; navigate-language=en
Connection: Keep-Alive
Host: 192.168.137.6:8765
X-Csrf-Token: cbc497d231626fdaf0f20f572629c51d95b330bd2feab29e1e8cae293b28f45f
Content-Length: 4481
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US
Content-Type: multipart/form-data; boundary=
Content-Disposition: form-data; name="form-sent"
true
Content-Disposition: form-data; name="_nv_csrf_token"
00bf0473071bad58ae4f739a3a78db9412fa1409c556f09e428d545d158d307d
Content-Disposition: form-data; name="id"
Content-Disposition: form-data; name="title"
1234
Content-Disposition: form-data; name="protocol"
https://
Content-Disposition: form-data; name="subdomain"
1234
Content-Disposition: form-data; name="domain"
1234
Content-Disposition: form-data; name="folder"
1234
Content-Disposition: form-data; name="homepage_from_structure"
Content-Disposition: form-data; name="homepage"
25
Content-Disposition: form-data; name="wrong_path_action"
http_404
Content-Disposition: form-data; name="wrong_path_redirect"
Content-Disposition: form-data; name="empty_path_action"
theme_404
Content-Disposition: form-data; name="permission"
1
Content-Disposition: form-data; name="redirect_to"
1234
Content-Disposition: form-data; name="languages-order"
Content-Disposition: form-data; name="language-id[1]"
en
Content-Disposition: form-data; name="language-code[]"
25
Content-Disposition: form-data; name="language-variant[]"
1
Content-Disposition: form-data; name="language-variant-code[]"
25
Content-Disposition: form-data; name="language-locale[1]"
ENU_USA
Content-Disposition: form-data; name="language-published[]"
1
Content-Disposition: form-data; name="date_format"
Y-m-d
Content-Disposition: form-data; name="default_timezone"
UTC
Content-Disposition: form-data; name="website-decimal_separator"
.
Content-Disposition: form-data; name="website-thousands_separator"
,
Content-Disposition: form-data; name="website-default_currency"
usd
Content-Disposition: form-data; name="website-default_size_unit"
mm
Content-Disposition: form-data; name="website-default_weight_unit"
kg
Content-Disposition: form-data; name="word_separator"
_
Content-Disposition: form-data; name="resize_uploaded_images"
1600
Content-Disposition: form-data; name="website-favicon"
Content-Disposition: form-data; name="share_files_media_browser"
1
Content-Disposition: form-data; name="comments_enabled_for"
1
Content-Disposition: form-data; name="comments_default_moderator"
c_author
Content-Disposition: form-data; name="page_cache"
1
Content-Disposition: form-data; name="mail_mailer[]"
smtp
Content-Disposition: form-data; name="mail_server"
test@altoromutual.com
Content-Disposition: form-data; name="mail_port"
test@altoromutual.com
Content-Disposition: form-data; name="mail_security"
1
Content-Disposition: form-data; name="mail_ignore_ssl_security"
1
Content-Disposition: form-data; name="mail_user"
test@altoromutual.com
Content-Disposition: form-data; name="mail_address"
753 Main Street
Content-Disposition: form-data; name="mail_password"
test@altoromutual.com
Content-Disposition: form-data; name="contact_emails"
test@altoromutual.com
Content-Disposition: form-data; name="website_additional_code[]"
tracking_scripts
Content-Disposition: form-data; name="tracking_scripts"
1234
Content-Disposition: form-data; name="additional_scripts"
1234
Content-Disposition: form-data; name="additional_styles"
1234
additional_script Request:
POST /navigate/navigate.php?fid=websites&act=edit HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Referer: http://192.168.137.6:8765/navigate/navigate.php?fid=websites&act=edit
Cookie: navigate-tinymce-scroll=%7B%7D; PHPSESSID=r4pvjbe2eajff189vnug6ih0dl; NVSID_139cd01d0866df27=r4pvjbe2eajff189vnug6ih0dl; navigate-language=en
Connection: Keep-Alive
Host: 192.168.137.6:8765
X-Csrf-Token: cbc497d231626fdaf0f20f572629c51d95b330bd2feab29e1e8cae293b28f45f
Content-Length: 4481
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US
Content-Type: multipart/form-data; boundary=
Content-Disposition: form-data; name="form-sent"
true
Content-Disposition: form-data; name="_nv_csrf_token"
00bf0473071bad58ae4f739a3a78db9412fa1409c556f09e428d545d158d307d
Content-Disposition: form-data; name="id"
Content-Disposition: form-data; name="title"
1234
Content-Disposition: form-data; name="protocol"
https://
Content-Disposition: form-data; name="subdomain"
1234
Content-Disposition: form-data; name="domain"
1234
Content-Disposition: form-data; name="folder"
1234
Content-Disposition: form-data; name="homepage_from_structure"
Content-Disposition: form-data; name="homepage"
25
Content-Disposition: form-data; name="wrong_path_action"
http_404
Content-Disposition: form-data; name="wrong_path_redirect"
Content-Disposition: form-data; name="empty_path_action"
theme_404
Content-Disposition: form-data; name="permission"
1
Content-Disposition: form-data; name="redirect_to"
1234
Content-Disposition: form-data; name="languages-order"
Content-Disposition: form-data; name="language-id[1]"
en
Content-Disposition: form-data; name="language-code[]"
25
Content-Disposition: form-data; name="language-variant[]"
1
Content-Disposition: form-data; name="language-variant-code[]"
25
Content-Disposition: form-data; name="language-locale[1]"
ENU_USA
Content-Disposition: form-data; name="language-published[]"
1
Content-Disposition: form-data; name="date_format"
Y-m-d
Content-Disposition: form-data; name="default_timezone"
UTC
Content-Disposition: form-data; name="website-decimal_separator"
.
Content-Disposition: form-data; name="website-thousands_separator"
,
Content-Disposition: form-data; name="website-default_currency"
usd
Content-Disposition: form-data; name="website-default_size_unit"
mm
Content-Disposition: form-data; name="website-default_weight_unit"
kg
--AppScanBoundary
Content-Disposition: form-data; name="word_separator"
_
Content-Disposition: form-data; name="resize_uploaded_images"
1600
Content-Disposition: form-data; name="website-favicon"
Content-Disposition: form-data; name="share_files_media_browser"
1
Content-Disposition: form-data; name="comments_enabled_for"
1
Content-Disposition: form-data; name="comments_default_moderator"
c_author
Content-Disposition: form-data; name="page_cache"
1
Content-Disposition: form-data; name="mail_mailer[]"
smtp
Content-Disposition: form-data; name="mail_server"
test@altoromutual.com
Content-Disposition: form-data; name="mail_port"
test@altoromutual.com
Content-Disposition: form-data; name="mail_security"
1
Content-Disposition: form-data; name="mail_ignore_ssl_security"
1
Content-Disposition: form-data; name="mail_user"
test@altoromutual.com
Content-Disposition: form-data; name="mail_address"
753 Main Street
Content-Disposition: form-data; name="mail_password"
test@altoromutual.com
Content-Disposition: form-data; name="contact_emails"
test@altoromutual.com
Content-Disposition: form-data; name="website_additional_code[]"
tracking_scripts
Content-Disposition: form-data; name="tracking_scripts"
1234
Content-Disposition: form-data; name="additional_scripts"
1234
Content-Disposition: form-data; name="additional_styles"
1234
additional_styles Request:
POST /navigate/navigate.php?fid=websites&act=edit HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Referer: http://192.168.137.6:8765/navigate/navigate.php?fid=websites&act=edit
Cookie: navigate-tinymce-scroll=%7B%7D; PHPSESSID=r4pvjbe2eajff189vnug6ih0dl; NVSID_139cd01d0866df27=r4pvjbe2eajff189vnug6ih0dl; navigate-language=en
Connection: Keep-Alive
Host: 192.168.137.6:8765
X-Csrf-Token: cbc497d231626fdaf0f20f572629c51d95b330bd2feab29e1e8cae293b28f45f
Content-Length: 4481
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US
Content-Type: multipart/form-data; boundary=
Content-Disposition: form-data; name="form-sent"
true
Content-Disposition: form-data; name="_nv_csrf_token"
00bf0473071bad58ae4f739a3a78db9412fa1409c556f09e428d545d158d307d
Content-Disposition: form-data; name="id"
Content-Disposition: form-data; name="title"
1234
Content-Disposition: form-data; name="protocol"
https://
Content-Disposition: form-data; name="subdomain"
1234
Content-Disposition: form-data; name="domain"
1234
Content-Disposition: form-data; name="folder"
1234
Content-Disposition: form-data; name="homepage_from_structure"
Content-Disposition: form-data; name="homepage"
25
Content-Disposition: form-data; name="wrong_path_action"
http_404
Content-Disposition: form-data; name="wrong_path_redirect"
Content-Disposition: form-data; name="empty_path_action"
theme_404
Content-Disposition: form-data; name="permission"
1
Content-Disposition: form-data; name="redirect_to"
1234
Content-Disposition: form-data; name="languages-order"
Content-Disposition: form-data; name="language-id[1]"
en
Content-Disposition: form-data; name="language-code[]"
25
Content-Disposition: form-data; name="language-variant[]"
1
Content-Disposition: form-data; name="language-variant-code[]"
25
Content-Disposition: form-data; name="language-locale[1]"
ENU_USA
Content-Disposition: form-data; name="language-published[]"
1
Content-Disposition: form-data; name="date_format"
Y-m-d
Content-Disposition: form-data; name="default_timezone"
UTC
Content-Disposition: form-data; name="website-decimal_separator"
.
Content-Disposition: form-data; name="website-thousands_separator"
,
Content-Disposition: form-data; name="website-default_currency"
usd
Content-Disposition: form-data; name="website-default_size_unit"
mm
Content-Disposition: form-data; name="website-default_weight_unit"
kg
Content-Disposition: form-data; name="word_separator"
_
Content-Disposition: form-data; name="resize_uploaded_images"
1600
Content-Disposition: form-data; name="website-favicon"
Content-Disposition: form-data; name="share_files_media_browser"
1
Content-Disposition: form-data; name="comments_enabled_for"
1
Content-Disposition: form-data; name="comments_default_moderator"
c_author
Content-Disposition: form-data; name="page_cache"
1
Content-Disposition: form-data; name="mail_mailer[]"
smtp
Content-Disposition: form-data; name="mail_server"
test@altoromutual.com
Content-Disposition: form-data; name="mail_port"
test@altoromutual.com
Content-Disposition: form-data; name="mail_security"
1
Content-Disposition: form-data; name="mail_ignore_ssl_security"
1
Content-Disposition: form-data; name="mail_user"
test@altoromutual.com
Content-Disposition: form-data; name="mail_address"
753 Main Street
Content-Disposition: form-data; name="mail_password"
test@altoromutual.com
Content-Disposition: form-data; name="contact_emails"
test@altoromutual.com
Content-Disposition: form-data; name="website_additional_code[]"
tracking_scripts
Content-Disposition: form-data; name="tracking_scripts"
1234
Content-Disposition: form-data; name="additional_scripts"
1234
Content-Disposition: form-data; name="additional_styles"
1234
Fixed by 33ef8dffad685576db3b31ae6afc83b619c918f8 and 652c55f6dd6aa23f71d7ef34ac59dbd6e4ebf765
Describe the bug
An authenticated malicious user can take advantage of a Reflected XSS vulnerability in the "fid" function/feature in NavigateCMS 2.9.

To Reproduce
Steps to reproduce the behavior:

I think you will fix it soon.
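The reports in this thread name the affected parameters (the website-settings fields and the reflected "fid" parameter) but give no way to confirm whether a given build still echoes them unencoded. The script below is an added example, not code from NavigateCMS or from the reporter: it submits a unique marker per field and classifies the response as "unescaped", "escaped" (only an HTML-encoded form comes back) or "absent". The responses used here are constructed stand-ins for navigate.php output, so the script runs offline; against a real install you would replace them with the bodies returned after sending the probe in the corresponding request above.

```python
"""Classify how a NavigateCMS response reflects an XSS probe (added example, not project code)."""
import html


def make_probe(field: str) -> str:
    """Build a per-field marker so a reflected and a stored sink can be told apart later."""
    return f'"><svg onload=alert("{field}")>'


def classify(body: str, probe: str) -> str:
    """Return 'unescaped' if the raw probe appears in body, 'escaped' if only an
    HTML-encoded form does (htmlspecialchars with or without quote escaping), else 'absent'."""
    if probe in body:
        return "unescaped"
    encoded_forms = {html.escape(probe, quote=True), html.escape(probe, quote=False)}
    if any(enc in body for enc in encoded_forms):
        return "escaped"
    return "absent"


def check_fields(responses: dict, probes: dict) -> dict:
    """Classify every probed field against the response captured after submitting it."""
    return {field: classify(responses[field], probe) for field, probe in probes.items()}


# Fields taken from the report above; probe per field.
PROBES = {name: make_probe(name) for name in ("fid", "tracking_scripts", "additional_styles")}

# Constructed sample responses (not captured from a real install) showing the three outcomes:
# fid echoed raw into an attribute, tracking_scripts re-rendered through HTML encoding,
# additional_styles not reflected at all.
SAMPLE_RESPONSES = {
    "fid": '<a href="navigate.php?fid=' + PROBES["fid"] + '&act=edit">edit</a>',
    "tracking_scripts": '<textarea name="tracking_scripts">'
    + html.escape(PROBES["tracking_scripts"])
    + "</textarea>",
    "additional_styles": '<textarea name="additional_styles"></textarea>',
}


if __name__ == "__main__":
    for field, verdict in check_fields(SAMPLE_RESPONSES, PROBES).items():
        print(f"{field}: {verdict}")
```

For the website-settings fields the submitted value is script or CSS by design and is meant to be emitted raw on the public site, so the only thing this check tells you is whether the admin form re-displays the stored value without encoding; whether a lower-privileged role can set those fields is a separate authorization question the check does not answer.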