XiaoZhis / ProjectSend


CMS Made Simple xss #2

Open XiaoZhis opened 7 years ago

XiaoZhis commented 7 years ago

USE CVE-2017-9668

When adding a user group there is no XSS filtering, resulting in a stored XSS via the description parameter of an addgroup action.

Code:

```php
<?php
$CMS_ADMIN_PAGE = 1;

require_once("../lib/include.php");
require_once("../lib/classes/class.group.inc.php");
$urlext = '?' . CMS_SECURE_PARAM_NAME . '=' . $_SESSION[CMS_USER_KEY];

check_login();

$error = "";

$group = "";
if (isset($_POST["group"])) $group = $_POST["group"];

// The description is taken from the request verbatim: no filtering or encoding.
$description = "";
if (isset($_POST["description"])) $description = $_POST["description"];

$active = 1;
if (!isset($_POST["active"]) && isset($_POST["addgroup"])) $active = 0;

if (isset($_POST["cancel"])) {
    redirect("listgroups.php" . $urlext);
    return;
}

$userid = get_userid();
$access = check_permission($userid, 'Manage Groups');

if ($access) {
    if (isset($_POST["addgroup"])) {
        try {
            if ($group == '') throw new \CmsInvalidDataException(lang('nofieldgiven', lang('groupname')));

            $groupobj = new Group();
            $groupobj->name = $group;
            // The unfiltered description is persisted here and later shown in the group list.
            $groupobj->description = $description;
            $groupobj->active = $active;

            Events::SendEvent('Core', 'AddGroupPre', array('group' => &$groupobj));

            $result = $groupobj->save();
            if (!$result) throw new \RuntimeException(lang('errorinsertinggroup'));

            Events::SendEvent('Core', 'AddGroupPost', array('group' => &$groupobj));
            // put mention into the admin log
            audit($groupobj->id, 'Admin User Group: ' . $groupobj->name, 'Added');
            redirect("listgroups.php" . $urlext);
            return;
        }
        catch (\Exception $e) {
            $error .= '<li>' . $e->GetMessage() . '</li>';
        }
    }
}
```

User & group -> group

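An added example, not the reporter's code and not CMS Made Simple's own: the handler above stores `$_POST["description"]` verbatim, and the group listing (not shown on this page) echoes it back into HTML. The `render_description_*` functions and the sample group record are assumed for illustration; the fix shown is encoding the stored value for the HTML context at output time with `htmlspecialchars`.

```php
<?php
// Constructed sample: a group record as it would come back from the database
// after an addgroup request whose description contained markup.
$group = [
    'name'        => 'editors',
    'description' => '<script>alert(1)</script>', // constructed, markup-bearing value
];

// Vulnerable pattern (what a stored XSS needs): the saved string is dropped
// into the page as-is, so the browser parses it as live HTML.
function render_description_unsafe(array $group): string
{
    return '<td>' . $group['description'] . '</td>';
}

// Hardened pattern: encode for the HTML text context at the point of output.
// ENT_QUOTES also covers attribute contexts; the charset must match the page.
function render_description_safe(array $group): string
{
    return '<td>' . htmlspecialchars($group['description'], ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>';
}

// Optional defence in depth on the write path: a plain-text field has no
// business carrying tags, so reject them before save() instead of storing them.
function validate_description(string $description): bool
{
    return $description === strip_tags($description);
}

$unsafe = render_description_unsafe($group);
$safe   = render_description_safe($group);

// The unsafe rendering contains a real <script> element; the safe one only
// contains the literal text "&lt;script&gt;..." and nothing executes.
assert(strpos($unsafe, '<script>') !== false);
assert(strpos($safe, '<script>') === false);
assert(validate_description($group['description']) === false);
assert(validate_description('Content editors for the news section') === true);

echo $safe, PHP_EOL;
```

Output encoding is the fix that closes the hole; the input check only narrows what can be stored and does not replace escaping wherever the value is rendered.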