The function of this file is to Modify personal information,but it don't Verify whether the operation is legal.
Through it attackers can modify admin's password ,mail,phone and head-image.
Throught it can delete Any member and administrator just by modify the 'id' that in Url.
Delete the Account number of administrator just need to modify the id as '1'.
And other operations of delete are exist on this cms. Just give the positions,don't prove.
Reflected XSS in App/Team/GET/Repoort.php
In the method of extract, the CSRF also exist , but this is to prove the Rdflected XSS,not CSRF.
In line 72-78 , the data from $_GET('begin') and $_GET('end') is transfer to variables, and output in pages.
Proof of Concept(PoC)
localhost/pescms/Public/?g=Team&m=Report&a=extract&begin="onmouseover=alert(1)//&end=&user=0
or
localhost/pescms/Public/?g=Team&m=Report&a=extract&begin=&end="onmouseover=alert(1)//&user=0
or,page:
http://localhost/pescms/Public/?g=Team&m=Report&a=allExtract&begin="onmouseover=alert(1)//&end=&user=0
In this page ,Reflected XSS can be combined with CSRF,this will cause bigger destruction
Cross Site Request Forgery(CSRF)-1
modify admin's password ,mail,phone and head-image.
Technical Description: file :
pescms/App/Team/PUT/User.php
The function of this file is to Modify personal information,but it don't Verify whether the operation is legal. Through it attackers can modify admin's password ,mail,phone and head-image.
Proof of Concept(PoC)
Success.And the password of admin has been modify.
Cross Site Request Forgery(CSRF)-2
Delete the administrator and other member's account number
Technical Description: file:
Throught it can delete Any member and administrator just by modify the 'id' that in Url. Delete the Account number of administrator just need to modify the id as '1'.
Proof of Concept(PoC)
Visit this page of poc:
We refresh the list of user ,that find that the user that called light is deleted.
Cross Site Request Forgery(CSRF)-3
Delete import information
Technical Description: file:
Through CSRF to Delete important data is exist in these files.
ALL the delete operations are not verify in front page. Like this:
Proof of Concept(PoC)
refresh:
And other operations of delete are exist on this cms. Just give the positions,don't prove.
Reflected XSS in App/Team/GET/Repoort.php
In the method of extract, the CSRF also exist , but this is to prove the Rdflected XSS,not CSRF.
In line 72-78 , the data from $_GET('begin') and $_GET('end') is transfer to variables, and output in pages.
Proof of Concept(PoC)
In this page ,Reflected XSS can be combined with CSRF,this will cause bigger destruction