monstra-cms / monstra

THIS PROJECT IS NOT SUPPORTED ANYMORE! Check FLEXTYPE.ORG
http://flextype.org
MIT License

404 page has Stored XSS Vulnerability #437

Open Waterpaste opened 6 years ago

Waterpaste commented 6 years ago

Stored XSS was reported in #427 (title section), #435 (content section) and #436 (title section). I found another stored XSS in the 404 page (name field); the vulnerability source is in monstra-3.0.4/plugins/box/pages/pages.admin.php.

Affected Version:

3.0.4 or before

Payload: <a href="javascript:alert(/xss/)">xss</a>

Steps to replicate:

  1. Go to http:///monstra/admin/index.php?id=pages
  2. Click Edit 404 page (http:///monstra/admin/index.php?id=pages&action=edit_page&name=error404)
  3. Enter the payload in the title section and save
  4. Visit http:///monstra/bilibili.php
  5. You will trigger JavaScript execution

Impacts: A user with editor-level privileges can cause JavaScript code execution in the admin's session.

Testing Environment: PHP/5.5.38 + Apache/2.4.23
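
Added example, not part of the issue and not Monstra's own code: a minimal PHP sketch of the vulnerable output pattern next to the output-encoded form, using the payload from the report. The function names are hypothetical, and it assumes the stored title is written into an HTML text context when the 404 page is rendered.

```php
<?php
// Added illustration; function names are hypothetical, not Monstra APIs.

// Payload from the report, as it would sit in the stored page title.
$storedTitle = '<a href="javascript:alert(/xss/)">xss</a>';

// Vulnerable pattern: the stored value is concatenated into HTML unchanged,
// so the browser parses the anchor and its javascript: URL as live markup.
function render_title_unsafe($title)
{
    return '<h1>' . $title . '</h1>';
}

// Hardened pattern: encode on output for the HTML text context.
// ENT_QUOTES also encodes single quotes, so the same value stays inert
// if it is later placed inside a quoted attribute.
function render_title_safe($title)
{
    return '<h1>' . htmlspecialchars($title, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</h1>';
}

// Defence in depth at save time: a title is plain text, so reject any
// value that contains markup. This is stricter than needed for display
// (a title such as "a < b" is refused) and does not replace output encoding.
function validate_title($title)
{
    return $title !== ''
        && $title === strip_tags($title)
        && !preg_match('/[<>]/', $title);
}

echo "unsafe: ", render_title_unsafe($storedTitle), PHP_EOL;
echo "safe:   ", render_title_safe($storedTitle), PHP_EOL;
echo "payload accepted at save time: ",
    var_export(validate_title($storedTitle), true), PHP_EOL;
echo "plain title accepted at save time: ",
    var_export(validate_title('Page not found'), true), PHP_EOL;
```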