[CVE-2017-13778] Fiyo CMS 2.0.7 Stored XSS

Hello, I found some problems with Fiyo CMS and hope this helps you and your work.

The $_POST[site_name] variable in dapur\apps\app_config\sys_config.php has a stored XSS vulnerability:

    if(isset($_POST['config_save'])) {
        if(empty($_POST['site_name']) AND empty($_POST['site_title']) AND empty($_POST['site_url']) AND empty($_POST['site_status']) AND empty($_POST['site_title']) AND empty($_POST['file_allowed']) AND empty($_POST['file_size'])) 
        {    
            notice('error','invalid');
    ...
            * Query configuration
            */
            $qr=$db->update(FDBPrefix."setting",array('value'=>"$_POST[site_name]"),"name='site_name'");    
            $qr=$db->update(FDBPrefix."setting",array('value'=>"$_POST[title]"),"name='site_title'");    
            $qr=$db->update(FDBPrefix."setting",array('value'=>"$_POST[url]"),"name='site_url'");

'$_POST[site_name]' is not filtered and is written directly to the database.


and then, in dapur\apps\app_config\general.php:

    <table>        
        <tr>
            <td class="row-title"><span class="tips"  title="<?php echo Site_Name_tip; ?>" width="40%"> <?php echo Site_Name; ?></td>
            <td><input type="text" name="site_name" size="30" value="<?php echo siteConfig('site_name'); ?>" required></td>
        </tr>

It does not do any filtering and outputs 'site_name' directly to the page.

So when I set 'site_name' to an XSS payload, there is a stored XSS.
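
The output-side fix for the sink in general.php, as an added example (not Fiyo CMS code and not part of the original report): the stored value is encoded for the HTML attribute context at the moment it is echoed. site_config_stub() is a hypothetical stand-in for siteConfig(), and the stored string is constructed.

```php
<?php
// Added example, not Fiyo CMS code. site_config_stub() is a hypothetical
// stand-in for siteConfig(); the stored value is constructed for illustration.
function site_config_stub(string $name): string
{
    // What the setting table holds after the unfiltered update(): a double
    // quote that ends the value="" attribute, followed by markup.
    $settings = ['site_name' => 'My Site" data-injected="1"><b>markup</b>'];
    return $settings[$name] ?? '';
}

// Sink as in general.php: the stored value is echoed raw into value="...".
function render_raw(string $value): string
{
    return '<input type="text" name="site_name" size="30" value="' . $value . '" required>';
}

// Hardened sink: encode for the HTML attribute context at output time.
// ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE replaces invalid UTF-8
// sequences instead of returning an empty string.
function render_encoded(string $value): string
{
    $safe = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="site_name" size="30" value="' . $safe . '" required>';
}

// Rough structural check: how many tags the fragment opens or closes, and
// whether the stored text managed to create an attribute of its own.
function summarize(string $html): array
{
    return [
        'tags'               => substr_count($html, '<'),
        'injected_attribute' => strpos($html, 'data-injected="1"') !== false,
    ];
}

$stored = site_config_stub('site_name');
print_r(summarize(render_raw($stored)));     // raw sink: stored text changes the markup
print_r(summarize(render_encoded($stored))); // encoded sink: only the <input> tag remains

// Encoding is lossless: decoding the attribute yields the stored string again,
// so the admin form still shows and resubmits the original site name.
preg_match('/value="([^"]*)"/', render_encoded($stored), $m);
var_dump(html_entity_decode($m[1], ENT_QUOTES, 'UTF-8') === $stored);
```

The same encoding is needed wherever else the stored site name is echoed into a page.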


[Discoverer]
hi-building

Use CVE-2017-13778.
