CVE-2023-37657: [Warning] Stored XSS in TwoNav v2.0.28-20230624 · Issue #3 · tznb1/TwoNav
TwoNav v2.0.28-20230624 is vulnerable to Cross-Site Scripting (XSS).
Vulnerable product: TwoNav v2.0.28-20230624
Vulnerable version: v2.0.28-20230624
Vulnerability type: Stored XSS
Vulnerability details:
Vulnerability location: the "add header" field, combined with "/index.php?c=api&method=read_data&type=phpinfo&u=admin"
The default settings allow free registration, which makes the stored XSS reachable by any visitor.
The stored XSS payload can make an admin's browser call phpinfo(); because phpinfo() echoes the request headers, this bypasses the HttpOnly cookie flag and discloses cookies, the root path of the website, PHP variables and similar information.
First, register an account at http://localhost/?c=login:
account: test
password: test
Then go to "Site settings" (站点设置).
Because of HttpOnly, the admin's browser has to be the one calling phpinfo(); the API for that is http://localhost/index.php?c=api&method=read_data&type=phpinfo&u=admin
Enter the payload in the "Header code - User" (头部(header)代码 - 用户) input:
payload:
<script src="http://cdn.bootcss.com/jquery/1.11.0/jquery.min.js" type="text/javascript"></script> <script> $.ajax({ url: '/index.php?c=api&method=read_data&type=phpinfo&u=admin', type: 'get', success: function (data) { console.log(data); } }) </script>
and click "Save" (保存).
After that, when an admin opens the page http://localhost/?u=test, the page automatically fetches the phpinfo output and prints it with console.log().
(The payload could of course be changed to send the phpinfo output to another server; console.log is only used here as a test.)
Finally, we download the phpinfo output and open it as HTML.
It discloses a large number of cookies and the root path of the website.
This proves the stored XSS.
Discovered by leeya_bug
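The chain above leaves a recognisable trace in the web server log: a request to the phpinfo API whose Referer is a public user page (/?u=<name>) rather than an admin screen. The following detection script is an added example for defenders, not part of the original report or of TwoNav; it assumes the server writes Apache/nginx "combined" format logs, and the log lines it scans are constructed samples.

```python
import re
from urllib.parse import urlparse, parse_qs

# Apache/nginx "combined" log format (assumption: TwoNav sits behind such a server).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample log lines. Line 2 is the pattern produced by the stored
# header-code payload: the admin viewed /?u=test, and that page then fetched the
# phpinfo API in the admin's session. Line 3 is a direct phpinfo read (no Referer),
# line 4 is an unrelated API call from a user page.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jul/2023:10:00:00 +0000] "GET /?u=test HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jul/2023:10:00:01 +0000] "GET /index.php?c=api&method=read_data&type=phpinfo&u=admin HTTP/1.1" 200 90210 "http://localhost/?u=test" "Mozilla/5.0"
10.0.0.9 - - [01/Jul/2023:10:05:00 +0000] "GET /index.php?c=api&method=read_data&type=phpinfo&u=admin HTTP/1.1" 200 90210 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Jul/2023:10:06:00 +0000] "GET /index.php?c=api&method=read_data&type=links&u=bob HTTP/1.1" 200 300 "http://localhost/?u=bob" "Mozilla/5.0"
"""

def is_phpinfo_read(path):
    """True when the request targets the read_data API with type=phpinfo."""
    parsed = urlparse(path)
    q = parse_qs(parsed.query)
    return (parsed.path.endswith("/index.php")
            and q.get("c") == ["api"]
            and q.get("method") == ["read_data"]
            and q.get("type") == ["phpinfo"])

def referer_is_user_page(referer):
    """True when the Referer is a per-user navigation page such as /?u=test."""
    parsed = urlparse(referer)
    q = parse_qs(parsed.query)
    return parsed.path in ("/", "/index.php") and "u" in q and "c" not in q

def find_xss_chain(log_text):
    """Return (client ip, referer) for every phpinfo API read issued from a user page."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_phpinfo_read(m["path"]) and referer_is_user_page(m["referer"]):
            hits.append((m["ip"], m["referer"]))
    return hits

if __name__ == "__main__":
    for ip, referer in find_xss_chain(SAMPLE_LOG):
        print(f"phpinfo read triggered from user page {referer} by {ip}")
```

A hit means a session (here the admin's) executed header code stored by the user named in the Referer, which is exactly the trigger this report describes.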