Summary
There is a stored XSS vulnerability in ThinkSAAS 3.7.0. It lies in the "Backend - Plugin Management - Statistics Code" plugin: modifying the statistics code does not require CSRF validation, so an attacker can craft a form that, when submitted by a logged-in administrator, stores attacker-controlled statistics code. plugins/pubs/counter/edit.php does not strictly filter the submitted code, so every time an administrator opens index.php?app=pubs&ac=plugin&plugin=counter&in=edit&ts=set, the template edit_set.html, which outputs the variable {$code} unescaped, triggers the stored XSS. If the statistics code plugin is enabled, every visitor to the site triggers the stored XSS on every page, because according to the logic in plugins/pubs/counter/counter.php {$code} is inserted into all pages.
Details
<?php
defined('IN_TS') or die('Access Denied.');
// Plugin edit
switch($ts){
    case "set":
        // Read the stored statistics code (file first, MySQL cache as fallback)
        $strAbout = fileRead('plugins/pubs/counter/about.php');
        $code = fileRead('data/plugins_pubs_counter.php');
        if($code==''){
            $code = $tsMySqlCache->get('plugins_pubs_counter');
        }
        $code = stripslashes($code);
        // edit_set.html outputs {$code} inside a <textarea> without escaping
        include template('edit_set','counter');
        break;
    case "do":
        // No CSRF token is checked and the code is only trimmed, not filtered
        $code = tsTrim($_POST['code']);
        fileWrite('plugins_pubs_counter.php','data',$code);
        $tsMySqlCache->set('plugins_pubs_counter',$code);
        header('Location: '.SITE_URL.'index.php?app=pubs&ac=plugin&plugin=counter&in=edit&ts=set');
        break;
}
As above, the code-modification handler in plugins/pubs/counter/edit.php does not filter the </textarea> tag out of the submitted code. When edit_set.html later renders {$code} inside a <textarea>, a </textarea> contained in the stored code closes the textarea early, so the rest of $code, which should have been inert text inside the textarea, is parsed as HTML outside it.
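The following is an added example, not ThinkSAAS code, showing the two fixes a maintainer would apply to the "set" and "do" branches above: escape {$code} before placing it inside the <textarea>, and refuse the "do" write unless the request carries a per-session CSRF token. The helper names (escape_for_textarea, render_edit_form, issue_csrf_token, handle_do) and the csrf_token field are assumptions for this example; ThinkSAAS's own template engine, fileWrite and cache calls are replaced by a callback. The escaping only protects the admin edit page: the counter plugin deliberately emits the stored code raw on every page (that is its purpose), so what actually keeps that code under the administrator's control is the CSRF check on the write.

```php
<?php
// Added example, not from ThinkSAAS. Hardened version of the edit.php
// "set"/"do" logic. All function names here are assumptions.

// Escape a value for use as text inside <textarea>...</textarea>.
// htmlspecialchars turns "</textarea>" into "&lt;/textarea&gt;", so the
// browser's HTML parser can no longer close the element early.
function escape_for_textarea(string $code): string {
    return htmlspecialchars($code, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Render the edit form. With $escape = false this reproduces the original
// edit_set.html behaviour ({$code} emitted raw); with $escape = true the
// stored code stays inside the textarea whatever it contains.
function render_edit_form(string $code, string $csrfToken, bool $escape = true): string {
    $body  = $escape ? escape_for_textarea($code) : $code;
    $token = htmlspecialchars($csrfToken, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<form method="post" action="index.php?app=pubs&amp;ac=plugin&amp;plugin=counter&amp;in=edit&amp;ts=do">'
         . '<input type="hidden" name="csrf_token" value="' . $token . '">'
         . '<textarea name="code">' . $body . '</textarea>'
         . '<button type="submit">Save</button>'
         . '</form>';
}

// Issue (or reuse) a random per-session CSRF token. $session stands in for
// $_SESSION so the example runs from the command line.
function issue_csrf_token(array &$session): string {
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Hardened "do" branch: the write only happens when the posted token matches
// the session token (constant-time compare). $store replaces the original
// fileWrite() + $tsMySqlCache->set() pair. Returns true when the code was saved.
function handle_do(array $post, array $session, callable $store): bool {
    $sent     = (string)($post['csrf_token'] ?? '');
    $expected = (string)($session['csrf_token'] ?? '');
    if ($expected === '' || !hash_equals($expected, $sent)) {
        // A form hosted on another origin cannot read the victim's token,
        // so a cross-site submission ends here.
        return false;
    }
    $store(trim((string)($post['code'] ?? '')));
    return true;
}

// --- demonstration with a constructed payload (not a real site's data) ---
$payload = '</textarea><script>alert(document.domain)</script>';
$session = [];
$token   = issue_csrf_token($session);

echo "Unescaped (original edit_set.html behaviour):\n";
echo render_edit_form($payload, $token, false), "\n\n";

echo "Escaped (hardened):\n";
echo render_edit_form($payload, $token), "\n\n";

$saved = null;
$store = function (string $code) use (&$saved) { $saved = $code; };

// Forged cross-site request: no token, so nothing is written.
var_dump(handle_do(['code' => $payload], $session, $store));
var_dump($saved);

// Legitimate request from the admin's own form: token matches, code is stored.
var_dump(handle_do(['code' => $payload, 'csrf_token' => $token], $session, $store));
var_dump($saved === $payload);
```

Running the script prints both renderings side by side: in the unescaped form the browser would see the payload's </textarea> as a closing tag and the <script> element as page content, while in the escaped form the same bytes remain plain text inside the textarea. The two handle_do calls show that the write is rejected without the session token and accepted with it.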
Proof of Concept (POC)