| Titolo | YzmCMS YzmCMS Content Management System V7.5 CWE-79 |
|---|
| Descrizione | YzmCMS Content Management System version V7.5 (Build 20260321) and prior versions contain a Host Header Injection vulnerability that leads to Cross-Site Scripting (XSS).
The vulnerability exists in /yzmphp/yzmphp.php at line 38, where the application directly uses the HTTP Host header value to define the HTTP_HOST constant without any validation
or sanitization:
define('HTTP_HOST', (isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : ''));
This constant is used throughout the application to generate all URL links on every page. The get_url() function in global.func.php uses it to construct URLs:
return SERVER_PORT . HTTP_HOST . $relate_url;
The SITE_URL constant is also derived from HTTP_HOST and used in all template files for navigation links, login URLs, form actions, and resource references.
Since the HTTP Host header is client-controlled, an attacker can inject arbitrary HTML and JavaScript by sending a crafted Host header. For example:
Host: "><img src=x onerror=alert(document.cookie)>
This injects malicious code into the page:
<a href="http://"><img src=x onerror=alert(document.cookie)>/login.html">Login</a>
When a victim visits the page, the injected JavaScript executes in their browser. This enables:
1. Session Hijacking: Stealing session cookies via injected script
2. Web Cache Poisoning: Poisoning CDN/proxy cache to affect all users
3. Phishing: Redirecting all links to attacker-controlled server
4. Page Defacement: Modifying page content with injected JavaScript
The vulnerability requires no authentication and has low attack complexity. Tools like curl, Python requests, or Burp Suite can be used to exploit it.
Root Cause: The application trusts the client-supplied Host header without verifying it matches an expected domain.
Remediation: Validate the Host header against a whitelist:
$allowed_hosts = ['www.example.com', 'example.com'];
$http_host = explode(':', $_SERVER['HTTP_HOST'])[0];
define('HTTP_HOST', in_array($http_host, $allowed_hosts) ? $_SERVER['HTTP_HOST'] : $allowed_hosts[0]); |
|---|
| Fonte | ⚠️ https://gist.github.com/188452/72d03d030ee3cbfee2642badfa9dce33 |
|---|
| Utente | weng (UID 98833) |
|---|
| Sottomissione | 08/06/2026 20:29 (1 mese fa) |
|---|
| Moderazione | 09/07/2026 08:40 (1 month later) |
|---|
| Stato | Accettato |
|---|
| Voce VulDB | 377124 [YzmCMS fino a 7.5 Header /yzmphp/yzmphp.php get_url HTTP_HOST cross site scripting] |
|---|
| Punti | 20 |
|---|