제출 #851931: YzmCMS YzmCMS Content Management System V7.5 CWE-79정보

제목YzmCMS YzmCMS Content Management System V7.5 CWE-79
설명 YzmCMS Content Management System version V7.5 (Build 20260321) and prior versions contain a Host Header Injection vulnerability that leads to Cross-Site Scripting (XSS). The vulnerability exists in /yzmphp/yzmphp.php at line 38, where the application directly uses the HTTP Host header value to define the HTTP_HOST constant without any validation or sanitization: define('HTTP_HOST', (isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : '')); This constant is used throughout the application to generate all URL links on every page. The get_url() function in global.func.php uses it to construct URLs: return SERVER_PORT . HTTP_HOST . $relate_url; The SITE_URL constant is also derived from HTTP_HOST and used in all template files for navigation links, login URLs, form actions, and resource references. Since the HTTP Host header is client-controlled, an attacker can inject arbitrary HTML and JavaScript by sending a crafted Host header. For example: Host: "><img src=x onerror=alert(document.cookie)> This injects malicious code into the page: <a href="http://"><img src=x onerror=alert(document.cookie)>/login.html">Login</a> When a victim visits the page, the injected JavaScript executes in their browser. This enables: 1. Session Hijacking: Stealing session cookies via injected script 2. Web Cache Poisoning: Poisoning CDN/proxy cache to affect all users 3. Phishing: Redirecting all links to attacker-controlled server 4. Page Defacement: Modifying page content with injected JavaScript The vulnerability requires no authentication and has low attack complexity. Tools like curl, Python requests, or Burp Suite can be used to exploit it. Root Cause: The application trusts the client-supplied Host header without verifying it matches an expected domain. Remediation: Validate the Host header against a whitelist: $allowed_hosts = ['www.example.com', 'example.com']; $http_host = explode(':', $_SERVER['HTTP_HOST'])[0]; define('HTTP_HOST', in_array($http_host, $allowed_hosts) ? $_SERVER['HTTP_HOST'] : $allowed_hosts[0]);
원천⚠️ https://gist.github.com/188452/72d03d030ee3cbfee2642badfa9dce33
사용자
 weng (UID 98833)
제출2026. 06. 08. PM 08:29 (1 월 ago)
모더레이션2026. 07. 09. AM 08:40 (1 month later)
상태수락
VulDB 항목377124 [YzmCMS 까지 7.5 Header /yzmphp/yzmphp.php get_url HTTP_HOST 크로스 사이트 스크립팅]
포인트들20

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!