Submission #434188: MonoCMS 23-20240528 Improper Neutralization of Alternate XSS Syntax

Title: MonoCMS 23-20240528 Improper Neutralization of Alternate XSS Syntax
Description:
[XSS vulnerability] found in MonoCMS 23-20240528 - (/monofiles/account.php)

Affected Project: MonoCMS
Web: PHP
Vendor: MonoCMS
Official Website: https://monocms.com/
Version: 23-20240528
Updated: 28 May, 2024
Related Code file: /monofiles/account.php
Injection parameter: userid
Sha1: 9532cda20cf7fa456d6f00ce0fe194767913ba83

Vulnerability Description:
The userid parameter from the URL is inserted directly into the value attribute of an HTML input element without any output encoding. An attacker can therefore terminate the attribute and inject arbitrary HTML or JavaScript into the page, resulting in a reflected XSS.

Vulnerable code:
    <input name="hiddenid" type="text" value="<?php if (isset($_GET['userid'])) print $_GET['userid'] ?>" hidden>

Injection Payload Tested:
We set userid to:
    "><script>alert('XSS')</script>
URL-encoded, this becomes:
    %22%3E%3Cscript%3Ealert('XSS')%3C/script%3E

Resulting HTML After Injection:
    <input name="hiddenid" type="text" value=""><script>alert('XSS')</script>" hidden>

The injected "> closes the value attribute and the input tag, so the following <script> tag is parsed as a new element in the DOM. The trailing " hidden> is left over as harmless text.

Execution:
When the browser parses this HTML, it executes the <script>alert('XSS')</script> code, resulting in a popup displaying "XSS".

Demonstration:
Below is how /monofiles/account.php looks before injection:
https://i.postimg.cc/dV25sxCv/1.png

Then we add our payload "><script>alert('XSS by secuserx')</script> to the userid parameter:
http://localhost:8080/monofiles/account.php?userid="><script>alert('XSS by secuserx')</script>
https://i.postimg.cc/CKwmzsC8/2.png

After submitting the URL with the vulnerable parameter userid and the XSS payload "><script>alert('XSS by secuserx')</script>, the XSS is triggered and the popup shows "XSS by secuserx":
https://i.postimg.cc/pdkk85k6/3.png

Recommendation for Preventing XSS:
To fix this vulnerability, user-controlled values must be output-encoded for the context they are rendered in before being placed in the HTML. In PHP, htmlspecialchars() with the ENT_QUOTES flag encodes &, <, >, " and ', so a reflected value can neither terminate a double- or single-quoted attribute nor open a new tag. Passing ENT_QUOTES explicitly matters because on PHP versions before 8.1 the default flags only encode double quotes, which would leave a single-quoted attribute exploitable.

Example:
    <input name="hiddenid" type="text" value="<?php if (isset($_GET['userid'])) print htmlspecialchars($_GET['userid'], ENT_QUOTES, 'UTF-8') ?>" hidden>
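As an added worked check, not part of the original advisory or of MonoCMS, the following Python models the reflection point above with two templates: the vulnerable one (raw interpolation) and the fixed one, where html.escape(quote=True) stands in for PHP's htmlspecialchars($s, ENT_QUOTES, 'UTF-8') since both encode the same five characters (&, <, >, ", '). A small check built on the standard-library HTML parser reports whether a payload escaped the attribute. It is run against the advisory's script-tag payload and against a constructed event-handler payload that contains no < at all, which shows why encoding the quote characters, not only < and >, is what actually closes the hole. Python standing in for PHP and the two payloads are assumptions of this example.

```python
import html
from html.parser import HTMLParser


# The reflection point in account.php, modelled as Python templates.
# Assumption of this example: Python stands in for the PHP of the real page.

def render_vulnerable(userid):
    """Mirrors value="<?php print $_GET['userid'] ?>" (no encoding at all)."""
    return f'<input name="hiddenid" type="text" value="{userid}" hidden>'


def render_fixed(userid):
    """Mirrors value="<?php print htmlspecialchars($_GET['userid'], ENT_QUOTES, 'UTF-8') ?>".
    html.escape(quote=True) encodes & < > " and ', the same set as ENT_QUOTES."""
    return f'<input name="hiddenid" type="text" value="{html.escape(userid, quote=True)}" hidden>'


class _Inspector(HTMLParser):
    """Records every start tag seen and the attributes of the hiddenid input."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.hiddenid_attrs = {}

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        attrs = dict(attrs)  # the parser already decodes entities in attribute values
        if tag == "input" and attrs.get("name") == "hiddenid":
            self.hiddenid_attrs = attrs


def inspect(markup):
    parser = _Inspector()
    parser.feed(markup)
    parser.close()
    return parser


# The only attributes the template itself declares on the input element.
TEMPLATE_ATTRS = {"name", "type", "value", "hidden"}


def breaks_out(markup):
    """True when the reflected value escaped the attribute: either a tag other
    than the single <input> was parsed, or the input gained an attribute the
    template never defined (for instance an onfocus= handler)."""
    parsed = inspect(markup)
    extra_tags = [t for t in parsed.tags if t != "input"]
    extra_attrs = set(parsed.hiddenid_attrs) - TEMPLATE_ATTRS
    return bool(extra_tags) or len(parsed.tags) != 1 or bool(extra_attrs)


def reflected_value(markup):
    """The value the browser would assign to the hiddenid input (entities decoded)."""
    return inspect(markup).hiddenid_attrs.get("value")


# Constructed payloads for this example. The first is the advisory's; the
# second needs no '<' and is the kind of breakout that quote encoding stops.
PAYLOAD_SCRIPT = "\"><script>alert('XSS')</script>"
PAYLOAD_HANDLER = '" onfocus="alert(1)" autofocus="'

if __name__ == "__main__":
    for label, payload in (("script tag", PAYLOAD_SCRIPT), ("event handler", PAYLOAD_HANDLER)):
        print(f"{label}: vulnerable template breaks out = {breaks_out(render_vulnerable(payload))}, "
              f"fixed template breaks out = {breaks_out(render_fixed(payload))}")
    print("fixed template keeps the payload as inert attribute text:",
          reflected_value(render_fixed(PAYLOAD_SCRIPT)) == PAYLOAD_SCRIPT)
```

The check deliberately looks at the parsed result rather than searching the markup for the literal string <script>, because an attribute breakout does not need a new tag: the event-handler payload turns the hidden input into a script-bearing element while only adding attributes. With the fixed template both payloads survive intact as the decoded value of the attribute, which is exactly what the browser should see.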
Source: https://github.com/secuserx/CVE/blob/main/%5BXSS%20vulnerability%5D%20found%20in%20MonoCMS%2023-20240528%20-%20(account.php).md
User: secuserx (UID 76735)
Submitted: 30/10/2024 01h22 (2 years ago)
Moderated: 06/11/2024 17h37 (8 days later)
Status: Accepted
VulDB entry: 283326 [MonoCMS up to 20240528 Account Information Page /monofiles/account.php userid Cross Site Scripting]
Points: 20
