Submeter #851931: YzmCMS YzmCMS Content Management System V7.5 CWE-79informação

TítuloYzmCMS YzmCMS Content Management System V7.5 CWE-79
Descrição YzmCMS Content Management System version V7.5 (Build 20260321) and prior versions contain a Host Header Injection vulnerability that leads to Cross-Site Scripting (XSS). The vulnerability exists in /yzmphp/yzmphp.php at line 38, where the application directly uses the HTTP Host header value to define the HTTP_HOST constant without any validation or sanitization: define('HTTP_HOST', (isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : '')); This constant is used throughout the application to generate all URL links on every page. The get_url() function in global.func.php uses it to construct URLs: return SERVER_PORT . HTTP_HOST . $relate_url; The SITE_URL constant is also derived from HTTP_HOST and used in all template files for navigation links, login URLs, form actions, and resource references. Since the HTTP Host header is client-controlled, an attacker can inject arbitrary HTML and JavaScript by sending a crafted Host header. For example: Host: "><img src=x onerror=alert(document.cookie)> This injects malicious code into the page: <a href="http://"><img src=x onerror=alert(document.cookie)>/login.html">Login</a> When a victim visits the page, the injected JavaScript executes in their browser. This enables: 1. Session Hijacking: Stealing session cookies via injected script 2. Web Cache Poisoning: Poisoning CDN/proxy cache to affect all users 3. Phishing: Redirecting all links to attacker-controlled server 4. Page Defacement: Modifying page content with injected JavaScript The vulnerability requires no authentication and has low attack complexity. Tools like curl, Python requests, or Burp Suite can be used to exploit it. Root Cause: The application trusts the client-supplied Host header without verifying it matches an expected domain. Remediation: Validate the Host header against a whitelist: $allowed_hosts = ['www.example.com', 'example.com']; $http_host = explode(':', $_SERVER['HTTP_HOST'])[0]; define('HTTP_HOST', in_array($http_host, $allowed_hosts) ? $_SERVER['HTTP_HOST'] : $allowed_hosts[0]);
Fonte⚠️ https://gist.github.com/188452/72d03d030ee3cbfee2642badfa9dce33
Utilizador
 weng (UID 98833)
Submissão08/06/2026 20h29 (há 1 mês)
Moderação09/07/2026 08h40 (1 month later)
EstadoAceite
Entrada VulDB377124 [YzmCMS até 7.5 Header /yzmphp/yzmphp.php get_url HTTP_HOST Script de Site Cruzado]
Pontos20

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!