Submit #434189: MonoCMS 23-20240528 Improper Neutralization of Alternate XSS Syntax

Title: MonoCMS 23-20240528 Improper Neutralization of Alternate XSS Syntax
Description: [XSS vulnerability] found in MonoCMS 23-20240528 - (/monofiles/opensaved.php)

Affected Project: MonoCMS
Web: PHP
Vendor: MonoCMS
Official Website: https://monocms.com/
Version: 23-20240528
Updated: 28 May, 2024
Related Code file: /monofiles/opensaved.php
Injection parameter: filtcategory
Sha1: 9532cda20cf7fa456d6f00ce0fe194767913ba83

Vulnerability Description:
The filtcategory parameter from the URL query string is inserted directly into the text content of an <option> element (the category filter on the posts page) without any output encoding. An attacker who controls the parameter can close the <option> element and inject arbitrary HTML or JavaScript into the response, which is a reflected cross-site scripting (XSS) vulnerability.

Vulnerable code:

    if (isset($_GET['filtcategory'])) echo '<option value="#">'. $_GET['filtcategory'].'</option>'.PHP_EOL.'<option value="opensaved.php'.$clink.'">All</option>';

Injection Payload Tested:
We set filtcategory to:

    </option><script>alert('XSS');</script><option>

URL-encoded, this becomes:

    %3C%2Foption%3E%3Cscript%3Ealert('XSS');%3C%2Fscript%3E%3Coption%3E

Resulting HTML After Injection:

    <option value="#"></option><script>alert('XSS');</script><option></option>

The code checks whether the filtcategory parameter is present in the query string. If it is, it echoes an <option> element with the value "#" whose text content is taken verbatim from $_GET['filtcategory'], with no encoding. Because the value is embedded into the HTML response as-is, a payload that contains a closing </option> tag is parsed as markup rather than as text. The leading </option> in the payload terminates the option, the injected <script> element is parsed and executed (the HTML parser accepts a <script> start tag even while it is inside a <select>), and the trailing <option> absorbs the original closing </option> so the markup stays well-formed.

Execution: When the browser parses this HTML, the injected script runs and a popup displaying "XSS" appears.
Demonstration:
This is how /monofiles/opensaved.php looks before the payload is added: https://i.postimg.cc/XNBmMxsN/1.png

Then we add the payload </option><script>alert('XSS');</script><option> to the filtcategory parameter:

    http://localhost:8080/monofiles/opensaved.php?filtcategory=</option><script>alert('XSS');</script><option>

https://i.postimg.cc/7Yvcq7R3/2.png

After submitting the URL with the vulnerable parameter filtcategory and the XSS payload </option><script>alert('XSS');</script><option>, the XSS is triggered: https://i.postimg.cc/KvnWjjXd/3.png

Recommendation for Preventing XSS:
To fix this vulnerability, user-controlled data must be encoded for the HTML context it is rendered into before it is echoed. In PHP, htmlspecialchars() with ENT_QUOTES encodes <, >, &, and both quote characters, which is sufficient for element text content and quoted attribute values (it is not sufficient for JavaScript or URL contexts). Example:

    if (isset($_GET['filtcategory'])) echo '<option value="#">' . htmlspecialchars($_GET['filtcategory'], ENT_QUOTES, 'UTF-8') . '</option>' . PHP_EOL . '<option value="opensaved.php' . $clink . '">All</option>';

Note that the same line also interpolates $clink into the value attribute of the second <option>; if $clink is built from request data anywhere in the application, it needs the same encoding. Since filtcategory is a category label, validating it against the set of known category names before rendering is a stronger defence than encoding alone.
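The following script is an added example, not code from MonoCMS or from the advisory; it reproduces the shape of the vulnerable echo in opensaved.php beside the htmlspecialchars() fix and renders both with the advisory's payload so the two outputs can be compared offline. The function names, the containsRawTag() check, and the value of $clink are constructed for the demonstration; the real $clink in MonoCMS is not shown here.

```php
<?php
// Added example, not code from MonoCMS or from the advisory author.
// It mirrors the vulnerable echo in /monofiles/opensaved.php and renders
// the same fragment with the htmlspecialchars() fix applied. $clink is a
// constructed placeholder; MonoCMS's real value is not reproduced here.
declare(strict_types=1);

// Mirrors the vulnerable line: raw request data lands in element text content.
function renderFilterOptionsVulnerable(string $filtcategory, string $clink): string
{
    return '<option value="#">' . $filtcategory . '</option>' . PHP_EOL
         . '<option value="opensaved.php' . $clink . '">All</option>';
}

// Encoder for the HTML text/attribute context. ENT_QUOTES also encodes
// single quotes, so the same helper is safe inside quoted attribute values.
// It is NOT sufficient for JavaScript or URL contexts.
function htmlEncode(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Hardened variant: both interpolated values are encoded before output.
function renderFilterOptionsFixed(string $filtcategory, string $clink): string
{
    return '<option value="#">' . htmlEncode($filtcategory) . '</option>' . PHP_EOL
         . '<option value="opensaved.php' . htmlEncode($clink) . '">All</option>';
}

// Crude detector used only for this demonstration: does the rendered
// fragment contain a raw start tag of the given name?
function containsRawTag(string $html, string $tag): bool
{
    return stripos($html, '<' . $tag) !== false;
}

// Payload from the advisory, as the server sees it after URL decoding.
$payload = "</option><script>alert('XSS');</script><option>";
$clink   = '?page=1';   // constructed placeholder, not MonoCMS's real $clink

$vulnerable = renderFilterOptionsVulnerable($payload, $clink);
$fixed      = renderFilterOptionsFixed($payload, $clink);

echo 'Vulnerable output:' . PHP_EOL . $vulnerable . PHP_EOL . PHP_EOL;
echo 'Fixed output:' . PHP_EOL . $fixed . PHP_EOL . PHP_EOL;

// Expected: the vulnerable fragment carries a live <script> element; the
// fixed fragment carries only the inert text
// &lt;/option&gt;&lt;script&gt;alert(&#039;XSS&#039;);&lt;/script&gt;&lt;option&gt;
if (!containsRawTag($vulnerable, 'script') || containsRawTag($fixed, 'script')) {
    fwrite(STDERR, 'unexpected result' . PHP_EOL);
    exit(1);
}
echo 'OK: <script> survives only in the unencoded rendering' . PHP_EOL;
```

Run it with `php example.php`. The encoded output shows why the fix works: every < and > from the payload becomes &lt; and &gt;, so the browser's tokenizer never sees a tag boundary and the payload is displayed as the option's label. The check here is string-based and only a sanity test for this script; in a real deployment, verify the fix by requesting the page with the encoded URL from the advisory and inspecting the response with the browser's developer tools.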
Source: https://github.com/secuserx/CVE/blob/main/%5BXSS%20vulnerability%5D%20found%20in%20MonoCMS%2023-20240528%20-%20(opensaved.php).md
User: secuserx (UID 76735)
Submission: 10/30/2024 01:33
Moderation: 11/06/2024 17:37 (8 days later)
Status: Accepted
VulDB entry: 283327 [MonoCMS up to 20240528 Posts Page /monofiles/opensaved.php filtcategory/filtstatus cross site scripting]
Points: 20
