Cmseasy latest version (20140718) stored XSS blind playing background

Cmseasy latest version (20140718) stored XSS blind playing background

Stored XSS supports blind access to the backend ~

/Lib/table/stats. php 13 rows getbot function:

 

public static function getbot() {        $ServerName = $_SERVER["SERVER_NAME"];        $ServerPort = $_SERVER["SERVER_PORT"];        $ScriptName = $_SERVER["SCRIPT_NAME"];        $QueryString = $_SERVER["QUERY_STRING"];        $serverip = $_SERVER["REMOTE_ADDR"];        $GetLocationURL=self::geturl();        $agent1 = $_SERVER["HTTP_USER_AGENT"];        $agent=strtolower($agent1);        $Bot="";        if(strpos($agent,"googlebot")>-1) {            $Bot = "Google";        }        if(strpos($agent,"mediapartners-google")>-1) {            $Bot = "Google Adsense";        }        if(strpos($agent,"baiduspider")>-1) {            $Bot = "Baidu";        }        if(strpos($agent,"sogou")>-1) {            $Bot = "Sogou";        }        if(strpos($agent,"yahoo")>-1) {            $Bot = "Yahoo!";        }        if(strpos($agent,"msn")>-1) {            $Bot = "MSN";        }        if(strpos($agent,"soso")>-1) {            $Bot = "Soso";        }        if(strpos($agent,"iaarchiver")>-1) {            $Bot = "Alexa";        }        if(strpos($agent,"sohu")>-1) {            $Bot = "Sohu";        }        if(strpos($agent,"sqworm")>-1) {            $Bot = "AOL";        }        if(strpos($agent,"yodaobot")>-1) {            $Bot = "Yodao";        }        if(strpos($agent,"iaskspider")>-1) {            $Bot = "Iask";        }        if(strlen($Bot)>0 &&!front::get('admin_dir')) {            $stats = self::getInstance();            $insert = $stats->rec_insert(array('bot'=>$Bot,'url'=>$GetLocationURL,'ip'=>$serverip,'time'=>date('Y-m-d H:i:s')));        }    }

Insert $ GetLocationURL directly into the database. Let's see where $ GetLocationURL comes from. The geturl () function:
 

public static function geturl() {        if(!empty($_SERVER["REQUEST_URI"])) {            $scrtName = $_SERVER["REQUEST_URI"];            $nowurl = $scrtName;        }else {            $scrtName = $_SERVER["PHP_SELF"];            if(empty($_SERVER["QUERY_STRING"])) {                $nowurl = $scrtName;            }else {                $nowurl = $scrtName."?".$_SERVER["QUERY_STRING"];            }        }        return (isset($_SERVER["HTTPS"])&&$_SERVER["HTTPS"] == "on")?'https://':'http://'.$_SERVER['HTTP_HOST'].$nowurl;    }

PHP_SELF and QUERY_STRING obtained directly without filtering.

The previous 360webscan only filters variables such as $ _ GET and $ _ POST, but does not filter $ _ SERVER, which can cause the XSS to blindly hit the background.

Send data packets to index. php:

 

Be sure to set the User-Agent to Baidu spider or another robot.

Then, when the background administrator browses "marketing"-> "Spider Statistics", the following actions will be taken:
 

Supports blind playing in the background!

Solution:

Filter