Cmseasy latest version (20140718) stored XSS blind playing background
Stored XSS supports blind access to the backend ~
/Lib/table/stats. php 13 rows getbot function:
public static function getbot() { $ServerName = $_SERVER["SERVER_NAME"]; $ServerPort = $_SERVER["SERVER_PORT"]; $ScriptName = $_SERVER["SCRIPT_NAME"]; $QueryString = $_SERVER["QUERY_STRING"]; $serverip = $_SERVER["REMOTE_ADDR"]; $GetLocationURL=self::geturl(); $agent1 = $_SERVER["HTTP_USER_AGENT"]; $agent=strtolower($agent1); $Bot=""; if(strpos($agent,"googlebot")>-1) { $Bot = "Google"; } if(strpos($agent,"mediapartners-google")>-1) { $Bot = "Google Adsense"; } if(strpos($agent,"baiduspider")>-1) { $Bot = "Baidu"; } if(strpos($agent,"sogou")>-1) { $Bot = "Sogou"; } if(strpos($agent,"yahoo")>-1) { $Bot = "Yahoo!"; } if(strpos($agent,"msn")>-1) { $Bot = "MSN"; } if(strpos($agent,"soso")>-1) { $Bot = "Soso"; } if(strpos($agent,"iaarchiver")>-1) { $Bot = "Alexa"; } if(strpos($agent,"sohu")>-1) { $Bot = "Sohu"; } if(strpos($agent,"sqworm")>-1) { $Bot = "AOL"; } if(strpos($agent,"yodaobot")>-1) { $Bot = "Yodao"; } if(strpos($agent,"iaskspider")>-1) { $Bot = "Iask"; } if(strlen($Bot)>0 &&!front::get('admin_dir')) { $stats = self::getInstance(); $insert = $stats->rec_insert(array('bot'=>$Bot,'url'=>$GetLocationURL,'ip'=>$serverip,'time'=>date('Y-m-d H:i:s'))); } }
Insert $ GetLocationURL directly into the database. Let's see where $ GetLocationURL comes from. The geturl () function:
public static function geturl() { if(!empty($_SERVER["REQUEST_URI"])) { $scrtName = $_SERVER["REQUEST_URI"]; $nowurl = $scrtName; }else { $scrtName = $_SERVER["PHP_SELF"]; if(empty($_SERVER["QUERY_STRING"])) { $nowurl = $scrtName; }else { $nowurl = $scrtName."?".$_SERVER["QUERY_STRING"]; } } return (isset($_SERVER["HTTPS"])&&$_SERVER["HTTPS"] == "on")?'https://':'http://'.$_SERVER['HTTP_HOST'].$nowurl; }
PHP_SELF and QUERY_STRING obtained directly without filtering.
The previous 360webscan only filters variables such as $ _ GET and $ _ POST, but does not filter $ _ SERVER, which can cause the XSS to blindly hit the background.
Send data packets to index. php:
Be sure to set the User-Agent to Baidu spider or another robot.
Then, when the background administrator browses "marketing"-> "Spider Statistics", the following actions will be taken:
Supports blind playing in the background!
Solution:
Filter