OECMS stored XSS
Access to the backend file is not verified, and one of the parameters has its escaping stripped at the end of input handling. Having looked at many websites that run OECMS, this XSS is also convenient to use: the data is POSTed directly, the payload is triggered directly on the front end, and the backend does no CSRF processing, which increases the impact of the XSS.
The XSS has two causes:
(1) Access to files under admincp is not verified.
(2) One parameter is first filtered and then restored with stripslashes.
The problem is in the action_saveadd() function of admincp/friendlink.php.
The arguments are passed in from the _validAdd() function:
    public function action_saveadd() {
        $args = $this->_validAdd();
        $model = parent::model('friendlink', 'am');
        $result = $model->doAdd($args);
        unset($model);
        if (true == $result) {
            $this->log('friendlink_add', '', 1);
            XHandle::halt("added successfully", $this->cpfile . '?c=friendlink', 0);
        } else {
            $this->log('friendlink_add', '', 0);
            XHandle::halt('add failed', '', 1);
        }
    }
The _validAdd() function reads the input parameters 'name', 'orders', 'flag', 'remark' and 'catid' through getGpc(), which filters them, but 'url' is read through getArgs().
When $isfliter is false, getArgs() calls XFilter::stripArray() instead of the filter. That function restores all escaped characters, so the value reaches storage unfiltered, which is the XSS.
    public static function getArgs($value, $default = NULL, $isfliter = true) {
        if (!empty($value)) {
            if (isset($_GET[$value]))  $temp = trim($_GET[$value]);
            if (isset($_POST[$value])) $temp = trim($_POST[$value]);
            if ($isfliter == true) {
                $temp = XFilter::filterStr($temp);
            } else {
                $temp = XFilter::stripArray($temp);
            }
            if (empty($temp) && !empty($default)) {
                $temp = $default;
            }
            return trim($temp);
        } else {
            return '';
        }
    }

    public static function stripArray(&$_data) {
        if (is_array($_data)) {
            foreach ($_data as $_key => $_value) {
                $_data[$_key] = trim(self::stripArray($_value));
            }
            return $_data;
        } else {
            return stripslashes(trim($_data));
        }
    }
POST the data directly to the friendlink add action, and the XSS is stored and rendered on the front end.
Solution:
Restrict access to the backend files and filter the url parameter: add a call to $this->checkAuth() at the start of the function so the action requires a logged-in admin, and do not let getArgs() hand back an unfiltered value.
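As an added illustration of both causes and their fix (this is not OECMS code): a hardened getArgs() that still undoes the legacy escaping but always HTML-escapes afterwards, next to the vulnerable shape, plus a handler that gates on authentication before reading any argument. XFilter::filterStr is assumed to be an htmlspecialchars-style escaper, and $isLoggedIn stands in for the framework's checkAuth() result; the request array and sample value are constructed.

```php
<?php
// Added example, not OECMS code: stand-ins for the helpers the write-up names.
class XFilter
{
    // Assumption: filterStr is an HTML-escaping filter; the OECMS one is not shown here.
    public static function filterStr($s)
    {
        return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    }
    // Same logic as the stripArray() in the write-up: undo addslashes()-style escaping.
    public static function stripArray(&$_data)
    {
        if (is_array($_data)) {
            foreach ($_data as $_key => $_value) {
                $_data[$_key] = trim(self::stripArray($_value));
            }
            return $_data;
        }
        return stripslashes(trim($_data));
    }
}
// Vulnerable shape from the write-up: $isfliter = false skips filterStr and only unescapes.
function getArgsVulnerable(array $req, $name, $isfliter = true)
{
    $temp = isset($req[$name]) ? trim($req[$name]) : '';
    return $isfliter ? XFilter::filterStr($temp) : XFilter::stripArray($temp);
}
// Hardened: stripslashes still undoes legacy magic_quotes escaping, but the value is
// always HTML-escaped afterwards, so no flag can hand raw markup to storage.
function getArgsHardened(array $req, $name)
{
    $temp = isset($req[$name]) ? trim($req[$name]) : '';
    $temp = XFilter::stripArray($temp);
    return XFilter::filterStr($temp);
}
// Hardened handler shape: the auth check runs before any argument is read or stored.
// $isLoggedIn stands in for the result of the framework's $this->checkAuth().
function actionSaveaddHardened(array $req, $isLoggedIn)
{
    if (!$isLoggedIn) {
        return null; // unauthenticated request: nothing is read or stored
    }
    return array('url' => getArgsHardened($req, 'url'));
}
// Constructed sample: a url value carrying markup, escaped the way magic_quotes_gpc would.
$req = array('url' => addslashes('http://example.com/"><b>x</b>'));
echo getArgsVulnerable($req, 'url', false), "\n"; // markup restored verbatim
echo getArgsHardened($req, 'url'), "\n";          // markup HTML-escaped
var_dump(actionSaveaddHardened($req, false));     // rejected before any storage
```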