
**Bug Report: Multiple Vulnerabilities in `/wcms/wex/cssjs.php`**

Open samhsu-dev opened this issue 1 year ago • 0 comments

Version Information


Issue Description

Two vulnerabilities were identified in /wcms/wex/cssjs.php:

  1. Improper Handling of the path Parameter:

    • Sink: Line #62
    • The value of $_GET['path'] is directly passed to json_encode() and echoed without sanitization.
    • This allows attackers to inject malicious content via the path parameter.
  2. Improper Handling of the type Parameter:

    • Sink: Line #64
    • The value of $_GET['type'] is directly echoed into the HTML output without sanitization.
    • This can lead to a reflected XSS attack if an attacker injects malicious JavaScript into the type parameter.

Steps to Reproduce

  1. Reproducing the path Vulnerability (Line #62):

    • Send a GET request to the vulnerable endpoint with the following payload:
      path="/valid/path";}\u003cscript\u003ealert(1)\u003c/script\u003e
      
    • Example using curl:
      curl "http://localhost/wcms/wex/cssjs.php?path=/valid/path;}\u003cscript\u003ealert(1)\u003c/script\u003e"
      
    • Expected Result: Malicious script will be executed in the user's browser.
  2. Reproducing the type Vulnerability (Line #64):

    • Send a GET request to the vulnerable endpoint with the following payload:
      type=\"\u003cscript\u003ealert(2)\u003c/script\u003e
      
    • Example using curl:
      curl "http://localhost/wcms/wex/cssjs.php?type=\"\u003cscript\u003ealert(2)\u003c/script\u003e"
      
    • Expected Result: Malicious script will be executed in the user's browser.

Expected Behavior

  1. The path parameter should be validated and sanitized before being processed or output.
  2. The type parameter should be encoded before being included in the HTML response.

Actual Behavior

  • Unsanitized input from the path and type parameters is processed and directly reflected in the response.
  • This can lead to the execution of arbitrary JavaScript in the user's browser.

Proposed Fix

  1. Sanitize the path Parameter (Line #62):

    • Validate and sanitize the input to ensure it contains only allowed characters:
      // FILTER_SANITIZE_STRING is deprecated since PHP 8.1; allowlist the characters instead
      if (!preg_match('#^[A-Za-z0-9_./-]+$#', $_GET['path'] ?? '')) { exit('Invalid path'); }
      $path = htmlspecialchars($_GET['path'], ENT_QUOTES, 'UTF-8');
      
  2. Sanitize the type Parameter (Line #64):

    • Use htmlspecialchars() to encode the output:
      $type = htmlspecialchars($_GET['type'], ENT_QUOTES, 'UTF-8');
      
  3. General Security Improvements:

    • Implement a Content Security Policy (CSP) header to mitigate XSS attacks:
      Content-Security-Policy: script-src 'self';
      
    • Validate all user inputs before processing or including them in the response.
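The fix above consolidated into one hardened handler, as an added example that is not the project's own code: it assumes cssjs.php echoes `path` into an inline `<script>` through json_encode() and `type` into HTML markup, as the report describes, and the allowlists, the helper names and the nonce-based CSP are assumptions of this example. It goes slightly beyond the proposal by using context-specific encoders (JSON_HEX_* for the script context, htmlspecialchars() for the HTML context) and a CSP nonce, since a bare `script-src 'self'` would also block the page's own inline script.

```php
<?php
// Added example (not the project's code): hardened handling for the two parameters
// described in the report. Assumes cssjs.php echoes `path` into an inline <script>
// via json_encode() and `type` into HTML markup; the allowlists are assumptions.
declare(strict_types=1);
const ALLOWED_TYPES = ['css', 'js'];   // constructed allowlist for `type`

// `path`: accept only a relative path built from a narrow character set, no traversal.
function sanitizePath(string $raw): ?string
{
    if ($raw === '' || strlen($raw) > 255 || str_contains($raw, '..')) {
        return null;
    }
    return preg_match('#^[A-Za-z0-9_./-]+$#', $raw) === 1 ? $raw : null;
}

// `type`: exact-match allowlist, never reflect an arbitrary value.
function sanitizeType(string $raw): ?string
{
    return in_array($raw, ALLOWED_TYPES, true) ? $raw : null;
}

// Inline-script context: JSON_HEX_* escapes < > & ' " as \uXXXX, so the value can
// neither close the <script> element nor break out of the JS string literal.
function jsLiteral(string $value): string
{
    return json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS
        | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
}

// HTML text/attribute context.
function htmlText(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$path = sanitizePath((string) ($_GET['path'] ?? ''));
$type = sanitizeType((string) ($_GET['type'] ?? ''));
if ($path === null || $type === null) {
    http_response_code(400);
    exit('Invalid path or type parameter');
}
// CSP with a per-response nonce: a bare script-src 'self' would also block the
// page's own inline script; the nonce lets that one run while injected ones are blocked.
$nonce = base64_encode(random_bytes(16));
header("Content-Security-Policy: script-src 'self' 'nonce-{$nonce}'");
header('Content-Type: text/html; charset=UTF-8');
echo '<script nonce="', htmlText($nonce), '">var path = ', jsLiteral($path), ';</script>';
echo '<div class="', htmlText($type), '"></div>';
```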

Impact

  • These vulnerabilities have a critical impact as they allow attackers to execute arbitrary JavaScript in the user's browser.
  • This can lead to session hijacking, phishing, or theft of sensitive information.

Screenshots

  • Code Example Highlighting Vulnerability: (screenshot not included in the extracted text)

  • Attack Scenario Example: (screenshot not included in the extracted text)


samhsu-dev avatar Dec 11 '24 00:12 samhsu-dev