monstra-cms/monstra

Authenticated Stored Cross Site Scripting Vulnerability


Hi, I have found a stored XSS vulnerability.

Affected Version:
3.0.4 or before

Affected URL:
http://<your_site>/monstra/<page_name.php>

Payload

"><img src=x onerror=prompt(1)>

Steps to replicate:

  1. Go to http://127.0.0.1/monstra/admin/index.php?id=pages
  2. Create a new page
  3. Navigate to the title section
  4. Enter the payload shown in the section above
  5. Visit http://<your_site>/monstra/<page_name.php>
  6. You will trigger JavaScript execution

Impacts:

A user with editor-level privileges can achieve JavaScript code execution in the admin's session.

Testing Environment:

  1. Server: Apache 2.4.2
  2. PHP : 7.1.8

Mitigation:
Pass user input through the function below

// Normalises and HTML-encodes a string before it is placed into an HTML context.
function test_input($data) {
  $data = trim($data);              // drop leading/trailing whitespace
  $data = stripslashes($data);      // remove backslashes (legacy magic_quotes handling)
  $data = htmlspecialchars($data);  // encode <, >, &, and double quotes as HTML entities
  return $data;
}
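To show what the suggested mitigation does with the exact payload quoted in this issue, here is an added example. It is not Monstra's code and not the reporter's; the function encode_for_html and the variable names are hypothetical, and the page title values are constructed for the demonstration. It also goes slightly beyond the report by showing the hardened htmlspecialchars flags (ENT_QUOTES, ENT_SUBSTITUTE, explicit UTF-8), which encode single quotes as well, so the encoded value is safe inside either kind of quoted attribute.

```php
<?php
// Added example (not Monstra's code, not the reporter's): apply the
// mitigation from the issue to the reported payload and compare the
// default htmlspecialchars() flags with a hardened call.

// The sanitizer suggested in the issue, behaviour unchanged.
function test_input($data) {
    $data = trim($data);
    $data = stripslashes($data);
    $data = htmlspecialchars($data);
    return $data;
}

// Hypothetical hardened variant: ENT_QUOTES also encodes the single quote,
// ENT_SUBSTITUTE replaces invalid byte sequences instead of returning an
// empty string, and the charset is pinned so encoding is not locale-dependent.
function encode_for_html($data) {
    return htmlspecialchars(trim($data), ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed page title: the payload quoted in the issue.
$title = '"><img src=x onerror=prompt(1)>';

// Vulnerable rendering, as the issue describes: the stored title is
// inserted verbatim, so the leading "> closes the attribute and the tag.
$unsafe = '<input value="' . $title . '">';

// Mitigated rendering: the title is encoded before it reaches the HTML
// context, so the browser sees text, not markup.
$with_test_input = '<input value="' . test_input($title) . '">';
$with_hardened   = '<input value="' . encode_for_html($title) . '">';

echo "unsafe:      $unsafe\n";
echo "test_input:  $with_test_input\n";
echo "hardened:    $with_hardened\n";

// A constructed benign title with an apostrophe shows the one difference
// between the two: only the hardened call encodes the single quote,
// which matters when templates use single-quoted attributes.
$apostrophe = "Editor's notes";
echo "test_input:  <a title='" . test_input($apostrophe) . "'>\n";
echo "hardened:    <a title='" . encode_for_html($apostrophe) . "'>\n";
```

Running this with the PHP CLI prints the raw tag for the unsafe case and `&lt;img src=x onerror=prompt(1)&gt;` style entities for both encoded cases; the apostrophe lines show `'` left as-is by the default flags and `&#039;` under ENT_QUOTES. The encoding belongs at the point of output (the template that prints the title), not only at input time, so that every place the stored title is rendered is covered.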