FlatCore-CMS 2.0.9 has a cross-site scripting (XSS) vulnerability in pages.edit.php through meta tags and content sections.

Meta Tags Handling (XSS via $_POST['page_meta_robots'])

$page_meta_robots = implode(',', $_POST['page_meta_robots']);

Input Source:
This code takes input from $_POST['page_meta_robots'], which is data sent from a form or request. Since $_POST comes directly from the user, an attacker can manipulate it.

Vulnerability:
The implode() function concatenates the values of $_POST['page_meta_robots'] into a comma-separated string without any sanitization or escaping. If an attacker injects malicious script tags (for example, <script>alert('XSS')</script>) into this input field, the concatenated string may later be used directly in HTML or a meta tag, leading to script execution in the user's browser.

Example Attack

If an attacker submits $_POST['page_meta_robots'] with the following data:

$_POST['page_meta_robots'] = ["<script>alert('XSS')</script>"];

The result of implode() would be:

$page_meta_robots = "<script>alert('XSS')</script>";

If this string is rendered into the page's meta tag without sanitization, the browser may execute the JavaScript, resulting in an XSS attack.

$page_addon_string = '';
if (is_array($_POST['addon'])) {

Input Source:
The $_POST['addon'] variable is directly taken from user input.

Vulnerability:
No sanitization or escaping is applied to $_POST['addon'] here. Depending on how the $_POST['addon'] array is used later in the code (not shown in this snippet), it could lead to XSS if this data is included in page output without sanitization.

Why XSS Exists in This Code

  • Lack of Input Validation and Sanitization:
    The code takes user input from $_POST, but there is no validation or sanitization before processing. Attackers can manipulate form data to inject malicious scripts.

  • Potential Rendering of Unescaped Data:
    If $page_meta_robots or $page_addon_string are later used in an HTML context (e.g., meta tag, HTML content, or JavaScript) without escaping, it opens the possibility of XSS. When injected data runs in a victim’s browser, it can lead to session hijacking, credential theft, or other malicious actions.

References