CVE-2021-42245 Static Analysis
FlatCore-CMS 2.0.9 has a cross-site scripting (XSS) vulnerability in pages.edit.php through meta tags and content sections.
Meta Tags Handling (XSS via $_POST['page_meta_robots']):
$page_meta_robots = implode(',', $_POST['page_meta_robots']);
Input Source: $_POST['page_meta_robots'] is whatever the client sent in the edit request. The edit form normally submits this as an array of checkbox values, but nothing ties the request to the form: an attacker can post any array of strings with any HTTP client.
Vulnerability: implode() joins the array elements into a comma-separated string exactly as they were received. No validation is applied (the robots directives are a small fixed vocabulary, so anything outside it could simply be rejected) and no HTML escaping is applied, either here or at the point where the string is written into the page. If an element contains markup such as "<script>alert('XSS')</script>" and the concatenated string is later echoed into the meta tag or back into the edit form, the browser parses that markup as part of the document and executes the script.
Example Attack:
If an attacker submits $_POST['page_meta_robots'] with the following data:
$_POST['page_meta_robots'] = ["<script>alert('XSS')</script>"];
The result of implode() would be:
$page_meta_robots = "<script>alert('XSS')</script>";
If this string is echoed into the page's meta tag or into the form field without HTML escaping, the browser interprets the injected markup as part of the document. The exact payload depends on the output context: inside a double-quoted attribute such as content="..." the attacker first has to close the attribute with "> before a <script> tag is parsed, whereas in a text node the tag is parsed directly. Either way the script runs in the browser of whoever views the rendered output.
Addon Handling ($_POST['addon']):
$page_addon_string = '';
if (is_array($_POST['addon'])) {
Input Source: $_POST['addon'] is likewise read straight from the request. The only check is is_array(), which constrains the shape of the data, not its content.
Vulnerability: no validation or escaping is applied to the elements of $_POST['addon'] at this point. The snippet does not show how the array is used afterwards; if its values end up in $page_addon_string and that string is written into the page output without escaping, the same XSS pattern applies.
Why XSS Exists in This Code:
Lack of Input Validation and Sanitization: the values are read from $_POST and processed without any validation. For page_meta_robots in particular the legitimate values form a closed set, so anything outside it could be rejected outright; instead the code accepts arbitrary strings, and an attacker can place script markup in form data that the application never expects to contain markup.
Potential Rendering of Unescaped Data: if $page_meta_robots or $page_addon_string is later written into an HTML context (a meta tag, page content, or a script block) without context-appropriate escaping, an attacker-controlled string becomes part of the document. If the value is saved with the page, the payload is served to every visitor (stored XSS); if it is only echoed back into the edit form, it is reflected to the person editing the page. A script running in a victim's browser can read the session cookie, act as the logged-in user, or rewrite the page content.
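The vulnerable pattern from the Example Attack above and a hardened version side by side, as an added example. This is not flatCore-CMS code: the function names, the ROBOTS_ALLOWLIST constant, the hidden-input rendering for the addon list and the sample $post array are assumptions made for illustration.

```php
<?php
// Added example, not flatCore-CMS code. Models the pattern described above:
// the vulnerable render of $page_meta_robots next to a hardened version.
// Function names, ROBOTS_ALLOWLIST and the sample request are assumptions.

// Constructed request body standing in for $_POST. The edit form would
// normally send checkbox values such as "index"; the attacker sends the
// array shape the code expects but with a payload that closes the
// content="..." attribute first so the script tag lands in the document.
$post = [
    'page_meta_robots' => ['index', '"><script>alert(\'XSS\')</script>'],
    'addon'            => ['<img src=x onerror=alert(1)>'],
];

// Vulnerable pattern: the implode() result reaches the HTML unescaped.
function render_meta_robots_vulnerable(array $post): string
{
    $page_meta_robots = implode(',', $post['page_meta_robots']);
    return '<meta name="robots" content="' . $page_meta_robots . '">';
}

// Hardened pattern, two independent layers:
// 1. Validate on input. Robots directives are a closed vocabulary, so reject
//    anything outside the allow-list rather than trying to clean it.
// 2. Escape on output. htmlspecialchars() with ENT_QUOTES turns " into &quot;
//    so a value can no longer terminate the double-quoted attribute.
const ROBOTS_ALLOWLIST = ['index', 'noindex', 'follow', 'nofollow', 'noarchive', 'nosnippet'];

function normalize_meta_robots($raw): string
{
    if (!is_array($raw)) {
        return '';
    }
    $kept = [];
    foreach ($raw as $value) {
        $value = strtolower(trim((string) $value));
        if (in_array($value, ROBOTS_ALLOWLIST, true)) {
            $kept[] = $value;
        }
    }
    return implode(',', array_unique($kept));
}

// Attribute-context encoder: quotes, angle brackets and ampersands become entities.
function html_attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_meta_robots_hardened(array $post): string
{
    $page_meta_robots = normalize_meta_robots($post['page_meta_robots'] ?? null);
    return '<meta name="robots" content="' . html_attr($page_meta_robots) . '">';
}

// The addon list has no fixed vocabulary in this example, so only the
// output-encoding layer applies: non-strings are dropped and each element
// is escaped before the list is joined.
function render_addons_hardened(array $post): string
{
    $page_addon_string = '';
    if (is_array($post['addon'] ?? null)) {
        $page_addon_string = implode(',', array_map(
            fn($a) => html_attr($a),
            array_filter($post['addon'], 'is_string')
        ));
    }
    return '<input type="hidden" name="addon" value="' . $page_addon_string . '">';
}

echo render_meta_robots_vulnerable($post), PHP_EOL;
echo render_meta_robots_hardened($post), PHP_EOL;
echo render_addons_hardened($post), PHP_EOL;
```

In the vulnerable line the "> in the payload ends the content attribute and the <script> element is emitted as a sibling of the meta tag; in the hardened version the allow-list drops the payload entirely, and even if a value did get through, html_attr() would encode the quote so it could not leave the attribute. Escaping is applied at output time rather than before storage, so the saved value remains usable in contexts (JSON, a text file, a log line) that need a different encoding.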
https://nvd.nist.gov/vuln/detail/CVE-2021-42245
https://github.com/flatCore/flatCore-CMS/issues/69