Security Vulnerabilities
To continue upon what igorkov found and mentioned in this post, http://wondercms.com/forum/viewtopic.php?f=20&t=620, I've found another security vulnerability in WonderCMS.
The 404 page/page created page is vulnerable to XSS injection. Proof of Concept: http://wondercms.com/%3Cscript%3Ealert% ... /script%3E
Also, the vulnerability mentioned in the second post of igorkov (with editInplace.php) can also be used to traverse the file system of the web server, possibly exposing private data.
- turboblack
- Posts: 201
- Joined: Fri Sep 19, 2014 1:53 pm
Re: Security Vulnerabilities
and... how to fix that????
http://old.net.eu.org/ Get ready to hamsterization! code takes less than a kilobyte! shock!
https://github.com/turboblack/HamsterCMS new version for PHP 8 with new templates
Re: Security Vulnerabilities
The inputs will need to be properly sanitized to remove possibly malicious data being given to the application.
Lines 12 and 13 of index.php need to be filtered and limited to just text to stop the XSS attack. (More information on XSS attacks is available here: https://www.owasp.org/index.php/Cross-s ... _%28XSS%29.)
The files/password file should be moved to a separate folder. It shouldn't be with the other user data. Moving it and filtering inputs should help.
Line 17 in js/editInplace.php also needs to be restricted to the necessary files and nothing else.
I could try to patch things up, but I don't know where the repo is. Also, do the devs know about this? Shouldn't WonderCMS users be notified too?
Thanks,
j2h2
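As an added illustration of the second point above (restricting the edit-in-place handler to the files it actually needs), the following PHP is example code written for this thread, not WonderCMS's own editInplace.php. The function names, the 'file'/'value' request keys and the data-directory layout are assumptions. The idea is that the client never supplies a path, only a short key that is looked up in a fixed allowlist, and the resolved file is additionally checked to lie inside the data directory.

```php
<?php
// Added example (not WonderCMS code): an edit-in-place save handler that can only
// touch a fixed set of files under one data directory. The function names, the
// 'file'/'value' request keys and the data-dir layout are assumptions for this example.

declare(strict_types=1);

/**
 * Map the short key the client sends to a real file inside $dataDir.
 * Returns null for anything that is not on the allowlist or resolves outside $dataDir.
 */
function resolveEditableFile(string $dataDir, string $key): ?string
{
    // Only these files may be edited in place; the password file is deliberately
    // not listed and, as suggested in the thread, should live in a different folder.
    $allowed = [
        'content' => 'content.txt',
        'title'   => 'title.txt',
    ];
    if (!array_key_exists($key, $allowed)) {
        return null;                 // unknown key: never build a path from user input
    }

    $base = realpath($dataDir);
    $real = realpath($dataDir . DIRECTORY_SEPARATOR . $allowed[$key]);
    if ($base === false || $real === false) {
        return null;                 // directory or file missing
    }
    // Defence in depth: even an allowlisted entry must resolve inside $dataDir
    // (guards against a symlink or a later mistake in the map above).
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

/** Returns true when the edit was written, false when the request was refused. */
function saveInPlaceEdit(string $dataDir, array $request): bool
{
    if (!isset($request['file'], $request['value']) || !is_string($request['file'])) {
        return false;
    }
    $target = resolveEditableFile($dataDir, $request['file']);
    if ($target === null) {
        return false;
    }
    return file_put_contents($target, (string) $request['value'], LOCK_EX) !== false;
}

// Constructed demo when run from the command line: create a throwaway data dir,
// then try a legitimate key and a traversal-style key.
if (PHP_SAPI === 'cli') {
    $dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'wcms-demo-' . getmypid();
    mkdir($dir);
    file_put_contents($dir . '/content.txt', 'hello');
    var_dump(saveInPlaceEdit($dir, ['file' => 'content', 'value' => 'new text']));
    var_dump(saveInPlaceEdit($dir, ['file' => '../files/password', 'value' => 'x']));
}
```

Because the lookup is by key rather than by filename, a request naming any other file is refused before a path is ever constructed; the realpath containment check is only a second line of defence.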
Re: Security Vulnerabilities
Nice...
A hard fix for these problems, after getting the page name:
Code:
$rp = isset($_REQUEST['page']) ? $_REQUEST['page'] : '';
Add this, which cuts all symbols except A-Z, a-z and '-':
Code:
// whitelist: drop every character that is not a letter, digit or '-'
$rp = preg_replace('/[^a-zA-Z0-9-]/', '', $rp);
Example:
http://igorkov.org/%3Cscript%3Ealert%28 ... /script%3E
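To show how the whitelist above fits together with the output filtering j2h2 asked for on the 404 page, here is an added PHP example written for this thread (not code from WonderCMS or from igorkov). The function names and the 'home' default are assumptions. It applies the same preg_replace whitelist to the page name and, independently, HTML-encodes the value when it is written into the page, so the template stays safe even if the whitelist is loosened later.

```php
<?php
// Added example (not WonderCMS code): the page name is the only untrusted input on the
// 404 page, so it is (1) restricted to a safe character set, as igorkov suggests, and
// (2) HTML-encoded at output time. Function names and the 'home' default are assumptions.

declare(strict_types=1);

/** Keep only letters, digits and '-'; fall back to the default page when nothing is left. */
function cleanPageName(string $raw): string
{
    $clean = preg_replace('/[^a-zA-Z0-9-]/', '', $raw);
    return ($clean === null || $clean === '') ? 'home' : $clean;
}

/** Render the "not found" heading with the page name encoded for an HTML context. */
function render404(string $rawPage): string
{
    $page = cleanPageName($rawPage);
    // Output encoding is the actual XSS fix; the whitelist above narrows the input
    // further and also keeps the name usable as part of a file name.
    $safe = htmlspecialchars($page, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
    return "<h1>Page '{$safe}' was not found.</h1>";
}

/** Vulnerable form kept for comparison: the raw value goes straight into the markup. */
function render404Unsafe(string $rawPage): string
{
    return "<h1>Page '{$rawPage}' was not found.</h1>";
}

// Constructed demo: an input shaped like the proof-of-concept URL in this thread,
// rendered by both variants so the difference is visible.
if (PHP_SAPI === 'cli') {
    $input = '<script>alert(1)</script>';
    echo render404Unsafe($input), PHP_EOL;
    echo render404($input), PHP_EOL;
}
```

Run from the command line, the unsafe variant echoes the markup unchanged, while the hardened one has already dropped the angle brackets, parentheses and slashes before the name reaches htmlspecialchars().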
Re: Security Vulnerabilities
Hi Guys,
It seems the code of this nice little gem called Wondercms has some issues. It also seems you are able to fix some of these issues. Would any of you care to put this code on github so it can be patched? I'm not fluent enough in PHP to do this myself but I could help with the Javascript/HTML part if there are any issues.
The license is the most free creative commons one so you can adapt it as needed as long as you give credit.
Would be nice to keep this project alive.
Re: Security Vulnerabilities
Okayyy, I'm a bit confused, seems like the Wondercms on github doesn't contain all files as the download from the site. Maybe the github version is 0.4?
Here is another repo with ckeditor added. I added ckeditor to Wondercms manually some time ago and it kicks ass for smaller projects.
https://github.com/nishantmendiratta/wo ... h_ckeditor
- turboblack
- Posts: 201
- Joined: Fri Sep 19, 2014 1:53 pm
Re: Security Vulnerabilities
I do not understand either why such a thick editor for such a small script.
There are plenty of small solutions for this.
http://old.net.eu.org/ Get ready to hamsterization! code takes less than a kilobyte! shock!
https://github.com/turboblack/HamsterCMS new version for PHP 8 with new templates
Re: Security Vulnerabilities
Hello everyone.
Yes that is the correct GitHub URL for WonderCMS development.
The GitHub version of WonderCMS has fewer files because of a new functionality that auto generates the necessary folders.
I suggest you try and download it, as there are some code upgrades that are not yet available to the general public (everyone who downloads the beta from the front page - wondercms.com).
That aside, today we also moved WonderCMS to a new server (as you might have noticed some interruptions in uptime and functionality) that is now powered by nginx (instead of apache). Soon we'll also be able to offer a WonderCMS version for everybody who owns a server running on nginx.
It's pretty late now, but tomorrow I'll patch up the security fixes you guys posted here to GitHub (if someone else doesn't do it before me) and after some testing publish it as a new version.
Please report any bugs that you might notice around this site to GitHub.
Regards
rob
Re: Security Vulnerabilities