How the CVE Works:
The vulnerability exists in YesWiki v4.5.3's file upload form handler. The `showUploadForm()` function outputs unsanitized user input from the `file` GET parameter directly into the HTML response without encoding it. When a script is injected via the `file` parameter, it is reflected in the page output, leading to client-side JavaScript execution in the victim's browser context. The attack requires no authentication and can be triggered via a specially crafted URL. The vulnerable code echoes the `$this->file` variable straight into the HTML output, allowing arbitrary JavaScript execution when a victim visits the attacker's crafted link.
DailyCVE Form:
Platform: YesWiki
Version: 4.5.3
Vulnerability: Reflected XSS
Severity: Critical
Date: 2023-XX-XX
What Undercode Say:
// Exploit POC
fetch("http://target/?PagePrincipale/upload&file=<script>alert(1)</script>")
# Scanner detection: send a harmless canary and check whether it is reflected unencoded
import requests

response = requests.get("http://target/page?file=<xss_test>")
if "<xss_test>" in response.text:
    print("Vulnerable to XSS")
// Secure patch
$sanitized_file = htmlspecialchars($this->file, ENT_QUOTES, 'UTF-8');
echo ' <h3>' . _t('ATTACH_UPLOAD_FORM_FOR_FILE') . ' ' . $sanitized_file . "</h3> \n";
# Mitigation rule (nginx); note that current browsers ignore X-XSS-Protection, so the CSP header is the effective control
add_header X-XSS-Protection "1; mode=block";
add_header Content-Security-Policy "default-src 'self'";
# Curl test
curl -v "http://target/?file=<script>alert(1)</script>"
// Protection middleware (Express); `sanitize` is assumed to be an HTML-escaping helper
app.use((req, res, next) => {
  for (let param in req.query) {
    req.query[param] = sanitize(req.query[param]);
  }
  next();
});
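As an added example (not YesWiki's code and not the page's own scanner), the Python below models the vulnerable and patched `<h3>` echo described above and classifies how a canary comes back in a response, so a retest after the `htmlspecialchars` patch distinguishes raw reflection from entity-encoded output. The label text, canary and response bodies are constructed, and `html.escape` stands in for `htmlspecialchars(..., ENT_QUOTES, 'UTF-8')`.

```python
import html

# Constructed canary, same idea as the <xss_test> marker used by the scanner above.
CANARY = "<xss_test>"

# Stand-in for the translated _t('ATTACH_UPLOAD_FORM_FOR_FILE') label (assumption).
LABEL = "Upload form for file"


def render_upload_form_vulnerable(file_param: str) -> str:
    """Models the YesWiki 4.5.3 behaviour: the `file` parameter is echoed unencoded."""
    return " <h3>" + LABEL + " " + file_param + "</h3> \n"


def render_upload_form_patched(file_param: str) -> str:
    """Models the patched echo; html.escape(quote=True) encodes & < > \" ' like ENT_QUOTES."""
    return " <h3>" + LABEL + " " + html.escape(file_param, quote=True) + "</h3> \n"


def reflection_verdict(canary: str, body: str) -> str:
    """Classify how a canary is reflected in a response body.

    'raw'     - markup characters came back intact (reflected XSS exposure)
    'encoded' - only an entity-encoded copy is present (output encoding works);
                html.unescape handles both PHP's &#039; and Python's &#x27; forms
    'absent'  - the canary is not reflected at all
    """
    if canary in body:
        return "raw"
    if canary in html.unescape(body):
        return "encoded"
    return "absent"


if __name__ == "__main__":
    for name, body in (("vulnerable", render_upload_form_vulnerable(CANARY)),
                       ("patched", render_upload_form_patched(CANARY))):
        print(f"{name}: {reflection_verdict(CANARY, body)}")
```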
Sources:
Reported By: github.com
Extra Source Hub:
Undercode