CVE CyberSecurity Database News

CVE-2022-45280 - Exploiting XSS in EyouCMS v1.6. /login.php via the 'Url' Parameter

Poster -

EyouCMS has become a popular content management system in recent years. Unfortunately, with popularity often comes increased scrutiny—and vulnerabilities. One such vulnerability, CVE-2022-45280, was discovered in EyouCMS version 1.6.. This bug is a Cross-Site Scripting (XSS) issue in the Url parameter on the /login.php page. Attackers can use this flaw to execute any script in the context of a victim's browser, potentially stealing session cookies, redirecting users, or escalating their attack.

In this article, we’ll break down exactly what CVE-2022-45280 is, show step-by-step how it can be exploited, and provide links to original references. If you run EyouCMS, don’t skip this post.

What is Cross-Site Scripting (XSS)?

Cross-Site Scripting (XSS) lets attackers run their own JavaScript code in someone else’s browser. This can happen if user input is not properly filtered or "sanitized" before being displayed back to users. With Reflected XSS—like this vulnerability—the malicious script is added to a link and executed as soon as a victim clicks it.

Where is the Vulnerability?

CVE-2022-45280 exists in the Url parameter in /login.php in EyouCMS v1.6.. When a user navigates to a URL like this:

/login.php?Url=somevalue

the value of Url is inserted into the HTML of the login page. If an attacker provides a specially crafted value, they can inject scripts into the page.

Here’s a simple example vulnerable code snippet

<?php
// login.php (snippet)
$url = $_GET['Url'];
?>
<html>
<body>
<!-- Some login form -->
<form action="do_login.php" method="POST">
    <!-- ... -->
    <input type="hidden" name="redirect" value="<?php echo $url; ?>" />
</form>
</body>
</html>

If $url is not sanitized, an attacker can inject HTML or JS.

How Does the Exploit Work?

The vulnerability is simple to exploit. An attacker only needs to create a URL where the Url parameter contains their XSS payload.

Exploit Example

http://victim-site.com/login.php?Url=%22%3E%3Cscript%3Ealert('XSS')%3C%2Fscript%3E

This payload decodes to

"><script>alert('XSS')</script>

So the hidden input on the login page becomes

<input type="hidden" name="redirect" value=""><script>alert('XSS')</script>

When a user visits this link, their browser executes the alert.

`

http://victim-site.com/login.php?Url=%22%3E%3Cscript%3Ealert('XSS')%3C%2Fscript%3E

How to Fix

The best solution is to encode or sanitize all output. In PHP, use htmlspecialchars() to render user input safe for HTML contexts.

Fixed Code Example

<input type="hidden" name="redirect" value="<?php echo htmlspecialchars($url, ENT_QUOTES, 'UTF-8'); ?>" />

References

- CVE Details: CVE-2022-45280
- NVD CVE-2022-45280 Details
- EyouCMS GitHub
- OWASP Cross Site Scripting (XSS)

Summary

CVE-2022-45280 is a straightforward but dangerous XSS flaw in EyouCMS v1.6.. Exploiting it only takes a crafted link. Management systems like EyouCMS must always sanitize inputs, especially those reflected into pages. If you run EyouCMS, update immediately and check your code for similar flaws.

*Stay safe and always validate and encode user input!*

Timeline

Published on: 11/23/2022 21:15:00 UTC
Last modified on: 11/28/2022 19:35:00 UTC