Published: 2024-06-16
Author: [Your Name]
EyouCMS is a popular content management system used widely for building websites in China and around the world. Recently, security researchers discovered a serious vulnerability in EyouCMS version 1.6.3 that allows attackers to inject malicious scripts through a stored cross-site scripting (XSS) attack. This vulnerability, identified as CVE-2023-36093, affects the "filing number" field found on the "Basic Information" tab within the backend management page.
Let’s break down what this vulnerability means, how an attacker could exploit it, and what you can do to stay secure.
What’s the Issue?
Cross-Site Scripting (XSS) is a common web security bug where an attacker manages to inject malicious JavaScript into pages viewed by other users. There are two main types: reflected and stored. A stored XSS (also called persistent XSS) is the more serious of the two, because the payload stays in the database and affects everyone who views the compromised content.
In EyouCMS v1.6.3, the “Filing Number” field under the backend Basic Information tab doesn’t properly sanitize input. That means if someone enters a dangerous script there, it is stored in the database unchanged and executed in the browsers of users who later load that administration page.
Vulnerable Component: Filing Number field (备案号) in admin backend
- Path: /index.php?m=admin&c=System&a=web
Step-by-Step Exploit Example
Let’s see how an attacker might exploit this bug.
1. Log into EyouCMS Backend
The attacker logs into the admin backend (with an account or after stealing credentials).
2. Navigate to Basic Information
Go to: 后台 → 系统设置 → 网站信息
(English: Backend → System Settings → Website Information)
3. Enter the Payload
In the “Filing Number” (备案号) input, instead of a normal string, the attacker enters
"><script>alert('XSS by Attacker!')</script>
[Screenshot placeholder: EyouCMS backend Basic Information page, Filing Number field (example image, not shown)]
4. Save the Page
The script is saved straight to the database because there’s no sanitization.
5. Trigger the Payload
Whenever any admin revisits the “Basic Information” page, the malicious script runs immediately, popping an alert. An attacker could easily swap out the alert for a more dangerous payload, such as stealing cookies or admin session data.
Proof-of-Concept (PoC) Code
Below is a simple demonstration using curl to automate the process.
# The URL is quoted so the shell does not treat the '&' characters as background operators.
curl -X POST \
  -d "web_recordcode=\"><script>alert('XSS by Attacker!')</script>&other_fields=..." \
  -b "PHPSESSID=your_admin_session" \
  "http://your-eyoucms-site.com/index.php?m=admin&c=System&a=web"
What Happens Next:
Every time a user with access to the backend visits this tab, the payload is executed in their browser.
Why It’s Dangerous
- High Privilege Attack: Only admins can access this tab, but if an attacker obtains backend access (default, weak, or leaked password!), they can attack other admins.
- Session Hijacking: With advanced scripts, loaded XSS can steal session cookies, letting attackers take over other privileged accounts.
- Site Defacement or Backdoors: Malicious scripts can change site settings or plant persistent backdoors via further automated requests in the XSS payload.
How to Stay Secure
- Upgrade EyouCMS to the latest version if available.
- If you must use v1.6.3, insert server-side input filtering/sanitization in all critical fields.
Quick and dirty patch:
If you’re a developer, make sure to escape HTML-significant characters (such as <, >, ", ', /) in input using PHP’s htmlspecialchars or an equivalent before saving to the database and before rendering the value on the page.
Example in PHP
<?php
// Escape the submitted filing number before it is stored or echoed back.
// ENT_QUOTES also converts single quotes, which matters because the value
// is rendered inside a quoted attribute on the admin page.
// The null-coalescing fallback avoids a warning when the field is absent.
$filing_number = htmlspecialchars($_POST["web_recordcode"] ?? '', ENT_QUOTES, 'UTF-8');
// Save $filing_number to the database
?>
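To tie the explanation in “What’s the Issue?” to the patch advice above, here is an added example (my own code, not EyouCMS’s) that shows why concatenating the field into an attribute is exploitable, the escaped rendering that neutralises it, an allow-list check on save, and a helper for auditing values already sitting in the settings table. The parameter name web_recordcode and the sample payload come from the write-up; the function names, the in-memory settings array, and the ICP filing-number pattern are my assumptions.

```php
<?php
// Added example, not EyouCMS code. Demonstrates the attribute-context XSS
// described in the write-up and three defensive measures around it.
// ASSUMPTIONS: function names, the $store array standing in for the settings
// row, and the filing-number allow-list pattern are mine, not the project's.

// Payload quoted in the write-up, used only to contrast the two renderers.
const SAMPLE_PAYLOAD = '"><script>alert(\'XSS by Attacker!\')</script>';

// Vulnerable: the stored value is concatenated straight into a double-quoted
// attribute, so a leading " closes the attribute and the rest becomes markup.
function render_filing_number_vulnerable(string $value): string
{
    return '<input type="text" name="web_recordcode" value="' . $value . '">';
}

// Hardened: ENT_QUOTES escapes both quote kinds, which is what matters when
// the injection point is an attribute rather than body text.
function render_filing_number_safe(string $value): string
{
    $escaped = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="web_recordcode" value="' . $escaped . '">';
}

// Defence in depth on save: allow-list what a filing number may look like.
// ASSUMPTION: "<province character>ICP备<8 digits>号" with an optional "-N"
// suffix, or empty. Adapt this if your site stores other licence formats.
function is_valid_filing_number(string $value): bool
{
    if ($value === '') {
        return true;
    }
    return preg_match('/^\p{Han}ICP备\d{8}号(?:-\d{1,2})?$/u', $value) === 1;
}

// Audit helper for incident response: flags stored values that contain
// markup-significant characters, to find a payload already in the database.
function looks_like_markup(string $value): bool
{
    return preg_match('/[<>"\']|javascript:/i', $value) === 1;
}

// Save path: reject rather than silently rewrite, so bad input shows up in logs.
function save_filing_number(array $post, array &$store): bool
{
    $value = (string)($post['web_recordcode'] ?? '');
    if (!is_valid_filing_number($value)) {
        error_log('rejected web_recordcode: ' . json_encode($value));
        return false;
    }
    $store['web_recordcode'] = $value;
    return true;
}

// Stand-alone demo against a constructed in-memory settings row.
$store = ['web_recordcode' => ''];
var_dump(save_filing_number(['web_recordcode' => SAMPLE_PAYLOAD], $store));      // payload fails the allow-list
var_dump(save_filing_number(['web_recordcode' => '京ICP备12345678号-1'], $store)); // well-formed value is accepted
echo render_filing_number_vulnerable(SAMPLE_PAYLOAD), PHP_EOL;                    // attribute is broken out of
echo render_filing_number_safe(SAMPLE_PAYLOAD), PHP_EOL;                          // payload is inert text
var_dump(looks_like_markup(SAMPLE_PAYLOAD));                                      // audit helper flags it
```

Run it with the php command-line binary. The allow-list pattern is the part to adapt to your own data, and looks_like_markup is meant for checking an export of the settings table on any install that ran v1.6.3 before upgrading, since upgrading the code does not clean a payload that is already stored.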
References
- CVE-2023-36093 at NVD
- EyouCMS official site
- Exploit Database 51674 – EyouCMS 1.6.3 Stored XSS
- XSS Vulnerability Explained (OWASP)
Conclusion
CVE-2023-36093 is a reminder that even tiny overlooked fields in admin panels can be doors for attackers. Stored XSS vulnerabilities like this, especially in an admin context, are devastating. Always sanitize user inputs, keep your CMS up to date, and regularly audit your sites for weak spots.
If you run EyouCMS 1.6.3 – patch now!
Stay safe out there.
*For feedback or corrections, contact [Your Email].*
Timeline
Published on: 06/22/2023 15:15:00 UTC
Last modified on: 06/28/2023 07:22:00 UTC