ROUYI CMS vulnerabilities

Stored XSS

  • The default CMS has two roles: admin and common.
  • Both of them have permission to modify bulletins (notices).
  • What's more, /system/notice is the only path excluded from the XSS filter.
  • So an XSS payload entered in a notice is stored and triggers for anyone who views the notice, including admin.


Insecure Permissions

  • Besides the administrator, any account can add roles of the same level as its own.
  • But this is not configured correctly: we can add any role with any permissions, even admin.

  • We use an account with the common role and go to the user registration page.

  • The page only lets you register the common role.
  • We intercept the request and change the roleid to any role we want.
  • In the database, the result is a newly created admin account.
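
The root cause is that the server stores whatever role id the request carries, so the check has to be made server-side against what the caller is allowed to grant. The sketch below is an added example, not code from the CMS; the role table, permission strings and function names are hypothetical and the sample data is constructed.

```python
from dataclasses import dataclass

# Constructed role table; ids, names and permission strings are sample values.
ROLES = {
    1: {"name": "admin", "perms": {"*"}},
    2: {"name": "common", "perms": {"system:notice:edit", "system:user:add"}},
    3: {"name": "auditor", "perms": {"system:log:view"}},
}

@dataclass(frozen=True)
class Caller:
    user_id: int
    role_ids: frozenset

def caller_perms(caller):
    """Union of the permissions of every role the caller holds."""
    perms = set()
    for rid in caller.role_ids:
        perms |= ROLES[rid]["perms"]
    return perms

def grantable_roles(caller):
    """Roles whose permissions the caller already holds in full."""
    held = caller_perms(caller)
    if "*" in held:
        return set(ROLES)
    return {rid for rid, role in ROLES.items()
            if "*" not in role["perms"] and role["perms"] <= held}

def create_user_trusting(caller, requested_role_ids):
    """Behaviour described above: the submitted role ids are stored as sent."""
    return sorted(set(requested_role_ids))

def create_user_checked(caller, requested_role_ids):
    """Accept the request only if every role id is known and grantable."""
    requested = set(requested_role_ids)
    held = caller_perms(caller)
    if "*" not in held and "system:user:add" not in held:
        raise PermissionError("caller may not create users")
    unknown = requested - set(ROLES)
    if unknown:
        raise ValueError(f"unknown role ids: {sorted(unknown)}")
    denied = requested - grantable_roles(caller)
    if denied:
        raise PermissionError(f"caller may not grant role ids: {sorted(denied)}")
    return sorted(requested)
```

Hiding the role choice in the registration form changes nothing here: the decision is made from the caller's session and the server's own role table, never from the submitted value alone.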