**Bug Report: Multiple Vulnerabilities in /wcms/wex/cssjs.php** #18

@samhsu-dev

Description

Version Information


Issue Description

Two vulnerabilities were identified in /wcms/wex/cssjs.php:

  1. Improper Handling of the path Parameter:

    • Sink: Line #62
    • The value of $_GET['path'] is directly passed to json_encode() and echoed without sanitization.
    • This allows attackers to inject malicious content via the path parameter.
  2. Improper Handling of the type Parameter:

    • Sink: Line #64
    • The value of $_GET['type'] is directly echoed into the HTML output without sanitization.
    • This can lead to a reflected XSS attack if an attacker injects malicious JavaScript into the type parameter.

Steps to Reproduce

  1. Reproducing the path Vulnerability (Line #62):

    • Send a GET request to the vulnerable endpoint with the following payload:
      path="/valid/path";}<script>alert(1)</script>
      
    • Example using curl:
      curl "http://localhost/wcms/wex/cssjs.php?path=/valid/path;}<script>alert(1)</script>"
    • Expected Result: Malicious script will be executed in the user's browser.
  2. Reproducing the type Vulnerability (Line #64):

    • Send a GET request to the vulnerable endpoint with the following payload:
      type="<script>alert(2)</script>
      
    • Example using curl:
      curl 'http://localhost/wcms/wex/cssjs.php?type="<script>alert(2)</script>'
    • Expected Result: Malicious script will be executed in the user's browser.

Expected Behavior

  1. The path parameter should be validated and sanitized before being processed or output.
  2. The type parameter should be encoded before being included in the HTML response.

Actual Behavior

  • Unsanitized input from the path and type parameters is processed and directly reflected in the response.
  • This can lead to the execution of arbitrary JavaScript in the user's browser.

Proposed Fix

  1. Sanitize the path Parameter (Line #62):

    • Validate and sanitize the input to ensure it contains only allowed characters:
      $path = filter_var($_GET['path'], FILTER_SANITIZE_STRING);
      $path = htmlspecialchars($path, ENT_QUOTES, 'UTF-8');
  2. Sanitize the type Parameter (Line #64):

    • Use htmlspecialchars() to encode the output:
      $type = htmlspecialchars($_GET['type'], ENT_QUOTES, 'UTF-8');
  3. General Security Improvements:

    • Implement a Content Security Policy (CSP) header to mitigate XSS attacks:
      Content-Security-Policy: script-src 'self';
    • Validate all user inputs before processing or including them in the response.

Impact

  • These vulnerabilities have a critical impact as they allow attackers to execute arbitrary JavaScript in the user's browser.
  • This can lead to session hijacking, phishing, or theft of sensitive information.

Screenshots

  • Code Example Highlighting Vulnerability:
    Code Vulnerability

  • Attack Scenario Example:
    Attack Example
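The following is an added hardening example, not code from the project or from the report above. It assumes a PHP 8 environment, that `type` selects an asset kind that should only ever be `css` or `js`, and that `path` is a relative path that must stay under an asset directory (`ASSET_ROOT`, assumed). It shows the two checks a reviewer would want beside the encoding: reject `type` against an allowlist instead of encoding it, constrain and contain `path`, and then encode each value for the context it lands in (JSON flags for the inline script, `htmlspecialchars()` for HTML), with a nonce-based CSP so the inline script still runs.

```php
<?php
// Added hardening example for a cssjs.php-style endpoint (not the project's
// own file). Assumptions: PHP 8+, 'type' is either 'css' or 'js', 'path' is a
// relative path under ASSET_ROOT (a directory name chosen for this example).
declare(strict_types=1);

const ASSET_ROOT = __DIR__ . '/assets';   // assumed asset directory
const ALLOWED_TYPES = ['css' => 'text/css', 'js' => 'application/javascript'];

/**
 * Return a validated type or null. An allowlist means attacker-controlled
 * text is never reflected: anything outside the list is rejected, not encoded.
 */
function validate_type(string $type): ?string
{
    return array_key_exists($type, ALLOWED_TYPES) ? $type : null;
}

/**
 * Return a validated path or null. The character class keeps '<', '"', ';'
 * and similar out of the value entirely; the '..' check and the realpath()
 * containment check stop traversal out of the asset directory. realpath()
 * returns false for a file that does not exist, which is also rejected.
 */
function validate_path(string $path): ?string
{
    if (!preg_match('~^[A-Za-z0-9_./-]{1,255}$~', $path) || str_contains($path, '..')) {
        return null;
    }
    $full = realpath(ASSET_ROOT . '/' . ltrim($path, '/'));
    $root = realpath(ASSET_ROOT);
    if ($full === false || $root === false
        || !str_starts_with($full, $root . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $path;
}

/**
 * Encode a value for a JavaScript string literal inside an inline <script>.
 * JSON_HEX_TAG turns '<' and '>' into \u003C and \u003E, so a value holding
 * "</script>" cannot terminate the block; the other flags cover quotes and '&'.
 */
function js_literal(string $value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

/** Encode a value for an HTML text or attribute context. */
function html_text(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Build the response body; only constant text is emitted on invalid input. */
function render(array $get, string $nonce): string
{
    $type = validate_type((string) ($get['type'] ?? ''));
    $path = validate_path((string) ($get['path'] ?? ''));
    if ($type === null || $path === null) {
        http_response_code(400);
        return 'invalid request';
    }
    // Values are validated above, but each is still encoded for its context.
    return '<script nonce="' . html_text($nonce) . '">'
         . 'var assetPath = ' . js_literal($path) . ';</script>' . "\n"
         . '<p>Asset type: ' . html_text($type) . '</p>' . "\n";
}

// Per-response nonce: the CSP permits only the script tag carrying it.
$nonce = base64_encode(random_bytes(16));
header("Content-Security-Policy: script-src 'nonce-$nonce'; object-src 'none'; base-uri 'none'");
header('Content-Type: text/html; charset=UTF-8');
echo render($_GET, $nonce);
```

Two notes on the design. First, `FILTER_SANITIZE_STRING`, used in the report's proposed fix, is deprecated as of PHP 8.1 and strips tags rather than encoding for a specific context; an allowlist for `type` and a strict pattern for `path` remove the need for it. Second, `htmlspecialchars()` alone is the wrong tool for the `path` sink because that value lands inside a JavaScript literal, not HTML text; the `JSON_HEX_*` flags on `json_encode()` are what keep a `</script>` sequence from closing the block there.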

