[Self attack vulnerabilities] possibilities list
Robert Isoski edited this page Mar 5, 2022
The bugs below work only if an admin is logged in and is tricked into pasting JavaScript code, uploading SVGs, or installing themes/plugins from malicious actors.
WonderCMS comes with some security features and some responsibilities.
1. A logged-in user (admin) can execute JavaScript anywhere on their website.
- This has always been a WonderCMS feature.
- I personally don't consider that this needs fixing, since a logged-in admin can do much more damage than just XSS attacks (including website defacement, malware distribution, cryptominers, ...).
2. A logged-in user can upload an SVG (containing code other than an image, such as JavaScript).
- SVGs are generally not just images; they can also include code such as JavaScript and XML. These are awesome features of SVGs.
- Sanitizing SVGs would partially kill their functionality.
- If there are enough requests for this, the SVG upload functionality can be completely removed from WonderCMS.
- If we already allow JavaScript to be executed at any part of the CMS, would removing the SVG functionality make any difference?
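As an added illustration of the point above (not WonderCMS code), the small Python check below flags the constructs in an uploaded SVG that a browser would execute: script elements, on* event-handler attributes and javascript: links. The element and attribute lists are assumptions, not an exhaustive definition of active SVG content, and a legitimately interactive SVG is flagged just the same, which is exactly the trade-off sanitizing implies.

```python
import xml.etree.ElementTree as ET

# Assumption: these are the constructs that execute code in a browser;
# the lists are illustrative, not exhaustive.
SCRIPT_TAGS = {"script", "foreignobject"}
LINK_ATTRS = {"href", "{http://www.w3.org/1999/xlink}href"}


def _local(name: str) -> str:
    """Strip the XML namespace from an element or attribute name."""
    return name.rsplit("}", 1)[-1].lower()


def active_content(svg_text: str) -> list[str]:
    """Return findings describing active content in an SVG document.

    An empty list means nothing that runs code was found; it is not
    a proof that the file is safe.
    """
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = []
    for elem in root.iter():
        name = _local(elem.tag)
        if name in SCRIPT_TAGS:
            findings.append(f"<{name}> element")
        for attr, value in elem.attrib.items():
            if _local(attr).startswith("on"):
                findings.append(f"{_local(attr)} event handler on <{name}>")
            elif attr in LINK_ATTRS and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: URL on <{name}>")
    return findings


# Constructed samples: a plain icon and one that carries script.
PLAIN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
SCRIPTED_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" '
    'xmlns:xlink="http://www.w3.org/1999/xlink">'
    '<script>/* any script */</script>'
    '<circle r="5" onload="/* handler */"/>'
    '<a xlink:href="javascript:void(0)"><text>hi</text></a>'
    '</svg>'
)

if __name__ == "__main__":
    print(active_content(PLAIN_SVG))     # []
    print(active_content(SCRIPTED_SVG))  # three findings
```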
3. Installing themes/plugins from malicious actors
- Installing a theme/plugin from unverified sources can lead to your website being hijacked.
- Please be careful and either verify or don't install themes/plugins from sources you don't trust.
4. Host header attack.
- This will not be considered a vulnerability until we see a live exploit of this (not local).
- Using the Burp Suite Tool to create/show a local attack is not enough, since there needs to be a way to exploit a WonderCMS installation (and not just locally attack oneself).
To reduce the risk of all of the above:
- Avoid pasting random JavaScript code.
- Avoid uploading random SVGs.
- Install themes and plugins only from sources you trust.
The list above is subject to change. All discussions are welcome. Reporting the above issues/bugs/vulnerabilities will not include you in the WonderCMS reward system.