Summary

Some of the data stored in automation_tree_rules_form_save() function in automation_tree_rules.php is not thoroughly checked and is used to concatenate the HTML statement in form_confirm() function from lib/html.php , finally resulting in XSS.

Details

In the SQL table automation_tree_rules stored in database, the name field is controllable. The writing of dirty data can be done from automation_tree_rules_form_save() function in automation_tree_rules.php.
Both writing and reading require administrator privileges

The attack starts with the automation_tree_rules_remove() function in automation_tree_rules.php. Reading table automation_tree_rules and calling form_confirm() function.

Finally arriving at lib/html.php. Variable $text is not checked and concatenated directly, resulting in XSS.

PoC

POST access automation_tree_rules.php and submit the following data：

• 'save_component_automation_graph_rule' => 1,
• 'action'=>'save',
• '__csrf_magic'=> '',
• 'id'=>'4',
• 'name'=>'<script>alert(1);</script>',
• 'snmp_query_id'=>0,

check field in tableautomation_tree_rules table.

GET access : "http://ip:port/automation_graph_rules.php?action=remove&id=4".

Researcher: ISHGARD-2, USTC