Jeesns 1.3 XSS Filter could be bypassed
Analysis
I found that an XSS vulnerability in Jeesns had already been reported as CVE-2018-12429.
The developer fixed CVE-2018-12429 with a blacklisting mechanism in XssHttpServletRequestWrapper.java.
com.lxinet.jeesns.core.utils.XssHttpServletRequestWrapper, line 40:
```java
private String cleanXSS(String value) {
    // first checkpoint
    // (?i) makes the match case-insensitive
    value = value.replaceAll("(?i)<style>", "&lt;style&gt;").replaceAll("(?i)</style>", "&lt;/style&gt;");
    value = value.replaceAll("(?i)<script>", "&lt;script&gt;").replaceAll("(?i)</script>", "&lt;/script&gt;");
    value = value.replaceAll("(?i)<script", "&lt;script");
    value = value.replaceAll("(?i)eval\\((.*)\\)", "");
    value = value.replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']", "\"\"");
    // second checkpoint
    // script event keywords that need to be filtered
    String[] eventKeywords = { "onmouseover", "onmouseout", "onmousedown",
            "onmouseup", "onmousemove", "onclick", "ondblclick",
            "onkeypress", "onkeydown", "onkeyup", "ondragstart",
            "onerrorupdate", "onhelp", "onreadystatechange", "onrowenter",
            "onrowexit", "onselectstart", "onload", "onunload",
            "onbeforeunload", "onblur", "onerror", "onfocus", "onresize",
            "onscroll", "oncontextmenu", "alert" };
    // filter out script event code
    for (int i = 0; i < eventKeywords.length; i++) {
        // prepend a "_" so the event attribute no longer works
        value = value.replaceAll(eventKeywords[i], "_" + eventKeywords[i]);
    }
    return value;
}
```

It only rewrites a few tags and event names, so it is easy to bypass.
We can use an svg or img tag to bypass the first checkpoint, and a differently spelled (for example mixed-case) event name to bypass the second checkpoint, since the keyword replacement is case-sensitive.
For example:
<svg/onLoad=confirm(document.cookie)>
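To show exactly why the two checkpoints miss the payload above, here is an added Python port of the cleanXSS blacklist (example code written for this page, not Jeesns's own Java), placed next to plain HTML output encoding, which neutralises any tag or attribute regardless of how it is spelled. The function names clean_xss_blacklist, escape_for_html and survives_blacklist are this example's own.

```python
import html
import re

# Event keywords copied from the Jeesns 1.3 filter shown above.
EVENT_KEYWORDS = [
    "onmouseover", "onmouseout", "onmousedown", "onmouseup", "onmousemove",
    "onclick", "ondblclick", "onkeypress", "onkeydown", "onkeyup",
    "ondragstart", "onerrorupdate", "onhelp", "onreadystatechange",
    "onrowenter", "onrowexit", "onselectstart", "onload", "onunload",
    "onbeforeunload", "onblur", "onerror", "onfocus", "onresize",
    "onscroll", "oncontextmenu", "alert",
]


def clean_xss_blacklist(value: str) -> str:
    """Port of cleanXSS: same regexes, same case-sensitive keyword loop."""
    # First checkpoint: only <style>/<script> are matched (case-insensitively);
    # any other tag such as <svg> or <img> passes straight through.
    value = re.sub(r"(?i)<style>", "&lt;style&gt;", value)
    value = re.sub(r"(?i)</style>", "&lt;/style&gt;", value)
    value = re.sub(r"(?i)<script>", "&lt;script&gt;", value)
    value = re.sub(r"(?i)</script>", "&lt;/script&gt;", value)
    value = re.sub(r"(?i)<script", "&lt;script", value)
    value = re.sub(r"(?i)eval\((.*)\)", "", value)
    value = re.sub(r"[\"'][\s]*javascript:(.*)[\"']", '""', value)
    # Second checkpoint: Java replaceAll with a literal lowercase keyword is
    # case-sensitive, so a mixed-case attribute name like "onLoad" is untouched.
    for keyword in EVENT_KEYWORDS:
        value = value.replace(keyword, "_" + keyword)
    return value


def escape_for_html(value: str) -> str:
    """Hypothetical replacement: encode <, >, &, " and ' as entities so the
    browser can never parse the input as markup, whatever its spelling."""
    return html.escape(value, quote=True)


def survives_blacklist(payload: str) -> bool:
    """True when the blacklist returns the payload byte-for-byte unchanged."""
    return clean_xss_blacklist(payload) == payload


if __name__ == "__main__":
    # Payload from this report plus an all-lowercase variant, for comparison.
    for sample in ("<svg/onLoad=confirm(document.cookie)>", "<svg/onload=confirm(1)>"):
        print(repr(sample), "passes blacklist:", survives_blacklist(sample))
        print("  after output encoding:", escape_for_html(sample))
```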
Test
Step 1
We need to register an account and sign in.
Step 2
Then we post a new article containing our payload <svg/onLoad=confirm(document.cookie)>.
The script executes when the administrator or any other user visits the article list.