There is a storage XSS vulnerability in the blog comment interface #1

Open

shuimuLiu opened this issue Aug 12, 2018 · 0 comments

shuimuLiu commented Aug 12, 2018

Explanation:
A cross-site scripting (XSS) vulnerability in ShurabhCMS may allow a remote attacker (user) to inject arbitrary Web scripts through the source editor, which will cause the attacker (user) to obtain the cookies of other users and log in to the accounts of other users.

First use the account password to log in to the blog.

[image]

When I comment on one of the blogs, I insert malicious code into it.

[image]

The website does not filter characters, and malicious code is directly transmitted to the website management interface.

[image]

When the administrator clicks the Approve option, the malicious code will be executed.

[image]

Now if an ordinary user sees this comment, his cookie will be stolen.

[image]

Impact:
This can be used by any user leaving a message on a Web site to perform an operation and may result in hijacking any user's cookie.
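A defender-side illustration of the root cause the report describes, added here as an example and not code from ShurabhCMS: a stored comment body is concatenated into the admin approval page and the public blog page as raw HTML, so the fix is to entity-encode every user-controlled field before rendering, and a reviewer can flag already-stored comments that contain markup. The sample comment, the function names and the `comment.body` field are constructed assumptions.

```javascript
// Constructed sample comment of the kind the report describes: the body
// carries markup instead of plain text. (Assumed field name: body.)
const SAMPLE_COMMENT = { body: 'Nice post! <script>alert(1)</script>' };

// Minimal HTML entity encoding for text placed between tags. Covers the
// five characters that can start or close markup/attribute context.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable rendering: the behaviour the report attributes to the CMS.
// Whatever the commenter typed is handed to the viewer's browser as HTML,
// so it runs in the admin's session on Approve and in every reader's session.
function renderCommentVulnerable(comment) {
  return '<div class="comment">' + comment.body + '</div>';
}

// Hardened rendering: the same template, but the user-controlled field is
// encoded, so the browser displays the tags as text instead of executing them.
function renderCommentSafe(comment) {
  return '<div class="comment">' + escapeHtml(comment.body) + '</div>';
}

// Review check over stored comments: does a raw body contain something that
// parses as an HTML tag? Plain text with stray "<" or ">" (e.g. "5 > 3") is
// not flagged; an actual tag is.
function containsMarkup(body) {
  return /<\s*\/?\s*[a-z][^>]*>/i.test(body);
}

// Stand-alone demonstration.
console.log('vulnerable:', renderCommentVulnerable(SAMPLE_COMMENT));
console.log('safe:      ', renderCommentSafe(SAMPLE_COMMENT));
console.log('flagged:   ', containsMarkup(SAMPLE_COMMENT.body));
```

Encoding at render time fixes the injection regardless of what was stored; filtering on input alone leaves comments that were saved before the fix (like the one in the report) still live.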
