
A stored cross-site scripting (XSS) vulnerability exists in LightCMS "contents" field #30

Closed
@SKdft

Description

A stored cross-site scripting (XSS) vulnerability exists in LightCMS that allows an authorized user to upload a malicious .pdf file which acts as a stored XSS payload. If this stored XSS payload is triggered by an administrator, it will trigger an XSS attack.

  1. Log in as admin on the article page.
  2. Create a new article.
  3. Upload the malicious PDF. The content of xss.pdf:
%PDF-1.4
%1111
1 0 obj
<<
/CreationDate (D:20210619104632+08'00')
/Creator (xss)
/Producer (PDF-XChange Core API SDK \(7.0.324.2\))
>>
endobj
2 0 obj
<<
/Metadata 3 0 R
/Pages 4 0 R
/Type /Catalog
>>
endobj
3 0 obj
<<
/Length 2983
/Subtype /XML
/Type /Metadata
>>
stream
<?xpacket begin="" id="W5M0MpCehiHzreSzNTczkc9d"?>
<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="XMP Core 5.5.0">
	<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
		<rdf:Description rdf:about=""
				xmlns:dc="http://purl.org/dc/elements/1.1/"
				xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/"
				xmlns:xmp="http://ns.adobe.com/xap/1.0/"
				xmlns:pdf="http://ns.adobe.com/pdf/1.3/">
			<dc:format>application/pdf</dc:format>
			<xmpMM:DocumentID>uuid:9c93bc08-8e4e-46cb-b28f-824c693821a4</xmpMM:DocumentID>
			<xmpMM:InstanceID>uuid:2cd63bea-24ca-4ef8-a12c-015da3b28c96</xmpMM:InstanceID>
			<xmp:CreateDate>2021-06-19T10:46:32+08:00</xmp:CreateDate>
			<xmp:CreatorTool>迅捷PDF编辑器 7.0.324.2</xmp:CreatorTool>
			<xmp:ModifyDate>2021-06-19T10:52:02+08:00</xmp:ModifyDate>
			<pdf:Producer>PDF-XChange Core API SDK (7.0.324.2)</pdf:Producer>
		</rdf:Description>
	</rdf:RDF>
</x:xmpmeta>
  4. Go back to the content, then edit this upload.
  5. When a user clicks the link, it will trigger an XSS attack.
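
An upload-side check for the issue reported above, added here as an example; it is not part of the report and not LightCMS code. The xss.pdf listing stops before any payload object, so this assumes the script is carried by PDF action entries; the function names and both sample byte strings are constructed for illustration.

```python
import re

# PDF name tokens that introduce scripts or automatically run actions.
ACTIVE_NAMES = {"JavaScript", "JS", "OpenAction", "AA", "Launch"}

# A PDF name is "/" plus regular characters; "#xx" inside it is a hex-escaped byte.
NAME_RE = re.compile(rb"/([^\x00\t\n\x0c\r ()<>\[\]{}/%]+)")
HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_name(raw: bytes) -> str:
    """Undo #xx escapes so /J#61vaScript compares equal to /JavaScript."""
    return HEX_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def active_content(data: bytes) -> list[str]:
    """Return the sorted active-content names found in an uploaded PDF."""
    if not data.lstrip().startswith(b"%PDF-"):
        raise ValueError("missing %PDF- header")
    found = {decode_name(m.group(1)) for m in NAME_RE.finditer(data)}
    return sorted(found & ACTIVE_NAMES)


def accept_upload(data: bytes) -> bool:
    """Hypothetical upload policy: refuse non-PDFs and PDFs with active content."""
    try:
        return not active_content(data)
    except ValueError:
        return False


# Constructed samples (not the report's xss.pdf).
PLAIN = b"%PDF-1.4\n1 0 obj\n<<\n/Pages 4 0 R\n/Type /Catalog\n>>\nendobj\n"
SCRIPTED = (
    b"%PDF-1.4\n1 0 obj\n<<\n/Type /Catalog\n/OpenAction 5 0 R\n>>\nendobj\n"
    b"5 0 obj\n<<\n/S /J#61vaScript\n/JS (placeholder)\n>>\nendobj\n"
)

if __name__ == "__main__":
    for label, sample in (("plain", PLAIN), ("scripted", SCRIPTED)):
        print(label, active_content(sample), "accepted:", accept_upload(sample))
```

This is a byte-level heuristic: it does not see names inside compressed object streams or encrypted documents, and it can flag a harmless file whose stream data happens to contain one of the tokens. Serving uploads as downloads from a separate origin covers the cases it misses.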
