There is an xss vulnerability of HTTP header injection storage in jfinal_cms V5.1.0

There is a storage XSS vulnerability in the guest TOP10 of jfinal_cms. TOP10 will display the ip of the user, but it can be modified by X-Forwarded-For, where the attacker can insert malicious XSS code. When the administrator logs in, the malicious XSS code triggers successfully.

payload:  X-Forwarded-For: 192.168.1.1</li><script>alert ("xss")</script>

In the background login interface, enter the account password randomly, fill in the correct verification code, and then submit and grab the package.
![图片](https://user-images.githubusercontent.com/32386331/163304089-a2d069db-d2a3-49b2-86fd-3e0d1ee24670.png)

The contents of the grab bag are as follows:
![图片](https://user-images.githubusercontent.com/32386331/163304599-1cec36b1-bd1a-4161-b408-23a8bdf14a34.png)

Add an X-Forwarded-For here and enter paylaod (192.168.1.1</li><script>alert ("xss")</script>)
![图片](https://user-images.githubusercontent.com/32386331/163304566-a955b06b-d863-40d2-b3a2-cfc86f3c191a.png)

Then log in with the background administrator account to trigger the storage XSS.
![图片](https://user-images.githubusercontent.com/32386331/163304861-298a5392-d4fe-4a94-b24e-7edffbf9caa0.png)

Safety advice:
Strictly filter the user's input
Strict control of page rendering content

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

There is an xss vulnerability of HTTP header injection storage in jfinal_cms V5.1.0 #34

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development