Summary
A reflected cross-site scripting (XSS) vulnerability exists in Xinhu RockOA v2.6.3, in the callback parameter of /webmain/public/upload/tpl_upload.html.
Details
In /webmain/public/upload/tpl_upload.html the callback variable is concatenated directly into a script tag without any filtering or encoding, so an attacker who controls the callback parameter can execute arbitrary JavaScript in the victim's browser.
As the screenshots show, a crafted callback value closes the preceding okla:function() and var up={} constructs and the following closeaa:function(), so that the injected code sits syntactically inside the script block and runs as ordinary page script.
(screenshot 1)
(screenshot 2)
Proof of Concept (PoC)
http://your-ip/index.php?m=upload&d=public&callback=callback%20=callback;%20if%20(showid%20!=%20264569789)%20{%20alert(250);%20}%20}%20catch%20(e)%20{}%20;this.closeaa()},};alert(document.cookie);var%20test={okla:function(){if%20(showid!=10){//
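The flaw described above is a server-side template splicing an unvalidated request parameter into a script body. The following is an added example, not RockOA's code: it models a script fragment with the okla:function() / var up={} / closeaa:function() shape the report describes (a constructed stand-in for tpl_upload.html), renders it both the vulnerable way and with a strict identifier allow-list, and checks how each treats the callback value taken from the PoC URL. The template text, the regex, the default callback name and the function names are all assumptions made for the illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed script fragment with the structure the report describes; it is an
# illustration, not the real /webmain/public/upload/tpl_upload.html.
TEMPLATE = (
    "<script>\n"
    "var up={okla:function(){try{ {{CALLBACK}}(showid); }catch(e){} },\n"
    "closeaa:function(){}};\n"
    "</script>\n"
)

# Allow-list for a callback name: a JavaScript identifier, optionally dotted
# (e.g. parent.onUploaded). Quotes, braces, semicolons, slashes and angle
# brackets cannot pass, so the value can never break out of the script context.
CALLBACK_RE = re.compile(
    r"^[A-Za-z_$][A-Za-z0-9_$]*(?:\.[A-Za-z_$][A-Za-z0-9_$]*)*$"
)
DEFAULT_CALLBACK = "callback"  # assumed fallback name

# PoC URL from the report, split only for line length.
POC_URL = (
    "http://your-ip/index.php?m=upload&d=public&callback="
    "callback%20=callback;%20if%20(showid%20!=%20264569789)%20{%20alert(250);%20}%20}"
    "%20catch%20(e)%20{}%20;this.closeaa()},};alert(document.cookie);"
    "var%20test={okla:function(){if%20(showid!=10){//"
)


def callback_from_url(url: str) -> str:
    """Return the URL-decoded 'callback' query parameter, or '' if absent.

    Splits on '&' by hand rather than using parse_qs, because older Python
    versions also treated ';' as a separator and would truncate this value.
    """
    for pair in urlsplit(url).query.split("&"):
        key, _, value = pair.partition("=")
        if key == "callback":
            return unquote(value)
    return ""


def render_vulnerable(callback: str) -> str:
    """The flawed pattern: the parameter is pasted into the script body unchanged."""
    return TEMPLATE.replace("{{CALLBACK}}", callback)


def is_safe_callback(callback: str) -> bool:
    """True only when the value is a plain (optionally dotted) JS identifier."""
    return CALLBACK_RE.fullmatch(callback) is not None


def render_hardened(callback: str) -> str:
    """Embed the parameter only if it passes the allow-list; otherwise use the default.

    Validation happens server-side before rendering, and only the validated
    identifier text is substituted, so no attacker-controlled syntax reaches
    the script tag.
    """
    name = callback if is_safe_callback(callback) else DEFAULT_CALLBACK
    return TEMPLATE.replace("{{CALLBACK}}", name)


if __name__ == "__main__":
    payload = callback_from_url(POC_URL)
    print("decoded callback:", payload)
    print("vulnerable render contains injected alert:",
          "alert(document.cookie)" in render_vulnerable(payload))
    print("hardened render contains injected alert:",
          "alert(document.cookie)" in render_hardened(payload))
```

The allow-list approach is preferable to output-encoding here: the value is used as a JavaScript identifier, not as a string literal, so HTML- or JS-string-escaping it would either leave the breakout characters in place or produce a name that can no longer be called. Rejecting anything that is not an identifier is the only encoding-independent fix for this sink.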