
XSS attack appears in /xxl-job-admin/joblog/logDetailPage #3329

Open
N0th1n3 opened this issue Nov 8, 2023 · 1 comment

Comments

N0th1n3 commented Nov 8, 2023

Environment

MySQL 5.7.44, XXL-Job-Admin 2.4.0
Virtual Machine 1: Ubuntu 22.04.3 (as XXL-Job-Admin)
Virtual Machine 2: Ubuntu 22.04.3 (as XXL-Job-Executor)

Vulnerability Information

When /xxl-job-admin/joblog/logDetailPage is queried, xxl-job-admin reads the related log directly from the machine and shows it in the console as HTML, even if the log contains <script> </script> content.

Steps to reproduce the behavior

Step 1: Modify the application log in the default path of XXL-Job-Executor and add malicious JavaScript
cd /data/applogs/xxl-job/jobhandler/yyyy-mm-dd/
Example malicious code:
<script>alert(Test123);</script>

Step 2: Log in to the XXL-Job-Admin console as the admin user and navigate to the Log Query Page
Check the log by querying the log id

Step 3: The alert will show here
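A defender-side mitigation for the behaviour described in this report, as an added example that is not XXL-Job's own code: HTML-escape each executor log line before the admin page inserts it into the DOM, so the `<script>` line from the report is displayed as text instead of executed. The function names and the sample log lines are constructed for this example.

```javascript
// Added example (not XXL-Job code): escape executor log text before it is
// rendered as HTML in the admin log console.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Escape the five characters that let text break out of an HTML text node
// or attribute value. Everything else is passed through unchanged.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Build the HTML for the log panel from raw log file text. Each line is
// escaped first, then the original line breaks are restored with <br>, so
// the only markup in the result is the markup this function adds itself.
function renderLogLines(rawLogText) {
  return rawLogText
    .split(/\r?\n/)
    .map((line) => escapeHtml(line))
    .join("<br>");
}

// Constructed sample log: a normal executor line, the payload line from the
// report, and a line with quotes and an ampersand to show those are escaped too.
const SAMPLE_LOG = [
  "2023-11-08 10:00:00 [JobThread.run] job start",
  "<script>alert(Test123);</script>",
  'param="a & b" done',
].join("\n");

// Rendered output contains no live tags, only escaped text joined by <br>.
const rendered = renderLogLines(SAMPLE_LOG);
console.log(rendered);
```

Inserting `rendered` with `innerHTML` is then safe for these inputs; inserting the raw log text with `textContent` into a `<pre>` is an equivalent fix if line breaks do not need to become `<br>`.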

75ACOL commented Nov 23, 2023

If you can go to this page, then you can do more things.
