Cross-site Scripting (XSS) - Stored in zoujingli/thinkadmin
Reported on: Sep 17th 2021
Description
Stored XSS content allows arbitrary execution of JavaScript.
Proof of Concept
In Wechat management, under the following features:
- Reply rule management
- Follow reply configuration
- Default reply configuration
- Follow automatic replies
Save the reply text with the payload: </titLe/</teXtarEa/</scRipt/--!>\x3csVg/<iMg SrC="x" oNeRRor="alert(1);">\x3e
The XSS triggers when the page is reloaded or when the entry is opened for editing.
Video PoC
Impact
This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie.
HTML needs to be parsed during mobile phone preview. Only HTML executable script filtering can be done here.
I noticed this problem happened when the textarea tags were escaped by my payload rather than the mobile phone preview.
I already know the problem. Now I'm going to XSS filter the submitted data and delete the on* and script of all elements.
Execute the following commands to resolve the problem:
composer update
php think xadmin:install wechat
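The maintainer's stated fix is to filter submitted reply text so that script elements and on* attributes never survive. The following is an added reference implementation of that kind of allowlist filter, written for this report and not taken from ThinkAdmin (whose actual filter is PHP and is not reproduced here). It parses the submitted HTML, drops <script>/<style> together with their contents, drops every on* attribute and any attribute not on a per-tag allowlist, rejects javascript: style URLs in href/src, and re-serialises the rest with escaped text. The tag and attribute allowlists are my own choices; the PoC payload from the report is embedded as a constructed test input, once exactly as written (with literal \x3c / \x3e) and once with those escapes decoded, which is an assumption about how the reporter may have intended it.

```python
"""Allowlist HTML sanitizer for stored-XSS mitigation (added example, not ThinkAdmin code)."""
import html
import re
from html.parser import HTMLParser

# Allowlist chosen for this example: tags that may survive, and the attributes each may keep.
ALLOWED_TAGS = {"a", "b", "br", "em", "i", "img", "li", "ol", "p", "span", "strong", "ul"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
VOID_TAGS = {"br", "img"}
DROP_WITH_CONTENT = {"script", "style"}   # element and everything inside it are removed
URL_ATTRS = {"href", "src"}
ATTR_NAME_RE = re.compile(r"^[a-z][a-z0-9-]*$")


def safe_url(value):
    """Allow relative URLs and http/https/mailto; reject javascript:, data:, vbscript: etc."""
    # Browsers ignore control characters and whitespace inside a scheme ("java\tscript:").
    cleaned = re.sub(r"[\x00-\x20\x7f]", "", value).lower()
    first_segment = re.split(r"[/?#]", cleaned, maxsplit=1)[0]
    if ":" not in first_segment:
        return True                      # no scheme at all: relative URL
    return cleaned.startswith(("http:", "https:", "mailto:"))


class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0      # > 0 while inside a <script>/<style> subtree
        self.open_tags = []      # allowed tags currently open, so output stays balanced

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return               # unknown tag: the tag is dropped, its text content is kept
        kept = []
        for name, value in attrs:
            name = name.lower()
            # Event handlers and malformed attribute names are never re-emitted.
            if name.startswith("on") or not ATTR_NAME_RE.match(name):
                continue
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            value = value or ""
            if name in URL_ATTRS and not safe_url(value):
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in self.open_tags:
            return
        # Close everything opened after this tag so the output remains well nested.
        while self.open_tags:
            closed = self.open_tags.pop()
            self.out.append(f"</{closed}>")
            if closed == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))   # text is always escaped

    def result(self):
        self.close()
        while self.open_tags:          # close anything left open at end of input
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize(fragment):
    parser = Sanitizer()
    parser.feed(fragment)
    return parser.result()


class _Audit(HTMLParser):
    """Re-parses a fragment and lists script tags and on* attributes it still contains."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.findings.append(tag)
        self.findings.extend(n for n, _ in attrs if n.lower().startswith("on"))


def executable_parts(fragment):
    audit = _Audit()
    audit.feed(fragment)
    audit.close()
    return audit.findings


# Constructed test inputs: the PoC payload from this report, literal and with \x3c/\x3e decoded.
POC_PAYLOAD = r'</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<iMg SrC="x" oNeRRor="alert(1);">\x3e'
POC_DECODED = POC_PAYLOAD.replace(r"\x3c", "<").replace(r"\x3e", ">")

if __name__ == "__main__":
    for sample in (POC_PAYLOAD, POC_DECODED, '<a href="javascript:alert(1)">x</a>'):
        print(repr(sanitize(sample)), executable_parts(sanitize(sample)))
```

The check worth keeping from this is executable_parts(): run it over the sanitizer's output in a unit test so that a regression that lets an on* attribute or a script element through fails the build, rather than relying on eyeballing the stored text in the preview.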