
User's Sensitive Information is included in Cookies

Open NinjaGPT opened this issue 5 months ago • 0 comments

Summary

In the latest version (v3.3.4) of xboot, there are security flaws in the cookie design. Sensitive user information including uid, username, nickname, mobile, email, address, sex, avatar URL, and birthday are all stored in cookies. If these cookies are compromised, attackers can leverage this information to launch more sophisticated attacks such as brute force attacks, social engineering, and phishing.

POC

GET /xboot/permission/getMenuList

Cookie: _ga=GA1.1.1119679874.1749601651; CHAT2DB.USER_ID=2; _ga_V8M4E5SF61=GS2.1.s1749601650$o1$g1$t1749601661$j49$l0$h0; PUBLICCMS_ADMIN=1_98929ca2-feeb-4745-8c8b-83ce96a02974; PUBLICCMS_ANALYTICS_ID=3c11ec88-14ff-4a2d-945e-a76277395bfe; Hm_lvt_1cd9bcbaae133f03a6eb19da6579aaba=1752119531,1752119879,1752126651,1752126882; cms.locale=zh; Hm_lvt_64e52d9ed8f5acc3eb7d60058e2fb7ab=1753156816; Hm_lpvt_64e52d9ed8f5acc3eb7d60058e2fb7ab=1753156816; HMACCOUNT=71B59AD17A941F07; userInfo={%22id%22:%22682265633886208%22%2C%22createBy%22:%22%22%2C%22createTime%22:%222018-05-01%2003:13:51%22%2C%22updateBy%22:%22admin%22%2C%22updateTime%22:%222020-04-30%2004:56:32%22%2C%22delFlag%22:0%2C%22username%22:%22admin%22%2C%22password%22:null%2C%22nickname%22:%22%E7%AE%A1%E7%90%86%E5%91%98%22%2C%22mobile%22:%2218782059031%22%2C%22email%22:%[email protected]%22%2C%22address%22:%22%E5%8C%97%E4%BA%AC%E5%B8%82%2C%E5%B8%82%E8%BE%96%E5%8C%BA%2C%E4%B8%9C%E5%9F%8E%E5%8C%BA%22%2C%22street%22:%22%E5%A4%A9%E5%BA%9C1%E8%A1%97%22%2C%22sex%22:%22%E7%94%B7%22%2C%22passStrength%22:%22%E5%BC%B1%22%2C%22avatar%22:%22https://ooo.0o0.ooo/2019/04/28/5cc5a71a6e3b6.png%22%2C%22type%22:1%2C%22status%22:0%2C%22description%22:%22%E6%88%91%E6%98%AF%E5%A4%A7%E5%B8%85%E9%80%BC%22%2C%22departmentId%22:%2240322777781112832%22%2C%22departmentTitle%22:%22%E6%80%BB%E9%83%A8%22%2C%22birth%22:%222020-04-15%22%2C%22defaultRole%22:null}


Decoding the value of userInfo via https://www.urldecoder.org/, we can see the sensitive information of the admin's account:

{"id":"682265633886208","createBy":"","createTime":"2018-05-01 03:13:51","updateBy":"admin","updateTime":"2020-04-30 04:56:32","delFlag":0,"username":"admin","password":null,"nickname":"管理员","mobile":"18782059031","email":"[email protected]","address":"北京市,市辖区,东城区","street":"天府1街","sex":"男","passStrength":"弱","avatar":"https://ooo.0o0.ooo/2019/04/28/5cc5a71a6e3b6.png","type":1,"status":0,"description":"我是大帅逼","departmentId":"40322777781112832","departmentTitle":"总部","birth":"2020-04-15","defaultRole":null}


NinjaGPT, Jul 22 '25 10:07
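The audit script below is an added example and is not code from the xboot project or from the reporter. It parses a `Cookie:` header in the shape of the PoC above, URL-decodes any cookie whose value is JSON, and reports which personal-data fields are readable on the client side; it then shows the usual remediation, an opaque random session id with the user record kept server-side. The sensitive-field list, the constructed sample header (fake values) and the `SESSION` cookie name are assumptions made for this example.

```python
"""Audit a Cookie header for personal data stored as client-readable JSON.

Added example, not part of xboot. The cookie name ``userInfo`` and the field
names mirror the report above; all sample values below are constructed.
"""
import json
import secrets
from urllib.parse import unquote

# Fields that should never be readable from a cookie (assumption: list chosen
# for this example, not an xboot setting).
SENSITIVE_FIELDS = {
    "id", "username", "nickname", "mobile", "email", "address", "street",
    "sex", "birth", "password", "passStrength",
}


def parse_cookie_header(header: str) -> dict:
    """Split a raw ``Cookie:`` header value into a name -> raw value map."""
    cookies = {}
    for part in header.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        name, _, value = part.partition("=")
        cookies[name.strip()] = value.strip()
    return cookies


def decode_json_cookie(raw_value: str):
    """URL-decode a cookie value and parse it as JSON; None if it is not JSON."""
    try:
        return json.loads(unquote(raw_value))
    except (ValueError, TypeError):
        return None


def audit_cookies(header: str) -> dict:
    """Return {cookie_name: sorted sensitive keys} for JSON-valued cookies.

    Only keys with a non-empty value are reported, so a ``"password": null``
    entry is not counted as a leak.
    """
    findings = {}
    for name, raw in parse_cookie_header(header).items():
        obj = decode_json_cookie(raw)
        if isinstance(obj, dict):
            leaked = sorted(
                k for k in obj
                if k in SENSITIVE_FIELDS and obj[k] not in (None, "")
            )
            if leaked:
                findings[name] = leaked
    return findings


def make_opaque_session(user_record: dict, store: dict) -> str:
    """Hardened alternative: keep the record server-side, give the client only
    a random token. Returns a Set-Cookie value (cookie name is an assumption)."""
    token = secrets.token_urlsafe(32)
    store[token] = user_record
    return f"SESSION={token}; HttpOnly; Secure; SameSite=Lax; Path=/"


# Constructed sample header in the shape of the report's PoC (values are fake).
SAMPLE_HEADER = (
    "_ga=GA1.1.0.0; "
    "userInfo={%22id%22:%22100%22%2C%22username%22:%22alice%22%2C%22password%22:null"
    "%2C%22mobile%22:%2200000000000%22%2C%22email%22:%22alice%40example.invalid%22"
    "%2C%22birth%22:%222000-01-01%22%2C%22avatar%22:%22https://example.invalid/a.png%22}"
)

if __name__ == "__main__":
    for cookie, fields in audit_cookies(SAMPLE_HEADER).items():
        print(f"{cookie}: client-readable sensitive fields: {', '.join(fields)}")
    session_store = {}
    print("hardened Set-Cookie:", make_opaque_session({"id": "100"}, session_store))
```

Running the script against the sample header reports `userInfo` with `birth, email, id, mobile, username`; the hardened `SESSION` cookie carries no user attributes at all, and `audit_cookies` returns nothing for it. The same check can be pointed at a proxy capture or a test client's cookie jar to catch regressions of this kind before release.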