
There is a stored XSS vulnerability when adding articles in the DuxCMS3.1.3Beta4 admin back end.

Open czheisenberg opened this issue 8 months ago • 0 comments

Project address: https://github.com/duxphp/DuxCMS3/

Preparation: log in to the admin back end.

Vulnerability URL: http://127.0.0.1:8093/s/article/Content/add?

POC:

POST http://127.0.0.1:8093/s/article/Content/add? HTTP/1.1
Host: 127.0.0.1:8093
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 328
Origin: http://127.0.0.1:8093
Connection: close
Referer: http://127.0.0.1:8093/s/article/Content/add?
Cookie: PHPSESSID=af75la6jq4hp11pn3gv4ttj15o
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=1


class_id=1&title=<script>alert('title')</script>&sub_title=2&image="><img%20src=x%20onerror=alert('img')>&auth=%3Cscript%3Ealert('auth')%3C%2Fscript%3E&sort=2&virtual_view=3&content=<script>alert('content')</script>&keyword=<script>alert('keyword')</script>&description=<script>alert('description')</script>&status=1&article_id=

Tested: title, image, auth, content, and description do not check the input. Direct insertion into the database results in a stored XSS vulnerability. auth is not displayed on the page, so it is not triggered. Visit the home page, http://127.0.0.1:8093/ (your IP and port). (screenshots)

Click on the article. (screenshots)

All of the above parameters are triggered.

Vulnerability code:

app/article/model/ArticleModel.php

Lines 64-99.

(screenshot)

From the name, _saveBefore() can be inferred to do some processing before saving.

But this part of the code only checks for the existence of the content and description parameters. The other parameters do not appear in this part of the code, so they cannot be verified.

Only keyword is specially treated (htmlClear()).

So we can insert a malicious XSS payload.

Take a look at what is saved in the database. (screenshot) Title, description, image, and auth are saved as-is; content has an escape operation, but it is still triggered on the previous page. Only in the keyword parameter is <script> filtered out.

(screenshots) When the foreach on line 75 is executed, <script> and </script> are removed. (screenshot)

From the return value, you can see that the keyword is processed. That is to say, the _saveBefore() function is used to do some processing before saving, but only on keyword and no other parameters. So the other parameters accept malicious code, which leads to this vulnerability.

czheisenberg avatar Jun 11 '24 03:06 czheisenberg
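The report above boils down to a save hook that treats only keyword. The following is an added example written for this page, not DuxCMS3's own code: it assumes a hook that takes and returns the submitted data array (the real _saveBefore() signature is not shown here), uses the field names from the POC, and applies escaping to the plain-text fields, a URL check to image, and a tag/attribute allow-list to content. The ALLOWED_TAGS and ALLOWED_ATTRS lists and the sanitizeArticleData() name are assumptions chosen for the illustration.

```php
<?php
// Added example, not DuxCMS3 code: a save-time sanitiser covering every
// article field the POC sends, instead of only keyword. The hook shape
// (a function that takes and returns the submitted data array) is an
// assumption; the real _saveBefore() signature is not shown in the report.
declare(strict_types=1);

// Plain-text fields: HTML must never render here, so everything is escaped.
const PLAIN_TEXT_FIELDS = ['title', 'sub_title', 'auth', 'keyword', 'description'];
// URL fields: only http(s) URLs or site-relative paths are accepted.
const URL_FIELDS = ['image'];
// Rich-text fields from the editor: tag/attribute allow-list, everything else dropped.
const RICH_TEXT_FIELDS = ['content'];

// Assumed allow-lists for the rich-text field.
const ALLOWED_TAGS  = ['p', 'br', 'b', 'strong', 'i', 'em', 'ul', 'ol', 'li',
                       'h2', 'h3', 'blockquote', 'a', 'img'];
const ALLOWED_ATTRS = ['a' => ['href'], 'img' => ['src', 'alt']];

function escapePlainText(string $value): string
{
    // ENT_QUOTES also encodes ', so the value is safe inside single-quoted attributes.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function sanitizeUrl(string $value): string
{
    $value = trim($value);
    // No quotes, angle brackets, whitespace or javascript: may survive. Anything that
    // is not an http(s) URL or a site-relative path (protocol-relative excluded) becomes empty.
    return preg_match('#\A(?:https?://|/(?!/))[^\s"\'<>]*\z#i', $value) === 1 ? $value : '';
}

function sanitizeRichText(string $html): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);          // fragments produce harmless parser warnings
    $doc->loadHTML('<?xml encoding="UTF-8"><div>' . $html . '</div>',
                   LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();
    $root = $doc->documentElement;             // the wrapping <div>
    if ($root === null) {
        return '';
    }
    cleanNode($root);
    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);        // text nodes are re-escaped on output
    }
    return $out;
}

function cleanNode(DOMNode $node): void
{
    // Walk a static copy: removing children while iterating the live list skips nodes.
    foreach (iterator_to_array($node->childNodes, false) as $child) {
        if ($child instanceof DOMElement) {
            $tag = strtolower($child->tagName);
            if (!in_array($tag, ALLOWED_TAGS, true)) {
                // Unknown elements (script, iframe, style, svg, ...) are removed together
                // with their content, so a script body never reaches the page.
                $node->removeChild($child);
                continue;
            }
            foreach (iterator_to_array($child->attributes, false) as $attr) {
                $name    = strtolower($attr->name);
                $allowed = in_array($name, ALLOWED_ATTRS[$tag] ?? [], true);
                // on* handlers are never allow-listed; href/src must also pass the URL check.
                if (!$allowed || (($name === 'href' || $name === 'src') && sanitizeUrl($attr->value) === '')) {
                    $child->removeAttribute($attr->name);
                }
            }
            cleanNode($child);
        } elseif (!$child instanceof DOMText) {
            $node->removeChild($child);        // comments and other non-text nodes
        }
    }
}

function sanitizeArticleData(array $data): array
{
    foreach (PLAIN_TEXT_FIELDS as $field) {
        if (isset($data[$field])) {
            $data[$field] = escapePlainText((string) $data[$field]);
        }
    }
    foreach (URL_FIELDS as $field) {
        if (isset($data[$field])) {
            $data[$field] = sanitizeUrl((string) $data[$field]);
        }
    }
    foreach (RICH_TEXT_FIELDS as $field) {
        if (isset($data[$field])) {
            $data[$field] = sanitizeRichText((string) $data[$field]);
        }
    }
    return $data;
}

// Run against the field values from the POC in the report (constructed input).
$poc = [
    'title'       => "<script>alert('title')</script>",
    'image'       => "\"><img src=x onerror=alert('img')>",
    'auth'        => "<script>alert('auth')</script>",
    'content'     => "<p>hello</p><script>alert('content')</script><img src=x onerror=alert(1)>",
    'keyword'     => "<script>alert('keyword')</script>",
    'description' => "<script>alert('description')</script>",
];
print_r(sanitizeArticleData($poc));
```

Two caveats on the design. Escaping at save time, as this example does for the plain-text fields, means the templates must not escape the same values again, or visible text gets double-encoded; output-time escaping in the template layer is the more robust baseline, and save-time sanitising is the extra layer for fields such as content that have to keep some HTML. For that rich-text field, a maintained sanitiser such as HTML Purifier is preferable in production to a hand-rolled allow-list like the one above, which is only meant to show what the check has to cover.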