
Issue ID: CVE-2022-33113

Open bharathmohanraj opened this issue 3 years ago • 2 comments

Description: Jfinal CMS v5.1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the keyword text field under the publish blog module.

Fixed in any other branch? : Fix doesn't exist in any of the existing branches.

Root cause: This vulnerability affects an unknown part of the Jfinal CMS component Publish Blog Module. The manipulation of the argument "keyword" with an unknown input leads to a cross-site scripting vulnerability. The CWE definition for the vulnerability is CWE-79. The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. As an impact it is known to affect integrity. An attacker might be able to inject arbitrary HTML and script code into the web site. This would alter the appearance and would make it possible to initiate further attacks against site visitors.

Steps to reproduce:

  • There is a stored XSS vulnerability in JFinal_cms's publish blog module.
  • An attacker can insert malicious XSS code into the "Keyword" field. When the user views the content of the article in the foreground, the malicious XSS code is triggered successfully.
  • payload: " onmouseover="alert(document.cookie)

Additional Findings:

  • As per CVE-2022-33113, the XSS vulnerability is seen in the "Keyword" field. But the same vulnerability is applicable to the "Topic" field as well.

Fix:

  • The fix here is to ensure that the input strings from the portal are sanitized properly to get rid of the HTML strings/tags.
  • Here, we are making use of Apache Commons Lang's StringEscapeUtils APIs - escapeHtml() and unescapeHtml().
  • escapeHtml(): Escapes the characters in a String using HTML entities. For example: "bread" & "butter" becomes: &quot;bread&quot; &amp; &quot;butter&quot;.
  • unescapeHtml(): Unescapes a string containing entity escapes to a string containing the actual Unicode characters corresponding to the escapes. For example, the string "&lt;Fran&ccedil;ais&gt;" will become "<Français>".
  • The fix is added in the "AlertController" and "PersonController" classes in the "com.jflyfox.modules.front.controller" package. Also, the "HtmlUtils" class will now expose two utility methods - escapeHtml() and unescapeHtml(), which can be used if required elsewhere.
  • The changes are added here to make use of the escapeHtml() and unescapeHtml() in the "HtmlUtils" class for strings specified in the "Topic" and "Keyword" fields.

Unit Testing:

  • Verified that the XSS vulnerability is no longer applicable for the "Topic" and "Keyword" fields.
  • Verified the fix in Chrome, Mozilla and Firefox browsers.

bharathmohanraj avatar Jul 11 '22 06:07 bharathmohanraj
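An added illustration of the escaping wrapper the fix describes; this is not code from the jfinal_cms PR. It assumes Commons Lang 2.x (`org.apache.commons.lang.StringEscapeUtils`, which is where `escapeHtml()`/`unescapeHtml()` live); the class name `HtmlUtilsExample` and the sample input are constructed here.

```java
import org.apache.commons.lang.StringEscapeUtils;

// Hypothetical stand-in for the HtmlUtils helper described in the fix
// (added example, not the project's own class).
public final class HtmlUtilsExample {

    private HtmlUtilsExample() {}

    /** Escapes &, <, >, " and accented characters as HTML entities. */
    public static String escapeHtml(String input) {
        return input == null ? null : StringEscapeUtils.escapeHtml(input);
    }

    /** Reverse of escapeHtml(): turns entity escapes back into characters. */
    public static String unescapeHtml(String input) {
        return input == null ? null : StringEscapeUtils.unescapeHtml(input);
    }

    public static void main(String[] args) {
        // Constructed input: the attribute-breaking payload from the report,
        // as it would arrive in the "Keyword" (or "Topic") request parameter.
        String keyword = "\" onmouseover=\"alert(document.cookie)";

        // What the controller stores after the fix. Each double quote becomes
        // &quot;, so the value can no longer close the attribute it is
        // rendered into, and the onmouseover text stays inert data.
        String stored = escapeHtml(keyword);
        System.out.println("stored : " + stored);

        // Round trip for editing or for non-HTML contexts (plain-text search,
        // JSON APIs) where the raw characters are wanted back.
        String original = unescapeHtml(stored);
        System.out.println("matches: " + original.equals(keyword));
    }
}
```

Because the fix escapes at input time, the stored value is already entity-encoded; a template that escapes it again on output would show `&amp;quot;` to readers, so output encoding must be applied to this field only once.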

This PR #44 fixes issue #39 and issue #42

bharathmohanraj avatar Jul 11 '22 08:07 bharathmohanraj

@zcool321 Hi George, Could you please review this pull request URL: https://github.com/jflyfox/jfinal_cms/pull/44, and let me know your thoughts? Thanks.

bharathmohanraj avatar Jul 19 '22 16:07 bharathmohanraj

Hello, I have received your message! Thank you! Best Wishes! ——孔祥亮

ElevenKong avatar Oct 11 '22 08:10 ElevenKong