bbs-go icon indicating copy to clipboard operation
bbs-go copied to clipboard

Published 20 hours ago verified publisher icon mlogclub

bbs-go 存储式跨站脚本漏洞2

Open cuiyan142857 opened this issue 1 year ago • 2 comments

漏洞名称 bbs-go 存储式跨站脚本漏洞

受影响实体版本号 bbs-go <= 3.5.5

漏洞类型 存储式跨站脚本

危害等级 中危

漏洞简介 bbs-go是一个使用Go语言搭建的开源社区系统,采用前后端分离技术,Go语言提供api进行数据支撑,用户界面使用Nuxt.js进行渲染,后台界面基于element-ui。 bbs-go存在存储式跨站脚本漏洞,该漏洞源于程序未正确处理来自用户的输入。管理员登录管理端后,在系统设置-网站公告处可以注入恶意javascript脚本,任意用户在前台访问网站时,会触发恶意脚本,导致泄露cookie等信息。 以下产品及版本受到影响:bbs-go <= 3.5.5 bbs-go的下载地址:https://github.com/mlogclub/bbs-go

漏洞验证 前置条件:管理端具有管理员权限 步骤:

  1. 运行bbs-go = 3.5.5环境
  2. 配置burpsuite抓包
  3. 管理员账号admin/123456登录管理端
  4. 系统设置-网站公告处,输入payload

图片

完整请求报文: POST /api/admin/sys-config/save HTTP/1.1 Host: 192.168.111.130:8082 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/110.0 Accept: application/json, text/plain, / Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded X-User-Token: 57581e925fad47688596c13f8a48803d Content-Length: 1382 Origin: http://192.168.111.130:8080 Connection: close Referer: http://192.168.111.130:8080/

config=%7B%22siteTitle%22%3A%22bbs-go%E6%BC%94%E7%A4%BA%E7%AB%99%22%2C%22siteDescription%22%3A%22bbs-go%EF%BC%8C%E5%9F%BA%E4%BA%8EGo%E8%AF%AD%E8%A8%80%E7%9A%84%E5%BC%80%E6%BA%90%E7%A4%BE%E5%8C%BA%E7%B3%BB%E7%BB%9F%22%2C%22siteKeywords%22%3Anull%2C%22siteNavs%22%3A%5B%7B%22title%22%3A%22%E9%A6%96%E9%A1%B5%22%2C%22url%22%3A%22%2F%22%7D%2C%7B%22title%22%3A%22%E8%AF%9D%E9%A2%98%22%2C%22url%22%3A%22%2Ftopics%22%7D%2C%7B%22title%22%3A%22%E6%96%87%E7%AB%A0%22%2C%22url%22%3A%22%2Farticles%22%7D%5D%2C%22siteNotification%22%3A%22%3Cscript%3Ealert%28123%29%3C%2Fscript%3E%22%2C%22recommendTags%22%3Anull%2C%22urlRedirect%22%3Afalse%2C%22scoreConfig%22%3A%7B%22postTopicScore%22%3A1%2C%22postCommentScore%22%3A1%2C%22checkInScore%22%3A1%7D%2C%22defaultNodeId%22%3A1%2C%22articlePending%22%3Afalse%2C%22topicCaptcha%22%3Afalse%2C%22userObserveSeconds%22%3A0%2C%22tokenExpireDays%22%3A365%2C%22loginMethod%22%3A%7B%22password%22%3Atrue%2C%22qq%22%3Atrue%2C%22github%22%3Atrue%2C%22osc%22%3Afalse%7D%2C%22createTopicEmailVerified%22%3Afalse%2C%22createArticleEmailVerified%22%3Afalse%2C%22createCommentEmailVerified%22%3Afalse%2C%22enableHideContent%22%3Afalse%2C%22modules%22%3A%5B%7B%22module%22%3A%22tweet%22%2C%22enabled%22%3Atrue%7D%2C%7B%22module%22%3A%22topic%22%2C%22enabled%22%3Atrue%7D%2C%7B%22module%22%3A%22article%22%2C%22enabled%22%3Atrue%7D%5D%2C%22emailWhitelist%22%3Anull%7D 5. 任意用户访问前台,直接触发XSS:

图片

修复建议 bbs-go\server\controllers\api\config_controller.go:16 增加一行 config.SiteNotification = render.HandleHtmlContent(config.SiteNotification) 同时bbs-go\server\controllers\render\misc_render.go:26中的handleHtmlContent方法名改成公开方法HandleHtmlContent 其他render中引用该方法的也需要改一下方法名 controllers/render/article_render.go:34 controllers/render/article_render.go:36 controllers/render/comment_render.go:71 controllers/render/comment_render.go:73 controllers/render/topic_render.go:76

cuiyan142857 avatar Jun 13 '23 03:06 cuiyan142857

感谢反馈

bbbbbbbbbbbbba avatar Jun 14 '23 07:06 bbbbbbbbbbbbba

倒不如😀 if strings.Contains(v, "script") { v = strings.ReplaceAll(v, "script", "a") }

YspCoder avatar Nov 11 '23 22:11 YspCoder

这个地方只有管理员才能修改。如果管理员想这么配置,我认为可以不限制。

bbbbbbbbbbbbba avatar Mar 01 '24 03:03 bbbbbbbbbbbbba