Summary
HadSky v7.6.3 has been found to have a stored XSS vulnerability. This issue occurs because the application fails to properly sanitize input passed via the 'url' parameter to the 'remotelink' function.
Details
An attacker can exploit this weakness with a crafted HTTP request such as:
https://your-ip/index.php?c=app&a=puyuetianeditor:index&s=remotelink&url=%0d</script><script>alert(document.cookie)</script>
The application stores the supplied value and assigns it a link ID (for instance, ID = 36).
The attacker then lures a user into visiting the corresponding download link: https://your-ip/index.php?c=app&a=puyuetianeditor:index&s=download&id=36
The %0d (a URL-encoded carriage return) at the start of the payload is what makes the bug exploitable. The download endpoint answers with a redirect whose Location header carries the stored URL, and a browser that follows a redirect never renders the response body, so on its own the injected script would be harmless. A carriage return in the value causes the Location header to be dropped (PHP's header() refuses to send a header value containing CR or LF), so the browser receives a response with no redirect target and renders the body instead, where the stored payload closes the existing script block and opens its own.
The root cause is the lack of input validation in the 'remotelink' handler: the 'url' parameter is stored without any filtering or encoding and is later reflected verbatim into the response.
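To make the mechanism concrete, the following Python model is an added example written for this page; it is not HadSky's code. It emulates the two behaviours described above: a download endpoint that reflects the stored URL into an inline script (the exact markup HadSky emits is not on this page, so the script context is an assumption consistent with the </script>-breaking payload) and a header layer that, like PHP's header(), drops any header value containing CR or LF. Beside it is the validation a hardened remotelink handler should apply before storing the value; it goes slightly beyond the page's payload by also rejecting non-http(s) schemes such as javascript:.

```python
import html
import re
from urllib.parse import urlsplit

# Payload from the advisory, URL-decoded (%0d -> carriage return).
ADVISORY_PAYLOAD = "\r</script><script>alert(document.cookie)</script>"

CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def send_header(headers: dict, name: str, value: str) -> bool:
    """Emulates PHP's header(): a value containing CR or LF is refused
    (PHP logs a warning and sends nothing), so the header silently vanishes."""
    if "\r" in value or "\n" in value:
        return False
    headers[name] = value
    return True


def vulnerable_download(stored_url: str):
    """Model of the flawed 's=download' flow: the stored 'url' is written into
    a Location header and also reflected, unescaped, into an inline script.
    (Assumed markup; HadSky's real template is not reproduced here.)"""
    headers = {}
    send_header(headers, "Location", stored_url)
    body = f'<script>window.location.href = "{stored_url}";</script>'
    return 302, headers, body


def browser_renders_body(status: int, headers: dict) -> bool:
    """A browser follows a 3xx that has a Location header and never shows its
    body; without Location it has nothing to follow and renders the body."""
    return not (300 <= status < 400 and "Location" in headers)


def validate_remote_url(url: str) -> str:
    """Hardened check for a 'remotelink' handler: fail closed before storing.
    Rejects control characters (kills the %0d trick and header injection) and
    anything that is not an absolute http(s) URL (kills javascript:, data:, ...)."""
    if CONTROL_CHARS.search(url):
        raise ValueError("control characters are not allowed in url")
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("url must be an absolute http(s) URL")
    return url


def is_accepted(url: str) -> bool:
    """Convenience wrapper: True if validate_remote_url accepts the value."""
    try:
        validate_remote_url(url)
    except ValueError:
        return False
    return True


def hardened_download(stored_url: str):
    """Hardened 's=download': validate again on output (defence in depth) and
    never reflect the value into a script context; an escaped href suffices."""
    url = validate_remote_url(stored_url)
    headers = {}
    send_header(headers, "Location", url)
    body = f'<a href="{html.escape(url, quote=True)}">Continue</a>'
    return 302, headers, body


if __name__ == "__main__":
    status, hdrs, body = vulnerable_download(ADVISORY_PAYLOAD)
    print("Location present:", "Location" in hdrs)
    print("body rendered:   ", browser_renders_body(status, hdrs))
    print(body)
    try:
        hardened_download(ADVISORY_PAYLOAD)
    except ValueError as exc:
        print("hardened handler rejected payload:", exc)
```

Running the model with the advisory payload shows the Location header missing and the body (now containing a second, attacker-controlled script block) being rendered; with an ordinary https URL the redirect is sent and the body is never displayed. The hardened handler refuses the payload at validation time, so nothing reaches the response.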
Proof of Concept (POC)
Send the following GET request to the target server:
https://your-ip/index.php?c=app&a=puyuetianeditor:index&s=remotelink&url=%0d</script><script>alert(document.cookie)</script>
Obtain the generated link ID and craft the download link:
https://your-ip/index.php?c=app&a=puyuetianeditor:index&s=download&id=[OBTAINED_ID]
Distribute the crafted link; the XSS payload executes when a user visits it.
Because HadSky's editor treats the embed tag as a safe tag, the attacker does not even need to distribute the link: the crafted download link can be placed in an article through an embed tag, so the stored XSS fires for anyone who reads that article.
Impact
This vulnerability allows an attacker to execute arbitrary HTML and JavaScript in the context of the victim's browser session. Depending on the payload, the script could steal session cookies or credentials, perform actions on the user's behalf, or deface the website. The severity is high: the payload is stored server-side, the %0d trick defeats the redirect that would otherwise prevent execution, and the embed vector lets it fire without the victim clicking an attacker-supplied link.