## Jfinal cms comment stored XSS
### Vulnerability Introduction
JFinal cms is a content management system built on the lightweight JFinal web framework. It uses Beetl as the template engine, MySQL as the database, and Bootstrap and Flat UI on the front end. It supports multiple sites, OAuth2 authentication, account registration, password encryption, comments and replies, message notifications, site traffic statistics, per-article comment and page-view counts, response management, permission management, and more.
### Vulnerability impact
- JFinal cms <= v4.7.1
### Vulnerability analysis
The vulnerable code is the comment-saving action `save()` in `com/jflyfox/modules/front/controller/CommentController.java`:
```java
public void save() {
    JSONObject json = new JSONObject();
    json.put("status", 2); // failure

    // Only logged-in users may comment
    SysUser user = (SysUser) getSessionUser();
    if (user == null) {
        json.put("msg", "Not logged in, cannot comment!");
        renderJson(json.toJSONString());
        return;
    }

    // Comment fields are bound straight from the request parameters
    TbComment comment = getModel(TbComment.class);
    if (StrUtils.isEmpty(comment.getStr("content"))) {
        json.put("msg", "Comment content cannot be empty!");
        renderJson(json.toJSONString());
        return;
    }

    // Save the comment: "content" is persisted exactly as submitted,
    // with no HTML filtering or encoding
    new CommentService().saveComment(user, comment);

    // Build the JSON response; the raw content is echoed back as well
    json.put("comment_id", comment.getInt("id"));
    json.put("content", comment.getStr("content"));
    json.put("title_url", user.getStr("title_url"));
    json.put("reply_userid", comment.getInt("reply_userid"));
    json.put("reply_username", UserCache.getUser(comment.getInt("reply_userid")).getUserName());
    json.put("create_id", user.getUserid());
    json.put("create_name", user.getUserName());
    json.put("create_time", comment.getStr("create_time"));
    json.put("status", 1); // success
    renderJson(json.toJSONString());
}
```
When a user submits a comment on an article, the `content` parameter is bound into the `TbComment` model and written to the database without any filtering or HTML encoding. The stored value is later rendered into the article page (and the admin review page) unescaped, so a comment containing HTML or script is executed in the browser of anyone who views it: a stored XSS.
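A hardened version of the action, as an added example that is not the project's own code. It mirrors the shape of the original `save()` and assumes the same project classes (`SysUser`, `TbComment`, `CommentService`, `StrUtils`, `UserCache`, the base controller's `getSessionUser()`) and a fastjson `JSONObject`; the `escapeHtml` helper is new. The content is HTML-encoded once, before it is persisted, so the article page, the admin review page and the JSON reply all receive an inert string.

```java
import com.alibaba.fastjson.JSONObject; // assumed: the JSON library behind toJSONString() in the original

public class CommentController extends BaseController { // BaseController: the project's base class, assumed

    // Added helper: encode the characters that can break out of an HTML text
    // or attribute context. Everything else is passed through unchanged.
    static String escapeHtml(String s) {
        if (s == null) {
            return null;
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public void save() {
        JSONObject json = new JSONObject();
        json.put("status", 2); // failure

        SysUser user = (SysUser) getSessionUser();
        if (user == null) {
            json.put("msg", "Not logged in, cannot comment!");
            renderJson(json.toJSONString());
            return;
        }

        TbComment comment = getModel(TbComment.class);
        String content = comment.getStr("content");
        if (StrUtils.isEmpty(content)) {
            json.put("msg", "Comment content cannot be empty!");
            renderJson(json.toJSONString());
            return;
        }

        // Hardening: neutralise HTML before the value reaches the database,
        // so every later read of the row renders as text, not markup.
        // e.g. "<script>alert(1)</script>" -> "&lt;script&gt;alert(1)&lt;/script&gt;"
        String safeContent = escapeHtml(content);
        comment.set("content", safeContent);

        new CommentService().saveComment(user, comment);

        // Return the encoded form, never the raw request parameter: the
        // front-end script inserts this value into the page directly.
        json.put("comment_id", comment.getInt("id"));
        json.put("content", safeContent);
        json.put("title_url", user.getStr("title_url"));
        json.put("reply_userid", comment.getInt("reply_userid"));
        json.put("reply_username", UserCache.getUser(comment.getInt("reply_userid")).getUserName());
        json.put("create_id", user.getUserid());
        json.put("create_name", user.getUserName());
        json.put("create_time", comment.getStr("create_time"));
        json.put("status", 1); // success
        renderJson(json.toJSONString());
    }
}
```

Encoding at storage time is the smallest change to this controller, but it is not a substitute for output encoding: any Beetl template or front-end script that prints a comment should still HTML-escape it at render time, so that rows written by other code paths (imports, older versions, the admin side) are covered too. If the site intends to allow some markup in comments, replace `escapeHtml` with an allow-list HTML sanitizer rather than loosening the escaping.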
### Vulnerability recurrence
1. Register a regular user.
2. Add a comment to a published article.
3. Enter an XSS payload (for example, a `<script>` tag) as the comment content.
![](https://images.seebug.org/1553770937634-w331s)
4. Click Publish and capture the request with Burp Suite; the `content` parameter is sent to the server unmodified.
![](https://images.seebug.org/1553770944178-w331s)
5. The XSS fires when the comment is viewed on the article page, and again when the comment is reviewed in the admin backend, so an administrator's session is exposed as well.
![](https://images.seebug.org/1553770950601-w331s)