Jeesns Weibo Topic Reflection XSS

基本字段

漏洞编号:
SSV-97950
披露/发现时间:
未知
提交时间:
2019-05-14
漏洞等级:
漏洞类别:
跨站脚本
影响组件:
Jeesns
漏洞作者:
未知
提交者:
Knownsec
CVE-ID:
补充
CNNVD-ID:
补充
CNVD-ID:
补充
ZoomEye Dork:
补充

来源

漏洞详情

贡献者 共获得  0KB

Jeesns Weibo Topic Reflection XSS

Introduction to Vulnerability

JEESNS is a social management system based on JAVA enterprise-level platform. Based on the advantages of enterprise-level JAVA, such as high efficiency, security and stability, it creates a pioneering domestic Java version of open source SNS. JEESNS can be used to build portals, forums, communities, Weibo, Q&A, knowledge payment platform, etc. In Jeesns <= 1.4.2, there are reflection XSS vulnerabilities in the hot spots of Weibo.

Vulnerability Impact

  • Jeesns <= 1.4.2

Vulnerability Analysis

The data submitted by the user foreground will pass XSSFilter, and the doFilter will call XssWrapper.

Package com.lxinet.jeesns.core.utils;

Import java.util.regex.Matcher;
Import java.util.regex.Pattern;
Import javax.servlet.http.HttpServletRequest;
Import javax.servlet.http.HttpServletRequestWrapper;
Import org.springframework.web.util.HtmlUtils;

Public class XssWrapper extends HttpServletRequestWrapper {
    Private static final String REGEX_SCRIPT = "<script[\\s\\S]*?<\\/script>";
    Private static final String REGEX_STYLE = "<style[^>]*?>[\\s\\S]*?<\\/style>";
......

    Public String getParameter(String parameter) {
        String value = super.getParameter(parameter);
        Return value == null ? null : this.cleanXSS(value);
    }

    Public String getHeader(String name) {
        String value = super.getHeader(name);
        Return value == null ? null : this.cleanXSS(value);
    }

    Private String cleanXSS(String value) {
        Value = dealScript(value);
        Value = dealStyle(value);
        String[] eventKeywords = new String[]{"onmouseover", "onmouseout", "onmousedown", "onmouseup", "onmousemove", "onclick", "ondblclick", "onkeypress", "onkeydown", "onkeyup", "ondragstart", "onerrorupdate", "onhelp", "onreadystatechange", "onrowenter", "onrowexit", "onselectstart", "onload", "onunload", "onbeforeunload", "onblur", "onerror", "onfocus ", "onresize", "onscroll", "oncontextmenu", "alert"};

        For(int i = 0; i < eventKeywords.length; ++i) {
            Value = value.replaceAll("(?i)" + eventKeywords[i], "_" + eventKeywords[i]);
        }

        Return value;
    }

    Private static String dealScript(String val) {
        Pattern p = Pattern.compile("<script[\\s\\S]*?<\\/script>");
        Return htmlEscape(p, val);
    }

    Private static String dealStyle(String val) {
        Pattern p = Pattern.compile("<style[^>]*?>[\\s\\S]*?<\\/style>");
        Return htmlEscape(p, val);
    }

    Private static String htmlEscape(Pattern p, String val) {
        String s;
        String newVal;
        For(Matcher m = p.matcher(val); m.find(); val = val.replace(s, newVal)) {
            s = m.group();
            newVal = HtmlUtils.htmlEscape(s);
        }

        Return val;
    }
}

As you can see, the <script> and <style> tags are filtered, and some HTML events are escaped and filtered. However, when matching tags, there is no case processing, which can be bypassed by capitalization.

There are reflection XSS vulnerabilities in the hot spots of Weibo.

Vulnerability recurrence

http://localhost:8080/weibo/topic/%253cScript%253eprompt(xss)%253c%252fScript%253e

共 0  兑换了

PoC

暂无 PoC

参考链接

解决方案

临时解决方案

暂无临时解决方案

官方解决方案

暂无官方解决方案

防护方案

暂无防护方案

人气 1256
评论前需绑定手机 现在绑定

暂无评论

※本站提供的任何内容、代码与服务仅供学习,请勿用于非法用途,否则后果自负