| عنوان | Yonyou UFIDA ERP-NC V5.0 Cross Site Scripting |
|---|
| الوصف | Summary
Yonyou UFIDA ERP-NC V5.0 contains two reflected Cross-Site Scripting (XSS) vulnerabilities in the login.jsp page. These vulnerabilities arise due to improper handling of user-supplied input in the key and redirect parameters. An attacker can exploit these vulnerabilities by crafting a malicious URL to inject arbitrary JavaScript code, which will be executed in the context of the victim's browser.
Image
Details
The vulnerabilities are located in the login.jsp page, where the key and redirect parameters are directly embedded into the HTML without proper sanitization or escaping. The affected code is as follows:
···
LOGINKEY='<%=request.getParameter("key")==null?"":request.getParameter("key")%>'
redirect='<%=request.getParameter("redirect")==null?"Y":request.getParameter("redirect")%>' />
···
<EMBED type="application/x-java-applet;version=1.5"
name="NCApplet" width="${sWidth}" height="${sHeight}"
pluginspage="http://java.sun.com/products/plugin/"
java_code="nc.ui.sm.login.AppletContainer.class"
java_archive="<%=clientJarPath%>"
java_arguments="-Xmx256m"
scriptable="true" MAYSCRIPT="true"
boxbgcolor="#ffffff" LOGINUITYPE="<%=LoginRequestInfo.getLoginUIType()%>"
SERVER_WORKINGDIR='<%=LoginRequestInfo.getWorkDir()%>'
ClientHome='<%=System.getProperty("nc.client.location")%>'
SCHEME="<%=request.getScheme()%>"
SERVER_HOST_NAME="<%=request.getServerName()%>"
SERVER_IP="<%=serverName%>"
SERVER_PORT="<%=port%>"
clienttype="<%=clientType%>"
CONTEXT_PATH="<%=request.getContextPath()%>"
USER_WIDTH="${sWidth}"
USER_HEIGHT="${sHeight}"
isClientCacheCode="${param.iecache}"
autoTest="${param.autotest}"
AT_SERVER_PORT='<%=System.getProperty("SERVER_PORT")%>'
ACCOUNT="<%=LoginRequestInfo.getAccoutInfo()%>"
SERVERTIME="<%=LoginRequestInfo.getServerTime()%>"
LOGINKEY='<%=request.getParameter("key")==null?"":request.getParameter("key")%>'
redirect='<%=request.getParameter("redirect")==null?"Y":request.getParameter("redirect")%>' />
···
In this code, the key and redirect parameters are retrieved from the user input and directly inserted into the HTML output. This allows an attacker to inject malicious JavaScript code by manipulating these parameters.
Proof of Concept (PoC)
http(s)://target-ip/login.jsp?key=hebing%27%3E%3Csvg%20onload=alert(document.cookie)%3E
http(s)://target-ip/login.jsp?redirect=hebing%27%3E%3Csvg%20onload=alert(document.cookie)%3E
|
|---|
| المصدر | ⚠️ https://github.com/Hebing123/cve/issues/84 |
|---|
| المستخدم | jiashenghe (UID 39445) |
|---|
| ارسال | 10/03/2025 06:21 AM (1 سنة منذ) |
|---|
| الاعتدال | 24/03/2025 12:29 PM (14 days later) |
|---|
| الحالة | تمت الموافقة |
|---|
| إدخال VulDB | 300730 [Yonyou UFIDA ERP-NC 5.0 /login.jsp key/redirect البرمجة عبر المواقع] |
|---|
| النقاط | 20 |
|---|