| Title | Xinhu Xinhu OA V2.7.1 JSONP Injection |
|---|
| Description | The rockfun.php file of Xinhu OA V2.7.1 has a security vulnerability. It stems from the system's lack of the necessary filtering and escaping when handling the callback parameter.
The code logic is as follows:
```php
// Vulnerable handler as quoted in the submission: $callback comes straight
// from the request and is echoed unmodified as the function name that wraps $result.
if(! isempt($callback)){
    echo ''.$callback.'('.$result.')';
}else{
    echo $result;
}
exit();
```
The program concatenates the user-supplied $callback variable directly into the response body. An attacker can execute arbitrary script in the context of the victim's browser by supplying malicious JavaScript code as the callback parameter. Although the vendor may consider it "insignificant", in real-world scenarios this vulnerability can be exploited to bypass the Same-Origin Policy (SOP) to obtain sensitive data or launch attacks against administrators.
Advisory/Exploit (Details and POC)
Vulnerable File: rockfun.php
Vulnerable Parameter: callback
Proof of Concept (POC): An attacker can direct a victim to visit the following malicious link:
http://[target]/api.php?callback=<script>alert('xss_test')</script>
(Note: the POC in the original material is >alert('xss_test')>, i.e. an environment that relies on closing an HTML tag or directly injecting a script.)
Company official website URL: http://www.rockoa.com/
Source code download address: http://www.rockoa.com/index.php?a=down&id=298 |
|---|
| User | BlackSpdier (UID 89912) |
|---|
| Submission | 12/28/2025 11:13 (3 months ago) |
|---|
| Moderation | 01/04/2026 18:56 (7 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 339494 [Xinhu Rainrock RockOA up to 2.7.1 API rockfun.php callback cross site scripting] |
|---|
| Points | 17 |
|---|
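For comparison with the rockfun.php snippet quoted in the description, the following is an added example (not RockOA's own code) of a hardened JSONP handler: the callback is accepted only if it is a plain JavaScript identifier path, and the response is sent with a script MIME type and nosniff so the body is never rendered as HTML. Function names are assumptions.

```php
<?php
// Added example, not RockOA's own code: a hardened replacement for the
// callback handling shown in the rockfun.php snippet. Function names are assumptions.

// A callback is accepted only if it looks like a JavaScript identifier path
// ("cb", "jQuery.cb_17"). Tags, quotes, parentheses and whitespace all fail.
function valid_jsonp_callback(string $callback): bool {
    $ident = '[A-Za-z_$][A-Za-z0-9_$]*';
    return strlen($callback) <= 64
        && preg_match("/^{$ident}(\\.{$ident})*$/", $callback) === 1;
}

// Returns [http status, headers, body]. $result must already be JSON text
// (output of json_encode), so the only untrusted part of the body is $callback.
function jsonp_response(string $result, ?string $callback): array {
    $headers = ['X-Content-Type-Options: nosniff'];
    if ($callback === null || $callback === '') {
        $headers[] = 'Content-Type: application/json; charset=utf-8';
        return [200, $headers, $result];
    }
    if (!valid_jsonp_callback($callback)) {
        // Reject rather than "sanitise": a stripped name is still attacker-chosen.
        $headers[] = 'Content-Type: application/json; charset=utf-8';
        return [400, $headers, json_encode(['error' => 'invalid callback'])];
    }
    // Script MIME type so browsers never render the body as HTML; the leading
    // "/**/" is the usual defensive prefix against content-sniffing tricks.
    $headers[] = 'Content-Type: application/javascript; charset=utf-8';
    return [200, $headers, '/**/' . $callback . '(' . $result . ');'];
}

// Constructed demo input: a legitimate callback name a client would send, and
// the tag payload from the PoC above, which now yields a 400 instead of a script.
$result = json_encode(['status' => 'ok']);
foreach (['loadUser', "<script>alert('xss_test')</script>"] as $cb) {
    [$status, $headers, $body] = jsonp_response($result, $cb);
    echo $status, ' ', $body, PHP_EOL;
}
```

In a real handler the returned headers are emitted with header() before the body is echoed; the demo prints them to keep the example runnable from the CLI.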