Submission #818342: QianFox FoxCMS 1.2.6 Doubled Character XSS Manipulations

Information

Title: QianFox FoxCMS 1.2.6 Doubled Character XSS Manipulations
Description:

## Vulnerability Title

Stored XSS and Missing Server-Side Length Validation in Tag, Tag Group, Hotword Group, and Custom Hotword Features

---

## Vulnerability Type

Stored Cross-Site Scripting (Stored XSS)

Missing input validation / Client-side validation bypass

---

## Affected Modules

1. Tag management
2. Tag group management
3. Hotword group management
4. Custom hotword management

---

## Vulnerability Description

The application does not properly validate, filter, or sanitize user input in the tag, tag group, hotword group, and custom hotword features. In addition, when the stored data is rendered on the page, the application does not properly encode the output. As a result, an attacker can store malicious HTML or JavaScript code in the database. When an administrator or another user visits the affected page, the malicious script is executed in the victim's browser, resulting in stored XSS.

Furthermore, although these modules implement input length restrictions on the frontend, the restrictions are enforced only on the client side. An attacker can bypass the length limitation by modifying frontend code, disabling client-side validation, or modifying request parameters. This indicates that the backend lacks proper length validation and input validation.

---

## Proof of Concept

### 1. Stored XSS in Tag Feature

Create or edit a tag in the backend and submit the following payload:

```html
<img src=x onerror=alert(1)>
```

Or:

```html
<input onfocus=alert(1) autofocus>
```

After saving the tag, visit the tag list or tag display page. The JavaScript payload is executed, confirming the stored XSS vulnerability.

The length restriction for this field is enforced only on the frontend and can be bypassed. The backend does not properly validate the input length.

<img width="816" height="464" alt="Image" src="https://github.com/user-attachments/assets/6ac8b9b0-6309-4bb4-9a12-ee2dff9d1994" />
<img width="1482" height="374" alt="Image" src="https://github.com/user-attachments/assets/fba6fe65-f0db-45c6-ade4-b61fea840d54" />

---

### 2. Stored XSS in Tag Group Feature

Submit the following payload in the tag group name field:

```html
<img src=x onerror=alert(1)>
```

Or:

```html
<input onfocus=alert(1) autofocus>
```

After saving the tag group, visit the tag group list or detail page. The stored payload is executed in the browser.

The length restriction for this field is also only implemented on the frontend and can be bypassed.

<img width="1057" height="622" alt="Image" src="https://github.com/user-attachments/assets/9ac60096-c4bf-4321-b504-9e066fe1ef53" />
<img width="1489" height="639" alt="Image" src="https://github.com/user-attachments/assets/6ff2602b-b41d-4946-b868-b3c10c76d33d" />

---

### 3. Stored XSS in Hotword Group Feature

Submit a malicious XSS payload in the hotword group name field. The payload is stored in the database. When the related hotword group page is accessed, the script is executed, resulting in stored XSS.

This module also has a frontend-only length restriction. Since frontend validation cannot be considered a security boundary, an attacker can bypass it and submit input longer than expected. The backend does not properly reject such input.

<img width="1164" height="945" alt="Image" src="https://github.com/user-attachments/assets/191d4aea-8824-4053-ac07-e2f60c176e99" />
<img width="1631" height="690" alt="Image" src="https://github.com/user-attachments/assets/e33adc7a-ba1e-4f3f-b3cd-7e11504032df" />

---

### 4. Stored XSS in Custom Hotword Feature

Submit malicious HTML or JavaScript code in the custom hotword name or content field and save it. When the custom hotword is displayed on the page, the user-controlled input is rendered as HTML and executed by the browser, resulting in stored XSS.

The length restrictions for the custom hotword fields are enforced only on the frontend and can be bypassed by modifying the request.

<img width="1260" height="964" alt="Image" src="https://github.com/user-attachments/assets/db46acb9-2f36-4af0-a87f-bd7e0acf1b67" />
<img width="1587" height="642" alt="Image" src="https://github.com/user-attachments/assets/7406dd30-1c7c-42ee-8447-127f7d9ca1e4" />

---

## Impact

Successful exploitation may allow an attacker to:

- Steal administrator or user cookies, tokens, or other sensitive information;
- Perform actions on behalf of an authenticated administrator;
- Modify backend page content and mislead administrators;
- Conduct phishing attacks or malicious redirects;
- Submit overly long content that may affect page rendering or cause database-related issues;
- Chain this vulnerability with other issues to increase impact;
- Affect normal users if the stored content is displayed on frontend pages.

---

## Severity

Recommended severity: Medium to High

If the vulnerability is triggered in the administrator backend and affects privileged accounts, it should be rated as High severity.

---

## Remediation Recommendations

1. **Enforce length validation on the backend**

   Do not rely only on frontend restrictions. Fields such as tag names, tag group names, hotword group names, and custom hotwords must be validated on the server side.

2. **Implement server-side input allowlisting**

   Only allow characters required by the business logic, such as Chinese characters, letters, numbers, spaces, underscores, and hyphens.

3. **Encode output properly**

   User-controlled data must be HTML-encoded before being rendered in pages.

4. **Avoid unsafe rendering methods**

   Avoid rendering user input with:

   ```js
   innerHTML
   ```

   Use safer methods such as:

   ```js
   textContent
   ```

5. **Use an allowlist-based sanitizer if HTML is required**

   If HTML content must be supported, use a secure sanitizer and block dangerous event attributes and protocols, such as:

   - `onerror`
   - `onload`
   - `onclick`
   - `onfocus`
   - `javascript:`
   - `data:`

6. **Clean historical malicious data**

   After fixing the code, review the database and remove or encode any existing malicious tags, group names, or hotwords.

7. **Apply a Content Security Policy (CSP)**

   CSP can reduce the impact of XSS exploitation.

---

## Retesting After Fix

Retest with the following payloads:

```html
<img src=x onerror=alert(1)>
```

```html
<input onfocus=alert(1) autofocus>
```

Also retest by attempting to bypass the frontend length restriction.

Expected results:

- The backend rejects overly long input;
- The backend rejects illegal characters or dangerous HTML content;
- JavaScript is not executed;
- Malicious content is either encoded as plain text or blocked;
- Backend validation remains effective even if frontend restrictions are bypassed;
- Existing malicious historical data no longer triggers XSS.
Source: ⚠️ https://github.com/QianFox/FoxCMS/issues/2
User: lzihan (UID 97871)
Submitted: 03/05/2026 06:30 (1 month ago)
Moderated: 26/05/2026 18:23 (23 days later)
Status: accepted
VulDB Entry: 365681 [QianFox FoxCMS up to 1.2.6 Administrator Backend /Tag/edit cross site scripting]
Points: 20
