Total.js, Cross-Site Scripting
2022-03-01 12:51:45
Summary
The Total.js Platform offers an excellent and stable server-side Node.js framework and a client-side library for building web applications, with more than 250 UI components available for free.
I discovered a stored XSS vulnerability in this open-source project.
Analysis
 var parent = item.parent;
 var path = item.name;
 var is = false;
+var cache = {};
+var sub;
 while (parent) {
-    var sub = response.items.findItem('id', parent);
-    if (!sub || sub.url === '/' || sub.id === parent)
+    sub = response.items.findItem('id', parent);
+    if (!sub || sub.url === '/' || cache[sub.id])
         break;
+    cache[sub.id] = 1;
     path = sub.name + ' / ' + path;
     parent = sub.parent;
     is = true;
@@ -274,7 +277,7 @@
 for (var i = 0; i < arr.length - 1; i++) {
     var path = arr[i];
-    builder.push('<span class="silver">{0} /</span>'.format(path.trim()));
+    builder.push('<span class="silver">{0} /</span>'.format(path.trim().encode()));
 }
 return (builder.length ? (builder.join('')) : '') + arr.last();
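Review bot: in the first hunk, the visited-id guard is the right replacement, because the condition it removes, `sub.id === parent`, was always true whenever `findItem('id', parent)` returned an item, so the old loop broke on its first iteration and could never detect a real cycle in the parent chain. One refinement: `cache` is a plain `{}`, so `cache[sub.id]` is also truthy for ids that collide with prototype keys (for example `constructor`), which would end the walk early; `var cache = Object.create(null);` or a `Set` avoids that without changing the rest of the hunk.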
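Review bot: in the second hunk, only the intermediate segments pass through `.encode()`; the final segment is still concatenated raw in `return (builder.length ? (builder.join('')) : '') + arr.last();`. Since the reported payload is the name of the page itself, which ends up as that last segment, the fix is only complete if `arr.last()` is HTML-encoded where the result is rendered; if it is not, `arr.last().encode()` should be applied here as well so the whole breadcrumb is safe regardless of the caller.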
This issue was fixed in commit 95f54a5.
Proof of Concept
PoC : "><img src=x onerror=alert(1)>
1. Install the CMS from before commit 95f54a5
2. Run npm start and open the URL
3. Go to Pages under Content
4. Enter the PoC as the name of the page and create the page.
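The following is an added example, not Total.js code, showing why the breadcrumb output was exploitable and how output encoding neutralises the page name used in the PoC above. It reproduces the shape of the patched function with a constructed page tree and a hand-written `htmlEncode()` standing in for the framework's `String.prototype.encode()`; `ITEMS`, `findItem`, `buildPath`, `renderBreadcrumbVulnerable`, `renderBreadcrumbSafe` and `containsRawTag` are all names chosen for this example. It also carries the patch's visited-id guard so a corrupted tree with a parent cycle cannot hang the walk.

```javascript
// Added example (not Total.js code). Constructed page tree in the shape of the
// CMS items: each entry has an id, a parent id, a url and a display name.
const ITEMS = [
  { id: 'root',  parent: null,   url: '/',          name: 'Home' },
  { id: 'docs',  parent: 'root', url: '/docs',      name: 'Docs' },
  // Page whose name is the advisory's PoC payload (attacker-controlled input).
  { id: 'evil',  parent: 'docs', url: '/docs/evil', name: '"><img src=x onerror=alert(1)>' },
  { id: 'child', parent: 'evil', url: '/docs/evil/child', name: 'Child' },
  // Constructed cycle: a and b name each other as parent.
  { id: 'a', parent: 'b', url: '/a', name: 'A' },
  { id: 'b', parent: 'a', url: '/b', name: 'B' },
];

// Stand-in for Total.js's Array.prototype.findItem('id', value).
function findItem(items, id) {
  return items.find(it => it.id === id) || null;
}

// Minimal HTML encoder for text and attribute contexts; stand-in for
// Total.js's String.prototype.encode().
function htmlEncode(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, ch => map[ch]);
}

// Walk the parent chain to build "Docs / Evil / Child", stopping at the root
// ('/') and at any id already visited, which is the guard the patch introduced.
// Object.create(null) avoids prototype keys such as "constructor" being truthy.
function buildPath(items, item) {
  let parent = item.parent;
  let path = item.name;
  const seen = Object.create(null);
  while (parent) {
    const sub = findItem(items, parent);
    if (!sub || sub.url === '/' || seen[sub.id]) break;
    seen[sub.id] = 1;
    path = sub.name + ' / ' + path;
    parent = sub.parent;
  }
  return path;
}

// Vulnerable form (pre-fix behaviour): segments are concatenated into markup as-is.
function renderBreadcrumbVulnerable(path) {
  const arr = path.split(' / ');
  const builder = [];
  for (let i = 0; i < arr.length - 1; i++)
    builder.push('<span class="silver">' + arr[i].trim() + ' /</span>');
  return builder.join('') + arr[arr.length - 1];
}

// Hardened form: every segment, including the last one, is HTML-encoded before
// it is placed in the markup, so a page name can only ever render as text.
function renderBreadcrumbSafe(path) {
  const arr = path.split(' / ');
  const builder = [];
  for (let i = 0; i < arr.length - 1; i++)
    builder.push('<span class="silver">' + htmlEncode(arr[i].trim()) + ' /</span>');
  return builder.join('') + htmlEncode(arr[arr.length - 1]);
}

// Simple check used to compare both renderers: is a raw <img tag still present?
function containsRawTag(html) {
  return /<img\b/i.test(html);
}

// Demonstration on the constructed tree.
const demoPath = buildPath(ITEMS, findItem(ITEMS, 'child'));
console.log('vulnerable:', renderBreadcrumbVulnerable(demoPath));
console.log('safe:      ', renderBreadcrumbSafe(demoPath));
console.log('cycle walk:', buildPath(ITEMS, findItem(ITEMS, 'a')));
```

Run with `node`: the vulnerable renderer emits the `<img ...>` tag verbatim inside the breadcrumb, the safe renderer emits it as `&quot;&gt;&lt;img ...&gt;`, and the cycle walk terminates after each id has been seen once.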
Reporting Timeline
2022-02-27 15h 16m : Reported this issue via a GitHub issue
2022-02-27 17h 28m : Bug label added by @petersirka
2022-03-01 12h 47m : Issue patched by @petersirka