Total.js CMS, Cross-Site Scripting
2022-03-01 21:51:45

Summary

The Total.js Platform offers you an excellent and stable server-side Node.js framework and a client-side library for creating famous web applications, with more than 250 UI components for free.

I discovered a stored XSS vulnerability in this open-source project.


Analysis

			var parent = item.parent;
var path = item.name;
var is = false;
+ var cache = {};
+ var sub;
while (parent) {
- var sub = response.items.findItem('id', parent);
- if (!sub || sub.url === '/' || sub.id === parent)
+ sub = response.items.findItem('id', parent);
+ if (!sub || sub.url === '/' || cache[sub.id])
break;
+ cache[sub.id] = 1;
path = sub.name + ' / ' + path;
parent = sub.parent;
is = true;
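
Review bot: cache is a plain object literal, so the cache[sub.id] test in the loop condition also sees inherited properties; an id such as "constructor" would read as already visited and end the walk early. Suggest Object.create(null) or a Set for the visited ids, and a short comment saying the guard exists to stop on a parent cycle.
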
@@ -274,7 +277,7 @@

for (var i = 0; i < arr.length - 1; i++) {
var path = arr[i];
- builder.push('<span class="silver">{0} /</span>'.format(path.trim()));
+ builder.push('<span class="silver">{0} /</span>'.format(path.trim().encode()));
}

return (builder.length ? (builder.join('')) : '') + arr.last();
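
Review bot: the return line still appends arr.last() without .encode(), so only the parent segments inside the loop are escaped. If the last segment is the page's own name and the caller inserts this string as HTML, it is still rendered raw; suggest arr.last().encode() there, or a comment stating where the final segment gets encoded.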

This issue was fixed in commit 95f54a5.


Proof of Concept

PoC : "><img src=x onerror=alert(1)>

1. Install a version of the CMS from before commit 95f54a5
2. Run npm start and open the URL
3. Go to Pages of Content
4. Enter the PoC as the name of the page and create the page.
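
A regression check for the fix, as an added example that is not Total.js CMS code: it models the breadcrumb builder with the PoC string as a page name and compares unencoded output with encoded output. The helper names, the sample pages and encodeHtml (a stand-in for the framework's .encode()) are assumptions.

```javascript
// Added example, not Total.js CMS code. encodeHtml stands in for the
// framework's String.prototype.encode(); all names here are hypothetical.
function encodeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'
  }[ch]));
}

// Walk parent links to collect page names, root first.
// A Set of visited ids stops the walk when parents form a cycle.
function breadcrumbNames(items, id) {
  const byId = new Map(items.map((it) => [it.id, it]));
  const seen = new Set();
  const names = [];
  let item = byId.get(id);
  while (item && !seen.has(item.id)) {
    seen.add(item.id);
    names.unshift(item.name);
    item = byId.get(item.parent);
  }
  return names;
}

// Render the trail; every segment, including the last, goes through encode.
function renderBreadcrumb(names, encode = encodeHtml) {
  const head = names.slice(0, -1)
    .map((n) => '<span class="silver">' + encode(n.trim()) + ' /</span>');
  const last = names.length ? encode(names[names.length - 1].trim()) : '';
  return head.join('') + last;
}

// Constructed sample data: the PoC string as a parent page name, plus a cycle.
const POC = '"><img src=x onerror=alert(1)>';
const pages = [
  { id: 'a', name: POC, parent: 'b' },
  { id: 'b', name: 'Docs', parent: 'a' }, // cycle: a -> b -> a
  { id: 'c', name: 'Child', parent: 'a' }
];

function demo() {
  const names = breadcrumbNames(pages, 'c');
  return {
    names,
    unsafe: renderBreadcrumb(names, (s) => s), // pre-fix behaviour: no encoding
    safe: renderBreadcrumb(names)
  };
}
```
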

Reporting Timeline

  • 2022-02-27 15h 16m : Reported this issue via a GitHub issue
  • 2022-02-27 17h 28m : Bug label added by @petersirka
  • 2022-03-01 12h 47m : Issue patched by @petersirka

Reference
