Reflected XSS via GET method

XMLWordPrintable

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Normal
    • None
    • Affects Version/s: 6.5.3
    • Component/s: General
    • None

      There is a potential reflected XSS via GET method vulnerability in ZK.
      Vulnerability is in servlet providing file downloading function: /zkau/view/dwnmed-1/.

      Execute anonymous HTTP GET: /zkau/view/dwnmed-1AEC2/%3Cimg%20src%3D%22x%3Ax%22%20onerror%3D%22alert%28122%29%22%3E
      Part of the response body is inlined <img /> from request URI which (if) contains JS, then this JS is executed.

      Another GET example with some known parameters (from client session): /zkau/view/z_x7j/dwnmed-1000/%3cscript%3ealert('PoC AEC XSS Reflected')%3c/script%3e (check attached screenshot)

        1. xss.png
          xss.png
          18 kB
        2. xss.war
          5.13 MB

            Assignee:
            ChunfuChang
            Reporter:
            mixgho
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Created:
              Updated:

                Estimated:
                Original Estimate - Not Specified
                Not Specified
                Remaining:
                Remaining Estimate - 0 minutes
                0m
                Logged:
                Time Spent - 4 hours
                4h