Uploaded image for project: 'ZK'
  1. ZK
  2. ZK-2500

Reflected XSS via GET method

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Unresolved
    • Icon: Normal Normal
    • None
    • 6.5.3
    • General

      There is a potential reflected XSS via GET method vulnerability in ZK.
      Vulnerability is in servlet providing file downloading function: /zkau/view/dwnmed-1/.

      Execute anonymous HTTP GET: /zkau/view/dwnmed-1AEC2/%3Cimg%20src%3D%22x%3Ax%22%20onerror%3D%22alert%28122%29%22%3E
      Part of the response body is inlined <img /> from request URI which (if) contains JS, then this JS is executed.

      Another GET example with some known parameters (from client session): /zkau/view/z_x7j/dwnmed-1000/%3cscript%3ealert('PoC AEC XSS Reflected')%3c/script%3e (check attached screenshot)

        1. xss.war
          5.13 MB
        2. xss.png
          xss.png
          18 kB

            ChunfuChang ChunfuChang
            mixgho mixgho
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Created:
              Updated:

                Estimated:
                Original Estimate - Not Specified
                Not Specified
                Remaining:
                Remaining Estimate - 0 minutes
                0m
                Logged:
                Time Spent - 4 hours
                4h