fileupload.html.dsp has XSS problem

XMLWordPrintable

    • None

      Steps to Reproduce

      1. run the attached zul
      2. open the dev tool
      3. click the upload button, the upload dialog appears
      4. get request url for dsp file like http://localhost:8080/zk3upload/zkau/web/660e7a2d/upload/fileupload.html.dsp?dtid=gjm31&uuid=z_jm_3&max=-1&native=false
      5. append js injection code %0A%2f%2f-%3E%0A%3C%2fscript%3Eipt%3E%0A%3Cimg%20src%3dx%20onerror%3dalert(1)%3E%3C!- after uuid like http://localhost:8080/zk3upload/zkau/web/660e7a2d/upload/fileupload.html.dsp?dtid=gjm31&uuid=z_jm_3%0A%2f%2f--%3E%0A%3C%2fscript%3Eipt%3E%0A%3Cimg%20src%3dx%20onerror%3dalert(1)%3E%3C!--&max=-1&native=false
      6. request the forged URL with a browser

      Current Result

      the javascript is injected into the page and execute alert(1)

      Expected Result

      no javascript executed

            Assignee:
            hawk
            Reporter:
            hawk
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Created:
              Updated:
              Resolved: