[CVE-2022–34966] OSSN 6.3 LTS — HTML injection Vulnerability at location parameter
Vulnerability Explanation:
OpenTeknik LLC OSSN OPEN SOURCE SOCIAL NETWORK v6.3 LTS was discovered to contain an HTML injection vulnerability via the location parameter.
Attack Vectors:
An attacker can send HTML code through any vulnerable form field to change the design of the website or any information displayed to the user, saving the information persistently on the site (e.g. database). As a result, the user will see the data sent by the attacker every time he calls up the vulnerable page.
Affected Component:
- http://ip_address:port/ossn/home
- POST /ossn/action/wall/post/u?ossn_ts=1656581755&ossn_token=872b18aaf91ff57aa45cf78c14145534d6b84a10a3d2dc42785cbd01b04a4b38
Payload:
<h1>PWNED</h1>Tested on:
- OSSN v6.3 LTS (https://github.com/opensource-socialnetwork/opensource-socialnetwork/releases/tag/6.3)
- Google Chrome Version 103.0.5060.114 (Official Build) (64-bit)
Steps to attack:
- First we Login to the application with username and password. (If you don’t have an account, you can register)
2. After logging into the application then we click on location button as show in the picture .
3. These fields are vulnerable to stored HTML injection, as shown below and then click post tab in bottom line.
4. As can be seen from the following evidence, the content of the injection was correctly saved on the page and executed each time the analytical driver in question is searched or called up internally by the application.
Request:
Response :
Finally!, We get the HTML Injection on Post page .
Bonus payload 😁
<marquee BODY ONSTART=alert('Grim-The-Ripper-Team-by-SOSECURE-Thailand')>=(◕_◕)=Discoverer:
Grim The Ripper Team by SOSECURE Thailand
Reference:
https://www.opensource-socialnetwork.org/
https://github.com/opensource-socialnetwork/opensource-socialnetwork/releases/tag/6.3
https://www.openteknik.com/contact?channel=ossn
