Description

HAXcms Has Stored XSS Vulnerability that May Lead to Account Takeover

Summary

Stored XSS Leading to Account Takeover

Details

The Exploit Chain: 1.Upload: The attacker uploads an .html file containing a JavaScript payload. 2.Execution: A logged-in administrator is tricked into visiting the URL of this uploaded file. 3.Token Refresh: The JavaScript payload makes a fetch request to the /system/api/refreshAccessToken endpoint. Because the administrator is logged in, their browser automatically attaches the haxcms_refresh_token cookie to this request. 4.JWT Theft: The server validates the refresh token and responds with a new, valid JWT access token in the JSON response. 5.Exfiltration: The JavaScript captures this new JWT from the response and sends it to an attacker-controlled server. 6.Account Takeover: The attacker now possesses a valid administrator JWT and can take full control of the application.

Vulnerability recurrence:

Then we test access to this html

You can obtain other people's identity information

PoC

POST /system/api/saveFile?siteName=yu&site_token=neWmRyvNbCCwiQ7MP2ojAjVMk-HtjlKYNOqsQjLt3RQ&jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpZCI6IlVqUzd6NFRFano1Q2xUMERiNnU0RmFROWJZSXgyMjd5OHN2NzRWb1hLbFkiLCJpYXQiOjE3NTUyNDYxODYsImV4cCI6MTc1NTI0NzA4NiwidXNlciI6ImFkbWluIn0.XrXr427aKbyw97aDjD2OX128DznGtw_CHMALAeodb0M HTTP/1.1 Host: 192.168.1.72:8080 Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW Connection: close Content-Length: 1128

------WebKitFormBoundary7MA4YWxkTrZu0gW Content-Disposition: form-data; name="bulk-import"

true ------WebKitFormBoundary7MA4YWxkTrZu0gW Content-Disposition: form-data; name="file-upload"; filename="files/pwn1116.html" Content-Type: text/plain

Processing your request...

Impact

The attacker now possesses a valid administrator JWT and can take full control of the application.

Mitigation

Aliases

References