CVE-2021-43682
Description
thinkphp-bjyblog (last update Jun 4 2021) is affected by a Cross Site Scripting (XSS) vulnerability in AdminBaseController.class.php. The exit function terminates the script and prints a message to the user that contains $_SERVER['HTTP_HOST'].
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
thinkphp-bjyblog (last update Jun 4 2021) has a reflected XSS in AdminBaseController.class.php where the exit function prints unsanitized HTTP_HOST, allowing attacker-controlled script execution.
Vulnerability
The thinkphp-bjyblog application, last updated on June 4, 2021, contains a reflected Cross-Site Scripting (XSS) vulnerability in AdminBaseController.class.php. The redirect function, when called with U('Admin/Login/login'), constructs a URL using $_SERVER['HTTP_HOST'] without sanitization. The exit function then outputs a meta refresh tag containing this URL, directly reflecting the attacker-controlled Host header into the response. All versions up to the last commit are affected, and the repository has been archived and is read-only [1].
Exploitation
An attacker can exploit this vulnerability by sending a crafted HTTP request to any endpoint that triggers the redirect to the admin login page. The attacker sets the Host header to a malicious value containing JavaScript code. The server responds with a page containing `<meta http-equiv='Refresh' content='0;URL=http:///...'>`, which executes the script in the victim's browser. No authentication is required, as the redirect occurs before any access control checks [1].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to session hijacking, cookie theft, defacement, or actions performed on behalf of the victim. If the victim is an administrator, the attacker may gain full control over the application.
Mitigation
No official fix is available, as the repository has been archived and is no longer maintained. Users should discontinue use of this software or manually sanitize the Host header in the affected code. A workaround is to configure the web server to validate or restrict the Host header to expected values, or deploy a Web Application Firewall (WAF) to block malicious payloads. This vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
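To make the "manually sanitize the Host header" workaround concrete, here is an added PHP example (not code from thinkphp-bjyblog) that places the reflected-Host pattern the description outlines beside a hardened version that resolves the host from an allowlist and HTML-encodes the URL before emitting the meta refresh. Function names, the allowlist values and the simulated request are assumptions made for illustration.

```php
<?php
// Added example, not thinkphp-bjyblog code. Names and values are illustrative.

// Vulnerable pattern as the CVE describes it: the Host header is copied straight
// into an HTML attribute, so whatever the client sent is reflected back.
function meta_refresh_vulnerable(string $path): string
{
    $url = 'http://' . $_SERVER['HTTP_HOST'] . $path;
    return "<meta http-equiv='Refresh' content='0;URL={$url}'>";
}

// Hardened: choose the host from an allowlist, never from the raw header.
// Port suffixes must appear in the allowlist entries to be accepted.
function resolve_host(?string $hostHeader, array $allowedHosts, string $fallbackHost): string
{
    if ($hostHeader === null) {
        return $fallbackHost;
    }
    $candidate = strtolower($hostHeader);
    foreach ($allowedHosts as $allowed) {
        if ($candidate === strtolower($allowed)) {
            return $allowed; // return the allowlisted spelling, not the header
        }
    }
    return $fallbackHost;    // unknown or malformed Host: use the configured host
}

function meta_refresh_hardened(string $path, array $allowedHosts, string $fallbackHost): string
{
    $host = resolve_host($_SERVER['HTTP_HOST'] ?? null, $allowedHosts, $fallbackHost);
    $url  = 'https://' . $host . $path;
    // ENT_QUOTES also encodes the single quotes that delimit the attribute value.
    $safe = htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<meta http-equiv='Refresh' content='0;URL={$safe}'>";
}

// Constructed demonstration: a request whose Host header is not one of ours.
$_SERVER['HTTP_HOST'] = 'not-our-site.example';
$allowed  = ['blog.example.com', 'blog.example.com:8443'];
$fallback = 'blog.example.com';

echo meta_refresh_vulnerable('/admin/login'), PHP_EOL;
// reflects the foreign host: http://not-our-site.example/admin/login
echo meta_refresh_hardened('/admin/login', $allowed, $fallback), PHP_EOL;
// uses the configured host: https://blog.example.com/admin/login
```

Rejecting unknown Host values at the web server (a default virtual host that answers only for configured names) closes the same gap for every script at once, which is the server-side workaround the mitigation section recommends.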
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- thinkphp-bjyblog/thinkphp-bjyblog
- Range: <=
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] github.com/baijunyao/thinkphp-bjyblog/issues/6
News mentions
No linked articles in our index yet.