CVE-2024-30884
📋 TL;DR
This is a reflected Cross-Site Scripting (XSS) vulnerability in Discuz! forum software that allows attackers to inject malicious scripts via the primarybegin parameter in misc.php. When exploited, it can let an attacker run arbitrary script in a victim's browser and steal sensitive information. All Discuz! X3.4 installations running version 20220811 are affected.
💻 Affected Systems
- Discuz!
📦 What is this software?
Discuzx by Discuz
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator session cookies, take over admin accounts, deface websites, install backdoors, or redirect users to malicious sites, potentially leading to complete system compromise.
Likely Case
Attackers will typically use this to steal user session cookies and credentials, perform phishing attacks, or deface the forum interface through script injection.
If Mitigated
With proper input validation and output encoding, the attack would be prevented, though the vulnerable parameter would still exist.
🎯 Exploit Status
The vulnerability is publicly documented with proof-of-concept available. Exploitation requires tricking users into clicking malicious links but doesn't require authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: X3.4 20220811 with security patch or later version
Vendor Advisory: https://github.com/Hebing123/cve/issues/28
Restart Required: No
Instructions:
1. Download the latest Discuz! X3.4 version or security patch.
2. Backup your current installation.
3. Replace the vulnerable misc.php file with the patched version.
4. Verify the fix by testing the primarybegin parameter.
🔧 Temporary Workarounds
Input Validation Filter
Add server-side validation to sanitize the primarybegin parameter before processing
Modify misc.php to add: $primarybegin = htmlspecialchars($_GET['primarybegin'], ENT_QUOTES, 'UTF-8');
Web Application Firewall Rule
Block malicious XSS payloads targeting the primarybegin parameter
Add WAF rule: Block requests containing <script> tags or javascript: in primarybegin parameter
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to prevent script execution from untrusted sources
- Deploy a web application firewall (WAF) with XSS protection rules specifically for the misc.php endpoint
🔍 How to Verify
Check if Vulnerable:
Test by accessing: http://your-site.com/misc.php?primarybegin=<script>alert('test')</script> and check if script executes
Check Version:
Check Discuz! admin panel or view source code for version information
Verify Fix Applied:
Repeat the test with the same payload - script should not execute and input should be properly encoded
📡 Detection & Monitoring
Log Indicators:
- Unusual GET requests to misc.php with script tags in primarybegin parameter
- Multiple failed XSS attempts in web server logs
Network Indicators:
- HTTP requests containing <script> or javascript: in query parameters
- Unusual traffic patterns to misc.php endpoint
SIEM Query:
source="web_logs" AND uri="*/misc.php*" AND (query="*<script>*" OR query="*javascript:*")
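Access logs usually record the query string percent-encoded, so a literal match on <script> can miss the same request. The following is an added example, not part of the original advisory or of Discuz!: a log scanner that decodes the primarybegin value on misc.php requests before applying the indicators above. The combined log format, the three-round decode limit and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in "combined" access-log format (not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [10/Apr/2024:10:00:01 +0000] "GET /misc.php?primarybegin=20 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2024:10:00:05 +0000] "GET /misc.php?primarybegin=%3Cscript%3Ealert(%27test%27)%3C%2Fscript%3E HTTP/1.1" 200 4811 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2024:10:00:09 +0000] "GET /misc.php?primarybegin=%253Cscript%253Ealert(1)%253C%252Fscript%253E HTTP/1.1" 200 4811 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Apr/2024:10:01:12 +0000] "GET /misc.php?primarybegin=JaVaScRiPt:alert(1) HTTP/1.1" 200 4790 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Apr/2024:10:02:30 +0000] "GET /forum.php?primarybegin=%3Cscript%3E HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
SUSPICIOUS_RE = re.compile(r"<\s*script|javascript:", re.IGNORECASE)


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so nested encodings are normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def primarybegin_values(line):
    """Return decoded primarybegin values if the request targets misc.php."""
    match = REQUEST_RE.search(line)
    if not match:
        return []
    url = urlsplit(match.group(1))
    if not url.path.lower().endswith("/misc.php"):
        return []  # rule is scoped to the endpoint named in the advisory
    params = parse_qs(url.query, keep_blank_values=True)  # decodes once
    return [fully_decode(v) for v in params.get("primarybegin", [])]


def detect(log_text):
    """Return (line number, client IP, decoded value) for each suspicious hit."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        for value in primarybegin_values(line):
            if SUSPICIOUS_RE.search(value):
                hits.append((lineno, line.split()[0], value))
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(hit)
```

The forum.php line is left unflagged on purpose, because this rule only covers the misc.php endpoint; the broader network indicator above would need its own check.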