There is a stored XSS in the file upload area #39

Closed
1f3lse opened this issue Sep 18, 2018 · 5 comments
Comments

@1f3lse

1f3lse commented Sep 18, 2018

After the file is uploaded correctly, `[abc](/zrlog/attached/file/20180918/20180918000718_50.jpg "abc")` will be displayed in the edit box. Combined with the page display, the XSS purpose is achieved by modifying the display content.

PoC:

```
[click me](aa"onmouseover="alert(1)"s= "click me")
```

The page is displayed as:

```html
<a href="aa" onmouseover="alert(1)" s="title=" click="" me="me">click me</a>
```
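
The injection in the report above, as an added example that is not code from the report, from ZrLog or from the marked library: a minimal inline-link renderer that reproduces the failure mode the rendered output shows (the href is concatenated into the tag verbatim, so the quote inside it closes the attribute and the rest becomes new attributes), next to a hardened renderer that escapes every attribute value and allowlists the href scheme. The link pattern, the function names and the scheme allowlist are this example's own assumptions, not marked's implementation.

```javascript
// Added example (not code from ZrLog or from marked): a minimal markdown link
// renderer that reproduces the attribute injection from the report, beside a
// hardened version. All names and the allowlist below are this example's own.

// Inline link shape: [text](href "title"), matched against the whole string.
// The href is matched lazily and an optional quoted title must follow
// whitespace, which is why the PoC's `aa"onmouseover="alert(1)"s=` becomes the
// href and `click me` the title.
const LINK_RE = /^\[([^\]]*)\]\(\s*([\s\S]*?)(?:\s+["']([\s\S]*?)["'])?\s*\)$/;

function parseLink(md) {
  const m = LINK_RE.exec(md);
  return m ? { text: m[1], href: m[2], title: m[3] } : null;
}

// Vulnerable: attribute values are concatenated verbatim, so a double quote
// inside the href terminates the attribute early.
function renderLinkUnsafe(md) {
  const link = parseLink(md);
  if (!link) return md;
  let out = '<a href="' + link.href + '"';
  if (link.title) out += ' title="' + link.title + '"';
  return out + '>' + link.text + '</a>';
}

// Escape for both text and double-quoted attribute context.
function escapeHtml(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
          .replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}

// Reject hrefs whose scheme is not allowlisted; scheme-less (relative) URLs
// such as /zrlog/attached/... are kept. Control characters and whitespace are
// removed first because browsers skip them when reading a scheme ("java\tscript:").
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']);
function safeHref(href) {
  const cleaned = href.replace(/[\u0000-\u0020\u007f]/g, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  if (m && !ALLOWED_SCHEMES.has(m[1].toLowerCase())) return null;
  return cleaned;
}

// Hardened: every interpolated value is escaped for its context and the href
// scheme is checked; a rejected link degrades to its plain text.
function renderLinkSafe(md) {
  const link = parseLink(md);
  if (!link) return escapeHtml(md);
  const href = safeHref(link.href);
  if (href === null) return escapeHtml(link.text);
  let out = '<a href="' + escapeHtml(href) + '"';
  if (link.title) out += ' title="' + escapeHtml(link.title) + '"';
  return out + '>' + escapeHtml(link.text) + '</a>';
}

// Constructed inputs: the PoC from the report, a scheme-based variant, and the
// link the upload widget itself inserts.
const POC = '[click me](aa"onmouseover="alert(1)"s= "click me")';
const JS_SCHEME = '[click me](javascript:alert(1))';
const UPLOAD = '[abc](/zrlog/attached/file/20180918/20180918000718_50.jpg "abc")';

function demo() {
  return {
    unsafe: renderLinkUnsafe(POC),
    safe: renderLinkSafe(POC),
    jsScheme: renderLinkSafe(JS_SCHEME),
    upload: renderLinkSafe(UPLOAD),
  };
}

console.log(demo());
```

The vulnerable renderer turns the PoC into `<a href="aa"onmouseover="alert(1)"s=" title="click me">click me</a>`, which the browser reads exactly as the reporter shows; the hardened one yields `<a href="aa&quot;onmouseover=&quot;alert(1)&quot;s=" title="click me">click me</a>`, an odd but harmless link. Escaping alone does not stop `javascript:` links, which is why the scheme check is a separate step.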

@94fzb
Owner

94fzb commented Sep 19, 2018

@3lse The editor uses the marked lib as the markdown parse lib.

And what do you think is a reasonable way?

@1f3lse
Author

1f3lse commented Sep 19, 2018

@94fzb
There may be problems with the closure of the HTML, but this does not affect the generation of the XSS.
e.g. (screenshot omitted)

@1f3lse
Author

1f3lse commented Sep 19, 2018

@94fzb You need to filter the acquired data on the server before saving to the database.

@94fzb
Owner

94fzb commented Sep 19, 2018

@3lse Thanks, I'll try using jsoup to filter some unsafe tags.
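
The server-side filtering discussed in the two comments above, as an added example that is not ZrLog's code and not jsoup: an allowlist sanitizer over the rendered HTML, written in JavaScript so it runs stand-alone. Everything not on an explicit tag and attribute allowlist is removed, URL-valued attributes are scheme-checked after entity decoding, and the tokenizer is intentionally minimal (it illustrates the policy; it is not a replacement for a real HTML parser such as jsoup). The allowlist, the names and the sample inputs are constructed for this example.

```javascript
// Added example (not ZrLog's code, not jsoup): an allowlist sanitizer for
// already-rendered HTML. Tag/attribute names below are this example's choices.

// Tags that survive, with the attributes each may keep. Every other attribute,
// including all on* event handlers and style, is dropped.
const ALLOWED = {
  a: ['href', 'title'], img: ['src', 'alt', 'title'],
  p: [], br: [], b: [], i: [], em: [], strong: [], code: [], pre: [],
  ul: [], ol: [], li: [], blockquote: [],
};
const URL_ATTRS = new Set(['href', 'src']);
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']);

function escapeHtml(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
          .replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}

// Decode the entities an attacker may use to smuggle a quote or a scheme past
// a naive check (&#106;avascript:), before the value is inspected and re-escaped.
function decodeEntities(s) {
  const named = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|amp|lt|gt|quot|apos);/gi, (_, e) => {
    if (e[0] !== '#') return named[e.toLowerCase()];
    const hex = e[1] === 'x' || e[1] === 'X';
    return String.fromCodePoint(parseInt(e.slice(hex ? 2 : 1), hex ? 16 : 10));
  });
}

// Relative URLs pass; absolute URLs must use an allowlisted scheme. Control
// characters and whitespace are stripped first, as browsers ignore them.
function safeUrl(value) {
  const cleaned = value.replace(/[\u0000-\u0020\u007f]/g, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  if (m && !ALLOWED_SCHEMES.has(m[1].toLowerCase())) return null;
  return cleaned;
}

// Minimal tokenizer: a tag is "<", optional "/", a name, then attributes up to
// the first ">" (a ">" inside a quoted attribute value is not handled).
const TAG_RE = /<\/?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
const ATTR_RE = /([^\s=\/"'<>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function sanitizeHtml(html) {
  return html.replace(TAG_RE, (whole, rawName, rest) => {
    const tag = rawName.toLowerCase();
    const allowedAttrs = ALLOWED[tag];
    if (!allowedAttrs) return '';                  // unknown tag removed; its text stays
    if (whole.startsWith('</')) return '</' + tag + '>';
    let out = '<' + tag;
    let m;
    ATTR_RE.lastIndex = 0;
    while ((m = ATTR_RE.exec(rest)) !== null) {
      const name = m[1].toLowerCase();
      if (!allowedAttrs.includes(name)) continue;   // drops onmouseover, s, click, me, ...
      let value = decodeEntities(m[2] ?? m[3] ?? m[4] ?? '');
      if (URL_ATTRS.has(name)) {
        value = safeUrl(value);
        if (value === null) continue;              // javascript:, data:, vbscript: ...
      }
      out += ' ' + name + '="' + escapeHtml(value) + '"';
    }
    return out + '>';
  });
}

// Constructed input: the rendered output quoted in the report.
const RENDERED_POC =
  '<a href="aa" onmouseover="alert(1)" s="title=" click="" me="me">click me</a>';

console.log(sanitizeHtml(RENDERED_POC));
```

Run over the reporter's rendered output this returns `<a href="aa">click me</a>`. In jsoup, the library the owner mentions, the equivalent policy is `Jsoup.clean(html, Safelist.basic())` (`Whitelist.basic()` in older releases), which likewise keeps `a[href]` only for http, https, ftp and mailto. Filtering the rendered HTML is a more robust place for this check than filtering the markdown source, because the markdown parser, not the filter, decides which characters end up inside an attribute.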

@OS-WS

OS-WS commented Dec 17, 2020

Hi, is there a fix for CVE-2018-17421 & CVE-2018-17420?
If so, what are the fixing commits?

94fzb closed this as completed Apr 15, 2023