一个漏洞: 需要屏蔽一些高权限的邮箱 #10

xiaohuilam · 2020-12-28T17:16:04Z

Lines 33 to 38 in a80cb6c

    
           socket.on('set shortid', function(id) { 
        
             onlines.delete(socket.shortid); 
        
             socket.shortid = id; 
        
             onlines.set(socket.shortid, socket); 
        
             socket.emit('shortid', socket.shortid); 
        
           })

一个漏洞: 需要屏蔽一些高权限的邮箱, 如下:

admin@
administrator@
webmaster@
postmaster@
hostmaster@

根据 webtrust 标准, 屏蔽上述邮箱即可.

否则提供临时邮箱的域名, 会存在被冒签 SSL 的高危漏洞.

POC:

证书地址: https://crt.sh/?id=3842188133

此 SSL 未经过站长授权

denghongcai · 2021-02-17T09:54:28Z

老仓库本意是提供给大家玩用的……
master 分支已添加了默认的限制

denghongcai self-assigned this Feb 17, 2021

denghongcai added the enhancement label Feb 17, 2021

denghongcai closed this as completed Feb 17, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

一个漏洞: 需要屏蔽一些高权限的邮箱 #10

一个漏洞: 需要屏蔽一些高权限的邮箱 #10

xiaohuilam commented Dec 28, 2020 •

edited

Loading

denghongcai commented Feb 17, 2021

一个漏洞: 需要屏蔽一些高权限的邮箱 #10

一个漏洞: 需要屏蔽一些高权限的邮箱 #10

Comments

xiaohuilam commented Dec 28, 2020 • edited Loading

denghongcai commented Feb 17, 2021

xiaohuilam commented Dec 28, 2020 •

edited

Loading