What version of Halo has the issue?
1.4.13
What database are you using?
Other
What is your deployment method?
Fat Jar
Your site address.
No response
What happened?
At the function point of uploading the avatar, any file can be uploaded, such as uploading an HTML file, which will cause a stored XSS vulnerability.
1. The file upload function point.
2. Upload an HTML file; it shows success.
3. Access the HTML file; you can see that it is parsed by the browser.
If you upload malicious XSS code, you will get the user's token, like this:
Payload

```html
<script>
  document.write(localStorage.getItem("halo__Access-Token"));
  document.write("</br></br>");
  document.write(localStorage.getItem("halo__USER"));
</script>
```

Analyzing the code, it can be seen that all suffixes can be uploaded, and there is no restriction on the suffix name of the file.
It's recommended to only allow the parameter `extension` to be png, jpeg, jpg, gif, bmp or other image suffixes.
Relevant log output
No response
Additional information
No response
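The allow-list the report recommends, as an added example that is not Halo's own code: a plain-Java validator for the avatar upload that accepts only the image suffixes named in the issue and, as defense in depth, also checks that the file's leading bytes match the claimed image type and builds the stored filename from server-controlled parts only. The `validate(extension, bytes)` entry point and the `storageName` helper are assumptions for this example; the parameter name `extension` comes from the issue, and the sample inputs in `main` are constructed here.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

/**
 * Added example (not Halo's code): allow-list validation for an avatar upload.
 * Checks, in order: the "extension" parameter is a single allowed image suffix,
 * the file content carries that type's signature, and the stored name never
 * reuses client input.
 */
public final class AvatarUploadValidator {

    // Allowed suffixes, taken from the issue's recommendation.
    private static final Set<String> ALLOWED_EXTENSIONS =
            Set.of("png", "jpeg", "jpg", "gif", "bmp");

    // Standard file signatures (magic bytes) for each allowed type.
    private static final Map<String, byte[][]> SIGNATURES = Map.of(
            "png",  new byte[][] { {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A} },
            "jpg",  new byte[][] { {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF} },
            "jpeg", new byte[][] { {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF} },
            "gif",  new byte[][] { "GIF87a".getBytes(StandardCharsets.US_ASCII),
                                   "GIF89a".getBytes(StandardCharsets.US_ASCII) },
            "bmp",  new byte[][] { {'B', 'M'} });

    public static final class ValidationException extends Exception {
        private static final long serialVersionUID = 1L;
        ValidationException(String msg) { super(msg); }
    }

    /** Returns the normalised extension, or throws if the upload is not an allowed image. */
    public static String validate(String extensionParam, byte[] content) throws ValidationException {
        if (extensionParam == null || content == null) {
            throw new ValidationException("missing extension or content");
        }
        // Normalise so ".PNG" and "png" are treated alike.
        String ext = extensionParam.startsWith(".") ? extensionParam.substring(1) : extensionParam;
        ext = ext.toLowerCase(Locale.ROOT);
        // Reject path separators and double extensions such as "png.html".
        if (ext.contains("/") || ext.contains("\\") || ext.contains(".")) {
            throw new ValidationException("malformed extension: " + extensionParam);
        }
        if (!ALLOWED_EXTENSIONS.contains(ext)) {
            throw new ValidationException("extension not allowed: " + extensionParam);
        }
        if (!contentMatches(ext, content)) {
            throw new ValidationException("content does not look like a ." + ext + " image");
        }
        return ext;
    }

    private static boolean contentMatches(String ext, byte[] content) {
        for (byte[] sig : SIGNATURES.get(ext)) {
            if (content.length >= sig.length
                    && Arrays.equals(Arrays.copyOf(content, sig.length), sig)) {
                return true;
            }
        }
        return false;
    }

    /** Storage name built only from server-generated parts and the validated extension. */
    public static String storageName(String userId, String ext) {
        return "avatar-" + userId + "." + ext;
    }

    public static void main(String[] args) {
        // Constructed sample inputs for the example.
        byte[] png  = {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A, 0, 0, 0, 0};
        byte[] html = "<html><body>not an image</body></html>".getBytes(StandardCharsets.UTF_8);
        Object[][] cases = {
            {"png",      png},   // accepted
            {"PNG",      png},   // accepted after normalisation
            {"html",     html},  // rejected: the case the issue reports
            {"png",      html},  // rejected: suffix says image, bytes do not
            {"png.html", png},   // rejected: double extension
        };
        for (Object[] c : cases) {
            String ext = (String) c[0];
            byte[] body = (byte[]) c[1];
            try {
                String ok = validate(ext, body);
                System.out.println("ACCEPT " + ext + " -> " + storageName("42", ok));
            } catch (ValidationException e) {
                System.out.println("REJECT " + ext + " : " + e.getMessage());
            }
        }
    }
}
```

The signature check matters because an allow-list on the suffix alone still lets a `.png` that contains HTML through; whether a browser then renders it depends on how the file is served, so the complementary server-side measures are a `Content-Type` derived from the validated extension, `X-Content-Type-Options: nosniff`, and ideally serving uploads from an origin separate from the admin UI so a rendered upload cannot read that origin's `localStorage`.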
Hello, at present this project is designed for a single administrator only, which means that currently only the administrator can operate the admin backend. So even though such a problem exists, we will not raise its priority for now.
Also, have you read https://github.com/halo-dev/halo/blob/master/SECURITY.md