
Security issues #107

Closed
360CodeSafe opened this Issue Dec 29, 2018 · 3 comments


360CodeSafe commented Dec 29, 2018

Hello,
I work at 360 Code Safe (360代码卫士). During our code audit of open-source projects we found the following three security issues in hsweb-framework.

I. Reflected XSS

  1. Description:
    In FlowableModelManagerController.java, the modelId and type parameters from the URI are accepted but not validated (I am not familiar with Swagger; its annotations presumably have no enforcing effect and only serve to generate API documentation?). When modelId does not exist, the program writes type directly into the page, resulting in an XSS vulnerability.
  2. Steps to reproduce:
    I did not set up the framework; I only did a code audit and have not reproduced it. If you have doubts about the vulnerability I can reproduce it. The same applies to the two issues below.
  3. Log content:

II. CSRF

  1. Description:
    In the callback method of OAuth2ClientController.java, after user authentication completes, the state parameter from the request is not compared with the state stored in the session; a malicious attacker could hijack accounts via a CSRF attack.
  2. Steps to reproduce:
  3. Log content:

III. Path traversal leading to arbitrary file read

  1. Description:
    In FileManagerDevToolsController.java, several methods do not filter request parameters, leading to path traversal. Taking the read method as an example, an attacker could use ../ to walk back up the directory tree and read sensitive system files such as /etc/passwd. Although these functions should be operations only an administrator can perform, under normal circumstances the framework should not allow even an administrator to read system files (after all, the security of the administrator account cannot be guaranteed; this only raises the cost and difficulty of an attack).
  2. Steps to reproduce:
  3. Log content:

I hope these can be fixed promptly.
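
The three findings above map to three standard defensive checks. The following is an added example, not code from hsweb-framework or from the issue author: the class `IssueHardeningExamples` and its methods `htmlEscape`, `newState`, `stateMatches` and `resolveInside` are hypothetical names, and the root directory and sample inputs in `main` are constructed for illustration. It shows output-encoding a reflected parameter (finding I), generating and constant-time comparing an OAuth2 `state` value against the session copy (finding II), and confining a user-supplied file name to an allowed root (finding III).

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

/*
 * Constructed example: defensive helpers for the three findings in this issue.
 * Class and method names are hypothetical and are not part of hsweb-framework.
 */
public final class IssueHardeningExamples {

    /* Finding I: a request parameter echoed into an HTML page must be
     * output-encoded first, so that any markup in it is rendered as text. */
    static String htmlEscape(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /* Finding II: the OAuth2 state value. Generated from a CSPRNG before the
     * redirect, stored in the user's session, then compared on callback. */
    static String newState(SecureRandom rng) {
        byte[] buf = new byte[32];
        rng.nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    /* Constant-time comparison of the session state with the callback state.
     * A missing value on either side is a mismatch. The caller should remove
     * the value from the session after one use. */
    static boolean stateMatches(String sessionState, String callbackState) {
        if (sessionState == null || callbackState == null) {
            return false;
        }
        return MessageDigest.isEqual(
                sessionState.getBytes(StandardCharsets.UTF_8),
                callbackState.getBytes(StandardCharsets.UTF_8));
    }

    /* Finding III: resolve a user-supplied name under an allowed root and refuse
     * anything whose normalized form leaves that root. Path.startsWith compares
     * whole path components, so "/srv/filesX" does not count as inside
     * "/srv/files". An absolute user path also fails, because resolve() returns
     * it unchanged. If the root may contain symlinks, repeat the check on
     * target.toRealPath() after confirming the file exists. */
    static Path resolveInside(Path allowedRoot, String userSupplied) {
        Path base = allowedRoot.toAbsolutePath().normalize();
        Path target = base.resolve(userSupplied).normalize();
        if (!target.startsWith(base)) {
            throw new IllegalArgumentException("path escapes allowed root");
        }
        return target;
    }

    public static void main(String[] args) {
        // Finding I: the tag is rendered inert as text.
        System.out.println(htmlEscape("<script>alert(1)</script>"));

        // Finding II: only the exact session value is accepted.
        SecureRandom rng = new SecureRandom();
        String state = newState(rng);
        System.out.println("same state accepted:    " + stateMatches(state, state));
        System.out.println("other state rejected:   " + stateMatches(state, newState(rng)));
        System.out.println("missing state rejected: " + !stateMatches(state, null));

        // Finding III: constructed root; a traversal attempt is refused.
        Path root = Paths.get("/srv/app/dev-files");
        System.out.println(resolveInside(root, "reports/summary.txt"));
        try {
            resolveInside(root, "../../../etc/passwd");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

In a Spring controller the `state` check would sit at the top of the callback handler, before the authorization code is exchanged, and the path check would wrap every file name taken from the request in the dev-tools file manager, independent of the permission check the maintainer mentions below, since the two controls address different failure modes (unauthorized caller versus authorized caller reaching outside the intended directory).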

@zhou-hao zhou-hao self-assigned this Dec 29, 2018

@zhou-hao zhou-hao added this to To Do in hsweb framework via automation Dec 29, 2018

@zhou-hao zhou-hao added this to the 3.0.5 milestone Dec 29, 2018


zhou-hao commented Dec 29, 2018

Thanks for the report. Will fix as soon as possible!!!

zhou-hao added a commit that referenced this issue Dec 29, 2018

zhou-hao added a commit that referenced this issue Dec 29, 2018


zhou-hao commented Dec 29, 2018

Issues one and two have been fixed.

As for the third issue, this is by design.

  1. This interface is permission-controlled; only users with the right permission can access it.

  2. This package is generally used only in development environments.

So this issue will be ignored for now.


360CodeSafe commented Dec 29, 2018

OK.

@zhou-hao zhou-hao pinned this issue Dec 29, 2018

@zhou-hao zhou-hao unpinned this issue Dec 29, 2018

@zhou-hao zhou-hao closed this Jan 6, 2019

hsweb framework automation moved this from To Do to Done Jan 6, 2019
