This repository has been archived by the owner on Apr 14, 2021. It is now read-only.
Hello:

I am a staff member at 360 Code Guard (360代码卫士). During code scanning of open-source projects we found two CSRF vulnerabilities in SRCMS. Details are as follows:

The first is in the back-end order deletion function (GET-type CSRF):

As you can see, there is no protection, so CSRF is possible; by enumerating report IDs, all reports can be deleted.

The second is in System Settings -> Basic Configuration:

Visiting a crafted page successfully modifies the configuration.

Also, I found that the TP3.2.3 used by the CMS has known framework SQL injection issues that have not been fixed, such as TP's order by injection. Since order() is not used anywhere in the project, it cannot currently be reproduced. However, as SRCMS keeps being updated, it is hard to guarantee it will never be used, so I'd still recommend fixing it~~
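Both findings above (the GET-triggered report deletion and the configuration change through a crafted page) share the same root cause: state-changing admin endpoints accept any request that carries the admin's session cookie, with nothing that proves the request originated from the application's own pages. The block below is an added illustration of the standard mitigations, written for this issue and not code from SRCMS or ThinkPHP: a synchronizer CSRF token bound to the session with an HMAC, a requirement that state changes use POST, and, for the order-by remark, an allow-list for sort parameters so user input never reaches the ORDER BY clause verbatim. All names (`Session`, `Request`, `handle_delete_report`, `safe_order_clause`) and the in-memory report store are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Example-only server secret, generated at start-up; a real deployment loads it
# from configuration and keeps it stable across restarts.
SERVER_SECRET = secrets.token_bytes(32)


@dataclass
class Session:
    """Hypothetical server-side session record (assumption for this example)."""
    session_id: str
    is_admin: bool = False


@dataclass
class Request:
    """Hypothetical HTTP request as seen by a controller (assumption for this example)."""
    method: str
    path: str
    form: Dict[str, str] = field(default_factory=dict)
    session: Optional[Session] = None


def csrf_token_for(session: Session) -> str:
    """Synchronizer token: HMAC(secret, session_id). Embedded as a hidden field in
    every admin form; a cross-site page cannot read it, so it cannot forge it."""
    return hmac.new(SERVER_SECRET, session.session_id.encode(), hashlib.sha256).hexdigest()


def csrf_token_valid(session: Session, submitted: Optional[str]) -> bool:
    """Constant-time comparison of the submitted token against the session's token."""
    if not submitted:
        return False
    return hmac.compare_digest(csrf_token_for(session), submitted)


# Columns the "sort by" parameter may name; anything else is rejected outright.
ALLOWED_ORDER_COLUMNS = {"id", "created_at", "status"}


def safe_order_clause(column: str, direction: str) -> Optional[str]:
    """Build an ORDER BY fragment only from allow-listed identifiers.
    Returns None for any value outside the allow-list instead of interpolating it."""
    if column not in ALLOWED_ORDER_COLUMNS:
        return None
    if direction.lower() not in ("asc", "desc"):
        return None
    return f"ORDER BY {column} {direction.upper()}"


def handle_delete_report(req: Request, reports: Dict[str, str]) -> Tuple[int, str]:
    """Hardened admin 'delete report' endpoint. A forged cross-site request
    (a GET, or a POST lacking the session-bound token) is refused before any
    state changes; the same gate applies to the configuration-update endpoint."""
    if req.method != "POST":
        return 405, "state-changing action requires POST"
    if req.session is None or not req.session.is_admin:
        return 403, "admin session required"
    if not csrf_token_valid(req.session, req.form.get("csrf_token")):
        return 403, "invalid or missing CSRF token"
    report_id = req.form.get("id", "")
    if report_id not in reports:
        return 404, "no such report"
    del reports[report_id]
    return 200, f"deleted report {report_id}"


if __name__ == "__main__":
    # Constructed sample: an admin session and two stored reports.
    admin = Session("sess-admin-1", is_admin=True)
    store = {"1": "report one", "2": "report two"}
    # The forged GET from the issue is rejected; a token-bearing POST succeeds.
    print(handle_delete_report(Request("GET", "/admin/order/delete", {"id": "1"}, admin), store))
    token = csrf_token_for(admin)
    print(handle_delete_report(Request("POST", "/admin/order/delete", {"id": "1", "csrf_token": token}, admin), store))
    print(safe_order_clause("created_at", "desc"), safe_order_clause("id; DROP TABLE x", "asc"))
```

Binding the token to the session ID via HMAC means a token issued to one session is useless in another, and `hmac.compare_digest` avoids leaking the token through timing. The allow-list for sort columns is the simplest fix for the order-by concern: the query never sees the raw parameter, so it does not matter which framework version is underneath.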