Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

You code has a Stored-XSS Vulnerability in the backstage #1

Closed
zhouxingixng opened this issue Jan 10, 2019 · 2 comments
Closed

You code has a Stored-XSS Vulnerability in the backstage #1

zhouxingixng opened this issue Jan 10, 2019 · 2 comments

Comments

@zhouxingixng
Copy link

1、Login the backstage
http://127.0.0.1/root/run/adm.php

default

payload:fm[instop][note]='"/></script><script>alert(1)</script>

fix:

  1. Strictly verify user input, you must perform strict checks and html escape escaping on all input scripts, iframes, etc. The input here is not only the input interface that the user can directly interact with, but also the variables in the HTTP request in the HTTP request, the variables in the HTTP request header, and so on.
  2. Verify the data type and verify its format, length, scope, and content.
  3. Not only need to be verified on the client side but also on the server side.
  4. The output data should also be checked. The values in the database may be output in multiple places on a large website. Even if the input is coded, the security check should be performed at the output points.
@peacexie
Copy link
Owner

git:440@2019-01-10
Fix:Stored-XSS Vulnerability(in the backstage)
b34dc3a

@peacexie peacexie added the bug label Jan 10, 2019
@peacexie
Copy link
Owner

Maybe some other place has this bug too?
I'll check them carefully at the NEXT edition.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

2 participants