
ForestBlog has a front-end stored XSS vulnerability that can obtain the account passwords of all users, including administrators #84

Open
ghtwf01 opened this issue Oct 10, 2022 · 0 comments

Comments

@ghtwf01

ghtwf01 commented Oct 10, 2022

First go to the registration page and set the nickname to arbitrary JavaScript code. Here I use <script>alert(document.cookie)</script> as an example to get the cookie; in real exploitation the content of document.cookie would be sent to the attacker's remote server via an HTTP request and saved there. Because the cookie contains the username and password, when the XSS attack succeeds the attacker also obtains the user's/administrator's account password.
After registration, open any article and post any comment.
At this point, XSS is triggered in the following situations:
1. Since the admin interface displays recent comments, XSS is triggered immediately when the administrator logs in to the backend.
2. Since the blog homepage also displays recent comments, XSS is triggered immediately when any user/administrator visits the blog homepage.
3. Since the attacker commented under the article, visiting that article also triggers XSS immediately.
So this vulnerability is very harmful, affects a very wide scope and is very easy to exploit. Besides obtaining the cookies of all users/administrators, since the JS code here is attacker-controlled, malicious redirects and other situations that damage the integrity of the site are also possible.

Repair suggestions:
1. Introduce a CSP policy to restrict script loading (recommended: there have been many XSS vulnerabilities before, fixing them one by one is troublesome, and there may still be unknown places with XSS; once CSP is introduced and correctly configured, XSS can be avoided entirely). A lesser option is to HTML-entity-encode user-supplied content when outputting it.
2. Do not store plaintext account passwords in the cookie.
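The two output-side fixes suggested in the report (HTML entity encoding of user-supplied text such as the nickname, plus a Content-Security-Policy header), as an added example that is not ForestBlog's own code. The class names XssDefense and CspFilter are hypothetical, and the filter assumes the javax.servlet API used by classic Java web applications.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

// Hypothetical helper class; names are not taken from ForestBlog.
public final class XssDefense {

    /** Encode the HTML-significant characters so stored user text renders as text, not markup. */
    public static String htmlEncode(String input) {
        if (input == null) return "";
        StringBuilder sb = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Servlet filter that attaches a restrictive CSP to every response (defence in depth). */
    public static final class CspFilter implements Filter {
        // Only same-origin script files may run; an inline <script> injected via a
        // nickname or comment is refused by the browser even if encoding is missed somewhere.
        private static final String POLICY =
            "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'";

        @Override public void init(FilterConfig cfg) {}
        @Override public void destroy() {}

        @Override
        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            ((HttpServletResponse) res).setHeader("Content-Security-Policy", POLICY);
            chain.doFilter(req, res);
        }
    }

    public static void main(String[] args) {
        // Constructed sample input: the nickname payload described in the report.
        String nickname = "<script>alert(document.cookie)</script>";
        System.out.println(htmlEncode(nickname)); // inert text once encoded
    }
}
```

Apply htmlEncode at every point where the nickname or comment body is written into a page (recent-comments widgets included), and register CspFilter in web.xml so the header is sent for both the homepage and the admin backend.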
