In the latest version, it allows an XSS attack, which leads to any JavaScript code execution, such as any URL redirect, and sending comments without a verification code #218

Closed
MiluOWO opened this issue Nov 6, 2019 · 2 comments

@MiluOWO MiluOWO commented Nov 6, 2019

An issue was discovered in Valine v1.3.10. It allows an XSS attack, which leads to any JavaScript code execution, such as any URL redirect.

  1. XSS

payload:

<details open ontoggle=top[8680439..toString(30)](1);>

When the payload is pasted into the comment area, the JS code is executed repeatedly, and if you post it with Burp or any other tool, this payload becomes a stored XSS on this page.

With this XSS, you can redirect to any URL you want.

payload:

<details open ontoggle=window.location.replace('https://www.google.com');>

Fix for the vulnerability: please use HTML entity encoding.

  2. Bypass the verification code to send a comment

In this comment system, if you capture this HTTP packet, you can send any comment without a verification code. You can even fake your comment time, UA, etc.

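The fix requested in the report above, HTML entity encoding, as an added example (not Valine's code and not part of the original thread). It encodes every stored field at render time, since the report notes that comments, time and UA can all be submitted directly over HTTP; the field names `nick`, `ua`, `time` and `comment` and the helper names are assumptions for illustration.

```javascript
// Added example: output-encode every stored comment field at render time.
// Field names (nick, ua, comment, time) are assumptions for illustration,
// not Valine's actual schema.

const HTML_ENTITIES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
  '`': '&#96;',
};

// Replace every character that can open a tag, close an attribute or start an entity.
function escapeHtml(value) {
  return String(value).replace(/[&<>"'`]/g, (ch) => HTML_ENTITIES[ch]);
}

// The client controls the timestamp too, so accept only a parseable date
// and re-serialise it rather than echoing the stored string.
function safeTime(value) {
  const ms = Date.parse(String(value));
  return Number.isNaN(ms) ? 'unknown' : new Date(ms).toISOString();
}

// Build the comment markup from a stored record. Encoding happens here, at
// output, because a record written directly through the API (for example
// with an intercepting proxy) never passes through the comment form.
function renderComment(record) {
  return [
    '<div class="comment">',
    `  <span class="nick">${escapeHtml(record.nick)}</span>`,
    `  <span class="ua" title="${escapeHtml(record.ua)}"></span>`,
    `  <time datetime="${safeTime(record.time)}"></time>`,
    `  <p>${escapeHtml(record.comment)}</p>`,
    '</div>',
  ].join('\n');
}

// Constructed sample record whose comment is the first payload from the report.
const sample = {
  nick: 'tester',
  ua: 'Mozilla/5.0 "constructed"',
  time: '2019-11-06T00:00:00Z',
  comment: '<details open ontoggle=top[8680439..toString(30)](1);>',
};

console.log(renderComment(sample));
```

Encoding at output rather than in the comment form is what covers records that were written without going through the form at all.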

Owner

@xCss xCss commented Nov 19, 2019

Received; this will be fixed in the near future. Thanks for the feedback.

Owner

@xCss xCss commented Apr 10, 2020

Fixed in v1.4.0.

@xCss xCss closed this as completed Apr 10, 2020