
Two Cross Site Scripting vulnerability in latest release #44

Closed
deFming opened this issue Apr 9, 2019 · 2 comments

Comments

@deFming

deFming commented Apr 9, 2019

1. A Cross-site scripting on Add plugin

Description

Cross-site scripting (XSS) vulnerability in /app/templates/base.html, line 112:
{{ plugin.content | safe }}
Using Jinja2's safe filter allows the plugin content to be rendered unescaped and unfiltered, resulting in a Cross-site scripting (XSS) vulnerability.

Steps To Reproduce:

After the administrator has logged in.
URL: http://192.168.195.164:8080/admin/custom/blog-plugin/add
Data: csrf_token=1554792968%23%235f35bd58e994cc0ff9ee605d573442dc898ff6fc&title=plugin+xss&note=test&content=<svg/onload=alert(1)>
Back to the homepage.

2. A Cross-site scripting on Add Article

Description

Cross-site scripting (XSS) vulnerability in /app/templates/article_detials.html, line 14:
{{ article.content | safe }}
Using Jinja2's safe filter allows the plugin content to be rendered unescaped and unfiltered, resulting in a Cross-site scripting (XSS) vulnerability.

Steps To Reproduce:

After the administrator has logged in.
URL: http://192.168.195.164:8080/admin/submit-articles
Data: csrf_token=1554793565%23%239ed010b3b0416557e2930cd0cc53c334f9f3f8ca&source=1&title=Article+xss&content=<svg/onload=alert(3)>&types=1&summary=test

Back to the homepage and click on the article; this will trigger the XSS.
http://192.168.195.164:8080/article-detials/2

@imlonghao
Collaborator

First of all, thank you for your attention.

Personally, I think the issue you raised is "real, but of limited impact".

These two places in the admin backend were designed this way mainly because the administrator sometimes needs to use raw HTML directly, so it is true that XSS code can be inserted there.

The impact is limited for the following reasons:

  1. Exploiting this issue requires the attacker to already have the administrator's account and password in order to enter the backend and perform administrator actions, so the prerequisites for an attack are high.
  2. This project is a single-user personal blog system, so even if this XSS occurs, it has little impact on other registered users (because it is single-user).

(By analogy with WordPress: if the administrator's account and password are leaked, one can even get a shell through the admin backend.)

So the recommendation remains to keep the administrator's account and password safe.

@deFming
Author

deFming commented Apr 9, 2019

There is no need to use the safe tag in Jinja2 there; I still hope you can fix it.
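The thread leaves the two positions unreconciled: the reporter wants the safe filter removed, the maintainer notes that administrators sometimes need raw HTML. An allowlist sanitizer covers both, and the following is an added example of one, written for this page and not code from this project or from either participant. It uses only the Python standard library; the tag and attribute allowlist is an assumption and should be adjusted to what the blog actually renders. Text is always escaped, tags outside the allowlist (such as the svg element in the report's payload) are dropped, every attribute not explicitly allowed (including all on* event handlers) is stripped, and href values are checked against a scheme allowlist. The returned string is what the template would then render with the safe filter.

```python
"""Allowlist-based HTML sanitizer for administrator-supplied content.

Added example, not code from this project. It keeps the markup an
administrator legitimately needs while dropping script-bearing tags and
attributes, so the result can be rendered with Jinja2's ``safe`` filter
without reintroducing the XSS described in this issue.
"""
from html import escape
from html.parser import HTMLParser

# Assumed allowlist: adjust to what the blog really needs to render.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "a", "ul", "ol", "li",
                "code", "pre", "blockquote", "h2", "h3"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
VOID_TAGS = {"br"}
# Only these URL prefixes survive in href; javascript: and data: are dropped.
SAFE_URL_PREFIXES = ("http://", "https://", "mailto:", "/", "#")


class AllowlistSanitizer(HTMLParser):
    """Re-emits only allowlisted tags and attributes; text is always escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []        # sanitized fragments, joined at the end
        self.open_tags = []  # stack of allowed tags still open

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # e.g. <svg>, <script>, <iframe>: dropped entirely
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops on* handlers, style, and anything unlisted
            if value is None:
                continue
            if name == "href" and not value.strip().lower().startswith(SAFE_URL_PREFIXES):
                continue  # blocks javascript: and data: URLs
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_startendtag(self, tag, attrs):
        # Self-closing form such as <br/> or <p/>.
        self.handle_starttag(tag, attrs)
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.open_tags.pop()
            self.out.append(f"</{tag}>")

    def handle_endtag(self, tag):
        if tag not in self.open_tags:
            return  # stray or disallowed closing tag: ignore it
        while self.open_tags:  # close inner tags too, keeping nesting balanced
            closed = self.open_tags.pop()
            self.out.append(f"</{closed}>")
            if closed == tag:
                break

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))  # text nodes are escaped

    def finish(self):
        self.close()  # flush any buffered input in the parser
        while self.open_tags:  # close whatever the author left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize_html(raw_html):
    """Return a sanitized copy of raw_html that is safe to mark ``safe`` in a template."""
    parser = AllowlistSanitizer()
    parser.feed(raw_html)
    return parser.finish()


if __name__ == "__main__":
    # Constructed inputs: the payload from this report and a benign admin post.
    print(repr(sanitize_html("<svg/onload=alert(1)>")))
    print(sanitize_html('<p onclick="x()">Hello <a href="https://example.com">link</a></p>'))
```

Run the sanitizer on the submitted content before it is stored (or at render time, before applying the safe filter); the report's payload sanitizes to an empty string, while a paragraph with a plain https link is kept intact minus any event-handler attributes. For a production blog a maintained sanitizer library is the better choice, but the allowlist-over-denylist design shown here is the property that matters: anything not explicitly permitted never reaches the page.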
