Possible XSS vulnerability #2

Open
enferas opened this issue Nov 12, 2021 · 2 comments

Comments


enferas commented Nov 12, 2021

Hello,

I would like to report an XSS vulnerability.

The path of the vulnerability:

In file Application/Home/Controller/GoodsController.class.php, line 21

```php
public function postGoods(){
    $postData = $_POST;          // raw request body, no validation
    $add=true;
    $this->upload($postData,$add);
}
```

line 53

```php
public function upload($postData,$isAdd){
    //...
    $add['title']=$postData['title'];   // $_POST values copied unchanged
    $add['price']=$postData['price'];
    $add['img']=$info['picture']['savepath'].$info['picture']['savename'];

    if($isAdd){
        $this->addGoods($add);
    }
    //...
}
```

line 77

```php
public function addGoods($addGoods){
    // ...
    if($result >= 0){
        $data=array(
            code=>'0',
            msg=>'添加成功',      // "added successfully"
            data=>$addGoods       // the $_POST-derived array is echoed back
        );
        $this->ajaxReturn($data);
    }
    // ...
}
```

In file ThinkPHP/Mode/Api/Controller.class.php
line 55

```php
protected function ajaxReturn($data,$type='') {
    if(empty($type)) $type  =   C('DEFAULT_AJAX_RETURN');
    switch (strtoupper($type)){
        case 'JSON' :
            // Return JSON to the client, including status information
            header('Content-Type:application/json; charset=utf-8');
            exit(json_encode($data));
        case 'XML'  :
            // Return data in XML format
            header('Content-Type:text/xml; charset=utf-8');
            exit(xml_encode($data));
        case 'JSONP':
            // Return JSON to the client, including status information
            header('Content-Type:application/json; charset=utf-8');
            // callback name is read from the query string and emitted verbatim
            $handler  =   isset($_GET[C('VAR_JSONP_HANDLER')]) ? $_GET[C('VAR_JSONP_HANDLER')] : C('DEFAULT_JSONP_HANDLER');
            exit($handler.'('.json_encode($data).');');
        case 'EVAL' :
            // Return an executable JS script
            header('Content-Type:text/html; charset=utf-8');
            exit($data);
    }
}
```

The exit function terminates the script and prints a message to the user. So there is an XSS vulnerability, because the message contains values from $_POST.


enferas commented Dec 2, 2021

CVE-2021-43689 is assigned to this discovery.

manage (last update Oct 24, 2017) is affected by a Cross Site Scripting (XSS) vulnerability in Application/Home/Controller/GoodsController.class.php. The exit function terminates the script and prints a message which contains values from $_POST.

@2734750898

CVE-2021-43689 is assigned to this discovery.

manage (last updated Oct 24, 2017) is affected by a Cross Site Scripting (XSS) vulnerability in Application/Home/Controller/GoodsController.class.php. The exit function terminates the script and prints a message containing values from $_POST.

I would like to know how this XSS vulnerability is fixed. I think the data submitted via POST needs to be type-converted, but I am not sure whether that is right, or whether there is some other way to block the XSS?
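The flow discussed in this issue, as an added example that is not code from the manage project or from ThinkPHP: with a constructed title and callback name standing in for $_POST and $_GET, it reproduces what the JSON and JSONP branches of the quoted ajaxReturn() emit, then shows hardened equivalents. The function names (vulnerableJson, safeJsonp, htmlEscape, validateGoods), the json_encode flags, the callback whitelist and the validation rules are choices made for this example, not the project's API.

```php
<?php
// Added example, not code from the manage project or ThinkPHP.
// Reproduces what the JSON and JSONP branches of ajaxReturn() quoted in this
// issue emit for a crafted title, then shows hardened equivalents.
// Function names (vulnerableJson, safeJsonp, validateGoods, htmlEscape) and
// the sample inputs are assumptions made for this example.
declare(strict_types=1);

// Constructed sample input standing in for $_POST and $_GET.
$postData     = ['title' => '<script>alert(1)</script>', 'price' => '9.99'];
$jsonpHandler = 'alert(document.cookie);//';   // stands in for $_GET[VAR_JSONP_HANDLER]

// --- what the quoted code does ---------------------------------------------
function vulnerableJson(array $data): string
{
    // Default json_encode() escapes "/" (so "</script>" becomes "<\/script>")
    // but leaves "<", ">", "&" and quotes intact.
    return json_encode($data);
}

function vulnerableJsonp(array $data, string $handler): string
{
    // The callback name is taken from the query string and concatenated
    // verbatim: whatever the caller supplies is emitted in front of the JSON.
    return $handler . '(' . json_encode($data) . ');';
}

// --- hardened equivalents --------------------------------------------------
function safeJson(array $data): string
{
    // JSON_HEX_* encodes <, >, &, ', " as \uXXXX, so the body stays inert even
    // if a client ever treats it as HTML or it is embedded in a page.
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_UNESCAPED_UNICODE;
    $out = json_encode($data, $flags);
    if ($out === false) {
        throw new RuntimeException('json_encode failed: ' . json_last_error_msg());
    }
    return $out;
}

function safeJsonp(array $data, string $handler, string $fallback = 'jsonpReturn'): string
{
    // Accept only a dotted JavaScript identifier as the callback; anything else
    // (parentheses, semicolons, comment markers) falls back to a fixed name.
    if (!preg_match('/^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$/', $handler)) {
        $handler = $fallback;
    }
    // A leading comment defeats content sniffing that looks at the first bytes.
    return '/**/' . $handler . '(' . safeJson($data) . ');';
}

function htmlEscape(string $s): string
{
    // For anything that ends up in a text/html body (the EVAL branch).
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function validateGoods(array $post): array
{
    // Input validation limits the shape of the data; it complements output
    // encoding rather than replacing it (a title may legitimately contain "<").
    $title = trim((string) ($post['title'] ?? ''));
    if ($title === '' || mb_strlen($title) > 100 || preg_match('/[\x00-\x1F\x7F]/', $title)) {
        throw new InvalidArgumentException('title must be 1-100 printable characters');
    }
    $price = $post['price'] ?? null;
    if (!is_numeric($price) || (float) $price < 0) {
        throw new InvalidArgumentException('price must be a non-negative number');
    }
    return ['title' => $title, 'price' => round((float) $price, 2)];
}

// --- demonstration ---------------------------------------------------------
$data = ['code' => '0', 'msg' => 'added', 'data' => $postData];
echo "vulnerable JSON : ", vulnerableJson($data), PHP_EOL;
echo "vulnerable JSONP: ", vulnerableJsonp($data, $jsonpHandler), PHP_EOL;
echo "hardened JSON   : ", safeJson($data), PHP_EOL;
echo "hardened JSONP  : ", safeJsonp($data, $jsonpHandler), PHP_EOL;
echo "HTML-escaped    : ", htmlEscape($postData['title']), PHP_EOL;
print_r(validateGoods($postData));
```

Run it with `php example.php`. The Content-Type that ajaxReturn() sets matters for how far the reflection reaches: a browser does not render an application/json body as HTML, so the JSON branch is a problem mainly where the body is sniffed or re-embedded in a page; the JSONP branch, which prefixes the JSON with an unvalidated $_GET handler, and the EVAL branch, which is served as text/html and echoes $data unencoded, put request-controlled text directly into an executable context. Type conversion of the POST data alone does not help a string field such as title; encode on the output side for the context it lands in (JSON flags, HTML escaping, a whitelisted callback name), validate input shape as a second layer, and send X-Content-Type-Options: nosniff so clients do not reinterpret the response.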
