jflyfox / jfinal_cms

Multiple persistent XSS vulnerabilities

Backlog
Opened this issue 2020-04-07 19:37

Multiple persistent XSS vulnerabilities exist on the personal information edit page, as follows.

Step 1: go to the personal page to modify personal information and insert the payload (<script>alert(1)</script>).

[screenshot]

Step 2: enter the original password and save, then refresh the page. The effect can be seen.

[screenshot]
[screenshot]

The vulnerability is harmful in that the popup appears on any page the user has rated, and other users are also affected. The vulnerability can be triggered by any user, not necessarily an administrator. Other operations, such as obtaining administrator cookies, can also be carried out.

Comments (2)

纸光 created task
纸光 set related repository to jflyfox/jfinal_cms

Tested using the official demo site: first register an account, then use the payload to leave a message on any page. It will only show your avatar, but if another user visits the page, it will send that user's cookie to the specified site.

http://mtg.jflyfox.com/front/article/333.html

[screenshot]

The effect is shown below

[screenshot]

This is an XSS attack issue; a unified interceptor needs to be added to handle it, and special fields also need to be excludable. There are ready-made solutions online.
Similar issues include XSS, CSRF and SQL injection; you can search for them yourself.

We may consider adding these interceptors later.
