atjiu / pybbs

A more practical community (forum) developed in Java
GNU Affero General Public License v3.0

This forum has a large number of XSS vulnerabilities #171

Closed: retnullyu closed this issue 1 year ago

retnullyu commented 2 years ago

The first is located at the home page search.

Enter in the search box: 11" onclick='alert(/xss/)'

The second vulnerability is located in the admin backend.

In the topic editor in the admin backend, enter: <img src=1 onerror=alert(/xss/)>

The third vulnerability is located at the topic search.

Enter in the search box: " onmouseover='alert(/xss/)'

and many more

...

atjiu commented 1 year ago

Thanks, I fixed some of them. Actually the input boxes in the admin backend shouldn't need protecting; the backend is used by internal staff to manage the forum content, and they are hardly going to inject into their own site 😄

I have handled the search box and the title field for posting topics.
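As an added illustration of the kind of fix the maintainer describes for the search box (this is example code, not code from pybbs): the search term reflected into an input's value attribute without escaping, beside the same template with HTML escaping applied at render time, which neutralises any of the reported inputs whichever form they arrive through. The class name, the template string and the sample inputs are constructed for this demonstration.

```java
import java.util.List;

/** Reflecting a search term into HTML: the unsafe way and the escaped way. */
public class SearchEscapeDemo {

    // Vulnerable: the raw query is spliced into an attribute value, so a quote
    // closes the value and the rest of the input becomes new attributes.
    static String renderUnsafe(String query) {
        return "<input type=\"text\" name=\"q\" value=\"" + query + "\">";
    }

    // Encode the five characters that can change HTML structure: & < > " '
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Hardened: same template, but the query is escaped before insertion, so
    // the whole term stays inside the quoted attribute value as plain text.
    static String renderEscaped(String query) {
        return "<input type=\"text\" name=\"q\" value=\"" + escapeHtml(query) + "\">";
    }

    public static void main(String[] args) {
        // Constructed inputs modelled on the ones reported in this issue.
        List<String> samples = List.of(
            "11\" onclick='alert(/xss/)'",
            "<img src=1 onerror=alert(/xss/)>",
            "\" onmouseover='alert(/xss/)'");
        for (String q : samples) {
            System.out.println("unsafe : " + renderUnsafe(q));
            System.out.println("escaped: " + renderEscaped(q));
        }
    }
}
```

Escaping belongs at the output context (HTML text, attribute, URL, script) rather than at the input box, so the same helper covers the topic title when it is rendered, not only the search field.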