XSS Vulnerability

[S2eTo]

In AttributeSetFilter, multiple parameters are not XSS filtered cn.keking.web.filter.AttributeSetFilter#setWatermarkAttribute

Parameters are used in commonHeader src/main/resources/web/commonHeader.ftl

The modified template is referenced by multiple template files, among which picture.ftl

This template is used in /picturesPreview cn.keking.web.controller.OnlinePreviewController#picturesPreview

Vulnerability recurrence

/picturesPreview
?urls=aHR0cDovLzE=
&watermarkXSpace=1});}}alert(1);function a(){function b(){return ({//

[gaoxingzaq]

OK, thank you for your feedback

[gaoxingzaq]

String watermarkTxt= KkFileUtils.htmlEscape(request.getParameter("watermarkTxt")); request.setAttribute("watermarkTxt", watermarkTxt != null ? watermarkTxt : WatermarkConfigConstants.getWatermarkTxt()); String watermarkXSpace = KkFileUtils.htmlEscape(request.getParameter("watermarkXSpace")); request.setAttribute("watermarkXSpace", watermarkXSpace != null ? watermarkXSpace : WatermarkConfigConstants.getWatermarkXSpace()); String watermarkYSpace = KkFileUtils.htmlEscape(request.getParameter("watermarkYSpace")); request.setAttribute("watermarkYSpace", watermarkYSpace != null ? watermarkYSpace : WatermarkConfigConstants.getWatermarkYSpace()); String watermarkFont = KkFileUtils.htmlEscape(request.getParameter("watermarkFont")); request.setAttribute("watermarkFont", watermarkFont != null ? watermarkFont : WatermarkConfigConstants.getWatermarkFont()); String watermarkFontsize = KkFileUtils.htmlEscape(request.getParameter("watermarkFontsize")); request.setAttribute("watermarkFontsize", watermarkFontsize != null ? watermarkFontsize : WatermarkConfigConstants.getWatermarkFontsize()); String watermarkColor = KkFileUtils.htmlEscape(request.getParameter("watermarkColor")); request.setAttribute("watermarkColor", watermarkColor != null ? watermarkColor : WatermarkConfigConstants.getWatermarkColor()); String watermarkAlpha = KkFileUtils.htmlEscape(request.getParameter("watermarkAlpha")); request.setAttribute("watermarkAlpha", watermarkAlpha != null ? watermarkAlpha : WatermarkConfigConstants.getWatermarkAlpha()); String watermarkWidth = KkFileUtils.htmlEscape(request.getParameter("watermarkWidth")); request.setAttribute("watermarkWidth", watermarkWidth != null ? watermarkWidth : WatermarkConfigConstants.getWatermarkWidth()); String watermarkHeight = KkFileUtils.htmlEscape(request.getParameter("watermarkHeight")); request.setAttribute("watermarkHeight", watermarkHeight != null ? watermarkHeight : WatermarkConfigConstants.getWatermarkHeight()); String watermarkAngle = KkFileUtils.htmlEscape(request.getParameter("watermarkAngle")); request.setAttribute("watermarkAngle", watermarkAngle != null ? watermarkAngle : WatermarkConfigConstants.getWatermarkAngle());

public static String htmlEscape(String input) {
    if(StringUtils.hasText(input)){
        input = input.replaceAll("\\{", "%7B").replaceAll("}", "%7D");
        return HtmlUtils.htmlEscape(input);
    }
    return input;
}

[S2eTo]

Failed to repair the vulnerability, there is still a cross-site scripting attack vulnerability

/picturesPreview
?urls=aHR0cDovLzE=
&watermarkTxt=123
&watermarkXSpace=eval(`\x65\x76\x61\x6c\x28\x61\x6c\x65\x72\x74\x28\x27\x78\x73\x73\x27\x29\x29`)

Suggested fixes: Add quotes (', ") around parameters, like in the picture

If you need the parameter to be a number, you can use the parseInt/Float() function to parse the result into a number

[gaoxingzaq]

感谢您的支持 水印数字模式全面采用 public static boolean isInteger(String str) { if(StringUtils.hasText(str)){ boolean strResult = str.matches("-?[0-9]+.?[0-9]*"); return strResult ; } return false; } 只判断是否是数字 是就输出 不是就输出默认 if (!KkFileUtils.isInteger(watermarkYSpace)){ watermarkYSpace =null; }

[xulei1112]

好兄弟，我寻思这套代码没有用户，没有cookie，就算有xss也弹不了cookie鸭 @S2eTo

[xulei1112]

百思不得奇迹，能帮我解答一下这问题吗

[AnkioTomas]

好兄弟，我寻思这套代码没有用户，没有cookie，就算有xss也弹不了cookie鸭 @S2eTo

有的网站使用nginx反向代理，将kkfileview融入到自己的内部产品来。

例如 将 /view?url=路径代理到kkfileview服务，此时如果kkfileview服务存在xss，又被nginx反代回来，就会导致主站的cookie或者其他数据泄露。