lizhipay / acg-faka

Personal card-issuing source code, card-issuing system, ACG card-issuing system, ACG card-issuing source code, card-issuing program, anime card-issuing, PHP card-issuing source code, 异次元 card-issuing
MIT License

There is an xss vulnerability in app/Controller/User/Index.php #72

Closed N0boy-0 closed 11 months ago

N0boy-0 commented 1 year ago

Index.php takes a base64-encoded parameter, which can successfully bypass the WAF and cause it to be rendered on the page.

payload: a=";alert(123);"&b=";alert(123);"

We need to base64 encode the payload as a parameter:

/?code=YT0iO2FsZXJ0KDEyMyk7IiZiPSI7YWxlcnQoMTIzKTsi
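The pattern the report describes, shown as an added example (this is not code from acg-faka and does not reproduce Index.php): a handler base64-decodes a `code` query parameter, splits it into `a`/`b` key-value pairs and concatenates the values into an inline script. That the decoded value is a query string with `a` and `b` keys is an assumption taken from the shape of the quoted payload. The unsafe renderer lets the `";` in the payload terminate the JavaScript string literal; the hardened renderer JSON-encodes each value for the JavaScript context so the quotes are emitted as `\u0022` escapes and the value stays a string. The names `parseCodeParam`, `renderUnsafe` and `renderSafe` are hypothetical.

```php
<?php
// Added example, not the project's code. Mimics the reported pattern: a base64-encoded
// `code` parameter is decoded and its values are rendered into an inline <script>.
declare(strict_types=1);

/**
 * Decode the `code` parameter and parse it as a query string (assumed format:
 * "a=...&b=..."). Returns an empty array when the base64 is malformed.
 */
function parseCodeParam(string $code): array
{
    $decoded = base64_decode($code, true); // strict mode rejects non-base64 input
    if ($decoded === false) {
        return [];
    }
    parse_str($decoded, $params);
    return $params;
}

/**
 * Unsafe: raw values are concatenated into JavaScript string literals. A value
 * containing `";` closes the literal and the rest runs as script.
 */
function renderUnsafe(array $params): string
{
    $a = (string) ($params['a'] ?? '');
    $b = (string) ($params['b'] ?? '');
    return '<script>var a = "' . $a . '"; var b = "' . $b . '";</script>';
}

/**
 * Hardened: encode each value for the JavaScript context. json_encode() produces a
 * quoted JS string; the HEX flags turn ", ', <, > and & into \uXXXX escapes so the
 * value can neither close the literal nor terminate the <script> element.
 */
function renderSafe(array $params): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    $a = json_encode((string) ($params['a'] ?? ''), $flags);
    $b = json_encode((string) ($params['b'] ?? ''), $flags);
    return '<script>var a = ' . $a . '; var b = ' . $b . ';</script>';
}

// Constructed input: the encoded payload quoted in the report.
$code   = 'YT0iO2FsZXJ0KDEyMyk7IiZiPSI7YWxlcnQoMTIzKTsi';
$params = parseCodeParam($code);

echo "Decoded parameters:\n";
var_export($params);
echo "\n\nUnsafe rendering:\n", renderUnsafe($params), "\n";
echo "\nHardened rendering:\n", renderSafe($params), "\n";
```

Running the script side by side makes the defect visible: the unsafe output contains `"";alert(123);""`, so the browser sees an empty string followed by a bare `alert(123)` call, while the hardened output contains a single quoted string whose embedded quotes are `\u0022` escapes. Base64-decoding the parameter before it is filtered is why a request-level WAF does not see the payload; the durable fix is context-appropriate output encoding at the point of rendering (the JSON flags above for a JavaScript context, `htmlspecialchars()` for an HTML context), not a stronger WAF rule.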

lizhipay commented 11 months ago

Fixed, thanks for the feedback.