imlonghao
commented
5 years ago 首先感谢您的关注。
个人觉得您提出的这个问题,「问题真实存在但影响不大」
后台这两个地方的设计主要是有时候管理员需要直接使用 HTML 代码,因此这个地方的确也能插 XSS 代码
影响不大的原因有以下几点:
- 该问题使用前提要求攻击者拿到管理员的帐号和密码,才能进入后台执行管理员的操作,攻击前置要求高。
- 本项目为单用户个人博客系统,即便是产生了这个XSS,对其他注册用户影响也不大(因为是单用户的)。
(类比 WordPress 的话,管理员帐号密码如果泄漏了,甚至还可以后台 getshell 。)
因此还是建议保管好管理员的帐号和密码
deFming
1.A Cross-site scripting on Add plugin
Description
Cross-site scripting (XSS) vulnerability in /app/templates/base.html line 112 . {{ plugin.content | safe }} Use jinja2's safe tag to allow plugin content to be escaped and not filtered, resulting in Cross-site scripting (XSS) vulnerability
Steps To Reproduce:
After the administrator logged in. Url :http://192.168.195.164:8080/admin/custom/blog-plugin/add Data :csrf_token=1554792968%23%235f35bd58e994cc0ff9ee605d573442dc898ff6fc&title=plugin+xss¬e=test&content=<svg/onload=alert(1)>
back to the homepage
2.A Cross-site scripting on Add Article
Description
Cross-site scripting (XSS) vulnerability in /app/templates/article_detials.html line 14 . {{ article.content | safe }} Use jinja2's safe tag to allow plugin content to be escaped and not filtered, resulting in Cross-site scripting (XSS) vulnerability
Steps To Reproduce:
After the administrator logged in. URL http://192.168.195.164:8080/admin/submit-articles Data: csrf_token=1554793565%23%239ed010b3b0416557e2930cd0cc53c334f9f3f8ca&source=1&title=Article+xss&content=<svg/onload=alert(3)>&types=1&summary=test
back to the homepage and Click on article ,this will trigger xss http://192.168.195.164:8080/article-detials/2