thinkphp-bjyblog
Possible XSS vulnerability
Hello,
I would like to report an XSS vulnerability.
In file AdminBaseController.class.php, line 20:
redirect(U('Admin/Login/login'));
In file https://github.com/baijunyao/thinkphp-bjyblog/blob/master/ThinkPHP/Mode/Api/functions.php
function U
// line 869
$domain = $host.(strpos($host,'.')?'':strstr($_SERVER['HTTP_HOST'],'.'));
function U
// line 999
$url = (is_ssl()?'https://':'http://').$domain.$url;
// line 1003
return $url;
function redirect
// line 694
$url = str_replace(array("\n", "\r"), '', $url);
// line 707
$str = "<meta http-equiv='Refresh' content='{$time};URL={$url}'>";
// line 709
exit($str);
The exit function will terminate the script and print the message, which contains $_SERVER['HTTP_HOST'], to the user. Then there is an XSS vulnerability.
Fixed, thank you very much.
Thank you for your response.
CVE-2021-43682 has been assigned to this discovery.
thinkphp-bjyblog is affected by a Cross Site Scripting (XSS) vulnerability in AdminBaseController.class.php. The exit function will terminate the script and print the message to the user which has $_SERVER['HTTP_HOST'].
Similar sinks where I can see a source passed to them (possible vulnerabilities):
In file https://github.com/baijunyao/thinkphp-bjyblog/blob/master/ThinkPHP/Mode/Api/Controller.class.php
// line 61
exit(json_encode($data));
// line 69
$handler = isset($_GET[C('VAR_JSONP_HANDLER')]) ? $_GET[C('VAR_JSONP_HANDLER')] : C('DEFAULT_JSONP_HANDLER');
exit($handler.'('.json_encode($data).');');
In file https://github.com/baijunyao/thinkphp-bjyblog/blob/master/ThinkPHP/Library/Think/Controller.class.php
//line 216
exit(json_encode($data,$json_option));
//line 224
$handler = isset($_GET[C('VAR_JSONP_HANDLER')]) ? $_GET[C('VAR_JSONP_HANDLER')] : C('DEFAULT_JSONP_HANDLER');
exit($handler.'('.json_encode($data,$json_option).');');
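As an added illustration from a defender's view, not the project's code and not the fix the maintainer applied, here are the two sink shapes reported in this thread (the Host-derived redirect URL and the JSONP handler from $_GET) beside hardened versions. ALLOWED_HOSTS, safeHost, metaRefreshUnsafe, metaRefreshSafe and jsonpCallback are hypothetical names chosen for this example.

```php
<?php
// Added example, not thinkphp-bjyblog or ThinkPHP code. Function and
// constant names below are illustrative only.

// Hosts this application legitimately serves (assumed allowlist).
const ALLOWED_HOSTS = ['blog.example.com', 'www.example.com'];

// Resolve the host used for absolute URLs from an allowlist instead of
// trusting the client-controlled Host header, as U() in this thread does.
function safeHost(array $server): string
{
    $host = strtolower($server['HTTP_HOST'] ?? '');
    $hostOnly = preg_replace('/:\d+$/', '', $host); // ignore an optional port
    return in_array($hostOnly, ALLOWED_HOSTS, true) ? $host : ALLOWED_HOSTS[0];
}

// Vulnerable shape from redirect(): $url is interpolated raw into an
// HTML attribute; stripping CR/LF does nothing against quote characters.
function metaRefreshUnsafe(string $url, int $time = 0): string
{
    $url = str_replace(["\n", "\r"], '', $url);
    return "<meta http-equiv='Refresh' content='{$time};URL={$url}'>";
}

// Hardened shape: accept only http(s) or site-relative targets and escape
// for the attribute context the value is written into.
function metaRefreshSafe(string $url, int $time = 0): string
{
    if ($url === '' || (!preg_match('#^https?://#i', $url) && strpos($url, '/') !== 0)) {
        $url = '/'; // refuse javascript:, data: and other non-HTTP schemes
    }
    $escaped = htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<meta http-equiv='Refresh' content='{$time};URL={$escaped}'>";
}

// Hardened shape for the JSONP sinks: the callback must be a plain
// dotted identifier, otherwise fall back to the configured default.
function jsonpCallback(array $get, string $param, string $default): string
{
    $handler = $get[$param] ?? $default;
    $ident = '[A-Za-z_$][A-Za-z0-9_$]*';
    return preg_match("/^{$ident}(\\.{$ident})*$/", $handler) ? $handler : $default;
}

// Demonstration with constructed inputs that break out of the attribute.
$hostileHost = "attacker.example'>injected";
echo metaRefreshUnsafe("http://{$hostileHost}/Admin/Login/login"), "\n";
echo metaRefreshSafe('http://' . safeHost(['HTTP_HOST' => $hostileHost]) . '/Admin/Login/login'), "\n";
echo jsonpCallback(['callback' => 'alert(1);//'], 'callback', 'jsonpReturn'), "\n";
```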