zibbs
Stored XSS vulnerability in the background settings function parameter 【bbsmeta】
First log in to the background and go to the background Settings (a fairly low-value stored XSS vulnerability).
The description field here supports HTML syntax, so I guessed there was an XSS vulnerability. I captured the request, got the parameter 【bbsmeta】, and traced it in the source code.
application/controllers/AdminController.php code:
It is filtered by addslashes() and htmlspecialchars().
Obviously there is a layer of filtering when the data is inserted into the database, so I continued to trace where this parameter is output on the page, which led to the following:
application/views/index/index.php code:
When the page is output here, the parameter 【bbsmeta】 is passed through the htmlspecialchars_decode() function.
The stored XSS here results from the use of the htmlspecialchars_decode() function,
so I verified it with black-box testing:
Insert the following test statement in the background and click Update.
payload:
Then access the front end directly and the XSS executes successfully.
**http://20.20.20.129:8000/zibbs/index.php**
Solution:
Filter or encode special characters like this: < " ' & % ... ...
and filter some keywords like this: script javascript ... ...
or filter some tag attributes which can run JavaScript, like this: onclick onerror onload ... ...
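The following is an added illustration, not code from the zibbs project: it reproduces the encode-on-input / decode-on-output mismatch the report describes and contrasts it with an output path that keeps the stored encoding. All function names are hypothetical, the stored value is assumed to be passed into a quoted SQL literal (so the backslashes from addslashes() do not survive in the database), and the sample payload is constructed for the demonstration.

```php
<?php
// Admin side, as described for bbsmeta: addslashes() for the SQL layer, then
// htmlspecialchars(). stripslashes() stands in for the database layer removing
// the backslashes again, so the example stays self-contained (assumption).
function store_bbsmeta(string $input): string
{
    $escaped = htmlspecialchars(addslashes($input), ENT_QUOTES, 'UTF-8');
    return stripslashes($escaped); // what actually ends up in the database
}

// Vulnerable output path (as described for application/views/index/index.php):
// decoding undoes the only HTML protection applied on input.
function render_bbsmeta_vulnerable(string $stored): string
{
    return htmlspecialchars_decode($stored, ENT_QUOTES);
}

// Hardened output path: leave the stored entities as they are, so the browser
// shows the text literally. If limited HTML really must be supported, decode
// and then run the result through an allow-list sanitizer (e.g. HTML Purifier)
// rather than the character/keyword blacklist suggested in the report.
function render_bbsmeta_safe(string $stored): string
{
    return $stored;
}

// Review aid for tests: flags output that contains markup able to run script
// (a <script> tag, an on* handler inside a tag, or a javascript: URL).
// A pattern like this is for detection in tests, not a substitute for the fix.
function contains_active_markup(string $html): bool
{
    $pattern = '/<\s*script\b|<[a-z][^>]*\son[a-z]+\s*=|javascript\s*:/i';
    return (bool) preg_match($pattern, $html);
}

// Constructed sample input standing in for the report's test payload.
$payload = '<img src=x onerror="alert(1)"> It\'s a "test"';
$stored  = store_bbsmeta($payload);

$vulnerable = render_bbsmeta_vulnerable($stored);
$safe       = render_bbsmeta_safe($stored);

echo 'stored value:            ', $stored, PHP_EOL;
echo 'decoded on output:       ', $vulnerable, PHP_EOL;
echo 'active markup (decoded): ', var_export(contains_active_markup($vulnerable), true), PHP_EOL;
echo 'active markup (safe):    ', var_export(contains_active_markup($safe), true), PHP_EOL;
```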
3Q, but I think if a person needs access to the backend to destroy it, then this is not a bug.
I think it is difficult to exploit the vulnerability, but it is recommended to filter dangerous characters such as
I think I can't ignore your kindness; I decided to update it on GitHub during the Dragon Boat Festival.
Thank you