manage
Possible XSS vulnerability
Hello,
I would like to report an XSS vulnerability.
The path of the vulnerability.
In file Application/Home/Controller/GoodsController.class.php, line 21
```php
public function postGoods(){
    $postData = $_POST;
    $add=true;
    $this->upload($postData,$add);
}
```
line 53
```php
public function upload($postData,$isAdd){
    //...
        $add['title']=$postData['title'];
        $add['price']=$postData['price'];
        $add['img']=$info['picture']['savepath'].$info['picture']['savename'];
        if($isAdd){
            $this->addGoods($add);
        }
        //...
    }
}
```
line 77
```php
public function addGoods($addGoods){
    // ...
    if($result >= 0){
        $data=array(
            code=>'0',
            msg=>'添加成功',
            data=>$addGoods
        );
        $this->ajaxReturn($data);
    }
    // ...
}
```
In file ThinkPHP/Mode/Api/Controller.class.php line 55
```php
protected function ajaxReturn($data,$type='') {
    if(empty($type)) $type = C('DEFAULT_AJAX_RETURN');
    switch (strtoupper($type)){
        case 'JSON' :
            // Return JSON data to the client, including status information
            header('Content-Type:application/json; charset=utf-8');
            exit(json_encode($data));
        case 'XML' :
            // Return data in XML format
            header('Content-Type:text/xml; charset=utf-8');
            exit(xml_encode($data));
        case 'JSONP':
            // Return JSON data to the client, including status information
            header('Content-Type:application/json; charset=utf-8');
            $handler = isset($_GET[C('VAR_JSONP_HANDLER')]) ? $_GET[C('VAR_JSONP_HANDLER')] : C('DEFAULT_JSONP_HANDLER');
            exit($handler.'('.json_encode($data).');');
        case 'EVAL' :
            // Return executable JS script
            header('Content-Type:text/html; charset=utf-8');
            exit($data);
    }
}
```
The exit function will terminate the script and print a message to the user. There is then an XSS vulnerability because the message contains values from $_POST.
CVE-2021-43689 is assigned to this discovery.
manage (last update Oct 24, 2017) is affected by a Cross Site Scripting (XSS) vulnerability in Application/Home/Controller/GoodsController.class.php. The exit function will terminate the script and print a message which has values from $_POST.
CVE-2021-43689 is assigned to this discovery.
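manage (last updated: Oct 24, 2017) is affected by a Cross Site Scripting (XSS) vulnerability in Application/Home/Controller/GoodsController.class.php. The exit function will terminate the script and print a message containing values from $_POST.
I would like to know how this XSS vulnerability was fixed. I think the data submitted in the POST needs to have its type converted, but I am not sure whether that is right, or what other way there is to prevent XSS?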
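One way to address the question above, shown as an added example that is not part of this thread, the manage project, or ThinkPHP: validate the two fields that `upload()` copies from `$_POST`, then encode them for the context they are written into. The helper names, the length limit and the sample request are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helpers, not code from the manage project or ThinkPHP.

// Validate the two request fields that upload() copies from $_POST.
function clean_goods_input(array $post): array
{
    $title = isset($post['title']) && is_string($post['title']) ? trim($post['title']) : '';
    if ($title === '' || strlen($title) > 200) {   // 200 bytes is an assumed limit
        throw new InvalidArgumentException('invalid title');
    }
    // "Type conversion" only helps for fields with a strict format, such as price.
    $price = $post['price'] ?? null;
    if (!is_string($price) || !preg_match('/^\d{1,8}(\.\d{1,2})?$/D', $price)) {
        throw new InvalidArgumentException('invalid price');
    }
    return ['title' => $title, 'price' => $price];
}

// Encode the response so that <, >, &, ' and " leave the server as \uXXXX escapes.
// The body stays valid JSON but cannot form markup if a browser treats it as HTML.
function encode_json_response(array $data): string
{
    return json_encode($data, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// Escape at the point where a stored title is written into an HTML page.
function html_text(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample request body with markup in the free-text field.
$post = ['title' => '<b>Desk lamp</b> & "shade"', 'price' => '19.90'];

$goods = clean_goods_input($post);
$body  = encode_json_response(['code' => '0', 'msg' => 'ok', 'data' => $goods]);

header('Content-Type: application/json; charset=utf-8');
header('X-Content-Type-Options: nosniff');   // stop browsers from sniffing the body as HTML
echo $body, PHP_EOL;                         // JSON context
echo html_text($goods['title']), PHP_EOL;    // HTML context
```

A free-text field such as the title cannot be made safe by type conversion alone, so the encoding step at output is what neutralises it; the `EVAL` branch of `ajaxReturn`, which sends its argument as `text/html`, would need the HTML escaping rather than the JSON encoding.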