XSS vulnerability

[P0wfuu]

After the template file of ‘index.php?s=order/index' is parsed, there is a controllable variable here.


By using payload index.php?s=order&ids="><script>alert(1);</script> ,we can get an xss alert.But it need anyone is logining,so hacker can get user's cookies when they visit the evil link.

[gongfuxiang]

'index.php?s=order/index'的模板文件解析后，这里有一个可控变量。 通过使用payload ，我们可以获得一个xss警报。但是它需要任何人登录，所以黑客可以在访问恶意链接时获取用户的cookie。


index.php?s=order&ids="><script>alert(1);</script>

您好、非常感谢您的反馈，这个是新版本框架升级忘记开启参数验证了，前几天已在dev分支修复。

[P0wfuu]

Yeah,you hava fixed it.

[P0wfuu]

No,No,No.This vulnerability still exists. You only use htmlspecialchars for data_request, and then url-decode $params['ids'], so we can bypass it using the second url encoding.
?s=order&ids=%2522%253E%253Cscript%253Ealert(1)%3B%253C%2Fscript%253E

[gongfuxiang]

No,No,No.This vulnerability still exists. You only use htmlspecialchars for data_request, and then url-decode $params['ids'], so we can bypass it using the second url encoding.
?s=order&ids=%2522%253E%253Cscript%253Ealert(1)%3B%253C%2Fscript%253E

您好，非常感谢您的深度测试反馈，刚才已在 dev 分支提交了新的修复方案，如有问题可以再次提交记录。