Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

存在高危漏洞:存储型XSS #796

Closed
neronkl opened this issue Nov 15, 2022 · 7 comments
Closed

存在高危漏洞:存储型XSS #796

neronkl opened this issue Nov 15, 2022 · 7 comments
Assignees
@wklken @yuri0528
Labels
Layer: api Api module related Priority: Middlum Middlum priority Type: bug Something isn't working

Comments

@neronkl
Copy link
Contributor

neronkl commented Nov 15, 2022
edited
Loading

示例:
编辑用户名:<img src=1 onerror=alert(1) //>
image

触发:
权限中心,人员选择器,输入该用户username,即可触发
image
@neronkl neronkl changed the title 存在了高危漏洞:存储性XSS 存在高危漏洞:存储型XSS Nov 15, 2022
@wklken wklken added Type: bug Something isn't working Layer: api Api module related Priority: High labels Nov 15, 2022
@wklken wklken added this to the Y2022M46 milestone Nov 15, 2022
@wklken
Copy link
Collaborator

wklken commented Nov 15, 2022

全名

  • 页面编辑
  • excel 导入
  • ldap同步

这类地方需要加下校验(xss处理)

@nannan00
Copy link
Collaborator

输入来源都是内部系统或管理员操作的,风险可控

yuri0528 pushed a commit to yuri0528/bk-user that referenced this issue Nov 17, 2022
fix: 修复 xss 攻击漏洞 TencentBlueKing#796
4d55a81
yuri0528 pushed a commit to yuri0528/bk-user that referenced this issue Nov 17, 2022
@yuri0528
fix: 修复 xss 攻击漏洞 TencentBlueKing#796
f43ea24
@wklken wklken added Priority: Middlum Middlum priority and removed Priority: High labels Nov 17, 2022
@wklken wklken removed this from the Y2022M46 milestone Nov 21, 2022
@wklken
Copy link
Collaborator

wklken commented Nov 21, 2022

先自测

yuri0528 added a commit to yuri0528/bk-user that referenced this issue Nov 21, 2022
@yuri0528
fix: 修复 xss 攻击漏洞 TencentBlueKing#796
8ab43ba
EmilyMei pushed a commit that referenced this issue Nov 21, 2022
@yuri0528 @EmilyMei
fix: 修复 xss 攻击漏洞 #796
fcdc18c
@wklken
Copy link
Collaborator

wklken commented Nov 21, 2022

#807
2.5.2统一提测

@wklken wklken closed this as completed Nov 21, 2022
yuri0528 pushed a commit to yuri0528/bk-user that referenced this issue Nov 23, 2022
@yuri0528
fix: 修复 xss 攻击漏洞 TencentBlueKing#796
2433206
@wklken wklken mentioned this issue Dec 6, 2022
Open
@Canway-shiisa Canway-shiisa reopened this Dec 12, 2022
@Canway-shiisa
Copy link
Contributor

这里还存在一种情况没有检验:已存在用户进行编辑没有做校验

@neronkl
Copy link
Contributor Author

neronkl commented Dec 12, 2022

安全测试仍存在该问题: 测试人员通过抓包修改,仍然存在该问题
@wklken @nannan00 @Canway-shiisa

@wklken wklken mentioned this issue Dec 15, 2022
Closed
@wklken
Copy link
Collaborator

wklken commented Jan 12, 2023

通过别的方式处理了

@wklken wklken closed this as completed Jan 12, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@wklken wklken

@yuri0528 yuri0528

Labels
Layer: api Api module related Priority: Middlum Middlum priority Type: bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@wklken @nannan00 @neronkl @yuri0528 @Canway-shiisa