CVE-2022-28920: Possible XSS vulnerability · Issue #156 · MoeNetwork/Tieba-Cloud-Sign
Tieba-Cloud-Sign v4.9 was discovered to contain a cross-site scripting (XSS) vulnerability via the function strip_tags.
Comments
Hello,
I would like to report an XSS vulnerability.
In file https://github.com/MoeNetwork/Tieba-Cloud-Sign/blob/master/templates/control.php line 53.
case 'setplug': $plug = strip_tags($_GET['plug']); $pluginfo = getPluginInfo($plug);
Then, there is an echo in line 62.
echo '<a href="'.$pluginfo['plugin']['url'].'" target="_blank">';
strip_tags is not secure in this case. If you look at this code example, the alert will be displayed when you click the link.
<?php
$x = "'javascript:alert()'";
$y = strip_tags($x);   // strip_tags() only removes HTML tags, so $y is identical to $x
echo "<a href=$y>ClickMe</a>";
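An added example, not code from the Tieba-Cloud-Sign project or from either commenter: a PHP helper that validates a plugin URL at the point where control.php echoes it into an href, using a scheme allow-list plus attribute escaping instead of strip_tags. The names safe_href and render_plugin_link are assumptions; the $pluginfo array shape follows the echo on line 62, and the sample inputs are constructed.

```php
<?php
// Hypothetical helper (not from the project): validate a URL before it is
// placed in an href attribute. strip_tags() removes HTML tags only and leaves
// a "javascript:" URL untouched, so it is the wrong tool for this context.
function safe_href(string $url): ?string
{
    $url = trim($url);
    // Reject control characters and embedded whitespace, which browsers may
    // ignore while parsing the scheme.
    if (preg_match('/[\x00-\x20\x7f]/', $url)) {
        return null;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    // Allow-list: only plain web links are acceptable for a plugin homepage.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    // Escape for the HTML attribute context (quotes, angle brackets, ampersands).
    return htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Hypothetical replacement for the echo on line 62 of control.php.
function render_plugin_link(array $pluginfo): string
{
    $href = safe_href($pluginfo['plugin']['url'] ?? '');
    if ($href === null) {
        return '<span>(plugin URL rejected)</span>';
    }
    $name = htmlspecialchars($pluginfo['plugin']['name'] ?? 'plugin', ENT_QUOTES, 'UTF-8');
    return '<a href="' . $href . '" target="_blank" rel="noopener noreferrer">' . $name . '</a>';
}

// Constructed sample inputs.
$cases = [
    "'javascript:alert()'",          // the reporter's payload: strip_tags() leaves it unchanged
    'https://example.com/plugin',    // an ordinary plugin homepage, passed through escaped
    'https://example.com/?q="x"',    // quotes inside a valid URL are escaped, not stripped
];
foreach ($cases as $u) {
    printf("%-30s strip_tags=%-30s safe_href=%s\n",
        $u, strip_tags($u), var_export(safe_href($u), true));
}
echo render_plugin_link(['plugin' => ['url' => 'https://example.com/plugin', 'name' => 'demo']]), "\n";
```

The first case is rejected because parse_url yields no http/https scheme and host, which is the check strip_tags never performs.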
if (ROLE != 'admin') msg('权限不足!');
if (!file_exists($path . $plugin . '.php')) {
return false;
}
This vulnerability is not as serious as it might seem: we set up a permission check earlier that blocks access by non-admin users, and in addition the file existence check ensures that non-existent plugins will not be loaded, so triggering this vulnerability requires:
- The user is an administrator
- A plugin with a malicious external link is in use
Thank you for your feedback; we will fix it later.