CVE-2022-28074: Some security suggestions, recommend keeping this hidden · Issue #1769 · halo-dev/halo
Halo-1.5.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via \admin\index.html#/system/tools.
Which version of Halo has the issue?
1.5.0
What database are you using?
Other
What is your deployment method?
Fat Jar
Your site address.
No response
What happened?
Hello author, while deploying the environment I found some problems. I hope some security upgrades can be made in the next version. As follows: the exported file is not encrypted and its contents can be modified, which is a security risk: if a user publishes their blog backup openly on the internet and it gets modified, this can lead to stored XSS.
The json-data is not encrypted. Location: blog_footer_info can cause it; other locations are the same.
The effect is as follows:
Fix suggestion: encrypt the backup contents...
The same XSS can also be confirmed at this location: http://localhost:8090\admin\index.html#/system/tools
Relevant log output
No response
Additional information
English report:
·Description: Stored cross-site scripting (XSS) vulnerability in halo before 1.5.0 allows remote attackers to inject arbitrary web script or HTML via the halo-1.5.0/admin to index.html#/system/options, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Administer permission.
·Discovery process: Cross-site scripting (XSS) vulnerability in halo-1.5.0 via the <textarea> label to
1. halo-1.5.0\admin\index.html#/system/options, the Database Backup feature to 2. halo-1.5.0\admin\index.html#/system/tools
Setting website page in : http://localhost:8090\admin\index.html#/system/tools
When I clicked the label, the options will be saved… http://localhost:8090/s/about allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the <textarea> label.
Stored cross-site scripting (XSS) vulnerability in the Database Backup feature. When I clicked the label, the json-data will be exported.
This json-data allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected after the "key":"blog_footer_info","value": option.
If someone imports this json-data, this payload will be executed.
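The report above describes a backup export whose option values (for example `blog_footer_info`) are stored as raw HTML and re-rendered after import. The following Python script is an added example, not code from the Halo project or from the reporter: it shows how an operator could vet such an export before importing it, by flagging option values that contain active content and by HTML-escaping the values of options that are rendered into page markup. The JSON layout (`"options"` list of `key`/`value` records), the sample values and the `HTML_RENDERED_KEYS` list are constructed assumptions based only on the `"key":"blog_footer_info","value"` fragment quoted in the report.

```python
import html
import json
import re

# Constructed sample of a Halo-style backup export. This is NOT a real Halo
# export; the shape is an assumption based on the "key":"blog_footer_info",
# "value" fragment quoted in the report. The script tag is a test canary.
SAMPLE_BACKUP = json.dumps({
    "options": [
        {"key": "blog_title", "value": "Example Blog"},
        {"key": "blog_footer_info",
         "value": "<p>Powered by Halo</p><script>alert(1)</script>"},
    ]
})

# Option keys whose values end up inside rendered page HTML. Illustrative
# assumption; a real deployment would derive this from its theme templates.
HTML_RENDERED_KEYS = {"blog_footer_info"}

# Patterns that indicate active content rather than plain text: a <script>
# tag, an inline event-handler attribute, or a javascript: URL.
ACTIVE_CONTENT_RE = re.compile(
    r"<\s*script\b|\bon[a-z]+\s*=|javascript\s*:", re.IGNORECASE
)


def load_options(backup_json: str) -> list:
    """Parse the export and return its list of option records."""
    data = json.loads(backup_json)
    options = data.get("options", [])
    if not isinstance(options, list):
        raise ValueError("backup 'options' must be a list")
    return options


def find_suspicious_options(backup_json: str) -> list:
    """Return the keys whose values contain active content.

    Use this as a pre-import check: a non-empty result means the export
    should be reviewed by a human before anything from it is stored.
    """
    flagged = []
    for opt in load_options(backup_json):
        value = opt.get("value")
        if isinstance(value, str) and ACTIVE_CONTENT_RE.search(value):
            flagged.append(opt["key"])
    return flagged


def sanitize_backup(backup_json: str) -> str:
    """Return a copy of the export in which every HTML-rendered option value
    is HTML-escaped, so the browser shows it as text instead of parsing it
    as markup. Values of keys not in HTML_RENDERED_KEYS are left untouched.
    """
    data = json.loads(backup_json)
    for opt in data.get("options", []):
        if opt.get("key") in HTML_RENDERED_KEYS and isinstance(opt.get("value"), str):
            opt["value"] = html.escape(opt["value"], quote=True)
    return json.dumps(data)


if __name__ == "__main__":
    print("flagged before import:", find_suspicious_options(SAMPLE_BACKUP))
    print("sanitized export:", sanitize_backup(SAMPLE_BACKUP))
```

The escaping step is a different mitigation from the encryption the reporter suggests: encrypting the file protects it in transit and at rest, while escaping (or, in the application itself, output encoding at render time) is what stops an HTML-bearing option value from executing once it is imported and rendered. Running the detection pass on the sanitized output returns no flagged keys, which is the property an import pipeline would want to assert.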