
Discuz / DiscuzX

Merged
!310 Fix the XSS vulnerability caused by remote attachment download

老周部落:PR_Fix_Security_Forum_Attachment_XSS → Discuz:master

老周部落 Created on: 2019-12-16 18:07
Labels: Defect/BUG, Security/security

For the root cause of the vulnerability, see the linked issue: https://gitee.com/ComsenzDiscuz/DiscuzX/issues/I12XUQ

This PR applies a quote-stripping filter to both of the two insufficiently filtered parameters identified in the author's article, so the PoC can no longer close the quote correctly and the attack cannot execute.

Thanks to llfam for reporting this vulnerability; more people are welcome to join those keeping an eye on Discuz! X security.
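The mitigation the PR describes (stripping quotes so an injected value cannot break out of a quoted HTML attribute) is illustrated below with an added example. This is not Discuz! X code and not the PR's diff: the endpoint, the `file` parameter and the render functions are hypothetical stand-ins for the two real parameters, which this page does not name. The PoC string is constructed for illustration only.

```php
<?php
// Added example, not code from the Discuz! X project or from this PR.
// It contrasts three ways of placing a request parameter into an HTML
// attribute: unfiltered, with quotes stripped (the approach the PR takes),
// and with context-aware HTML encoding.

// Constructed inputs (hypothetical, not the reporter's actual PoC):
//  - $pocQuote tries to close the href attribute and add an event handler.
//  - $pocTag   tries to inject a tag without using any quote characters.
$pocQuote = '" onmouseover="alert(1)';
$pocTag   = '<img src=x onerror=alert(1)>';

// Vulnerable pattern: the parameter lands in an attribute and in a text
// node with no filtering at all.
function render_unfiltered(string $file): string
{
    return '<a href="download.php?file=' . $file . '">' . $file . '</a>';
}

// Mitigation in the spirit of the PR: remove single and double quotes so
// the value cannot terminate the quoted attribute it is placed into.
function strip_quotes(string $value): string
{
    return str_replace(['"', "'"], '', $value);
}

function render_quotes_stripped(string $file): string
{
    $safe = strip_quotes($file);
    return '<a href="download.php?file=' . $safe . '">' . $safe . '</a>';
}

// Stronger alternative: encode for the HTML context. ENT_QUOTES covers
// both quote styles, and < > & are encoded as well, so the same value is
// safe in a quoted attribute and in a text node.
function render_escaped(string $file): string
{
    $safe = htmlspecialchars($file, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="download.php?file=' . $safe . '">' . $safe . '</a>';
}

// Crude check used only for this demonstration: does the rendered markup
// still contain an attribute-closing quote followed by an event handler,
// or a raw injected tag?
function looks_exploitable(string $html): bool
{
    return (bool) preg_match('/" on\w+="|<img\b/i', $html);
}

foreach ([$pocQuote, $pocTag] as $input) {
    foreach (['unfiltered' => 'render_unfiltered',
              'quotes stripped' => 'render_quotes_stripped',
              'html escaped' => 'render_escaped'] as $label => $fn) {
        $html = $fn($input);
        printf("%-16s %-9s %s\n", $label, looks_exploitable($html) ? 'UNSAFE' : 'ok', $html);
    }
}
```

Running this shows the property the PR relies on: with quotes stripped, the first payload can no longer close the `href` attribute, so the `onmouseover` text stays inside the attribute value. It also shows the limit of that approach: the second payload uses no quotes, and quote stripping leaves it untouched in the text node, whereas `htmlspecialchars` with `ENT_QUOTES` neutralises both. Quote stripping is a targeted fix for the quoted-attribute context; output encoding per context is the general one.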

1 comment, 2 participants: laozhoubuluo, gududeweidao

老周部落 added label Security/security 2021-06-28 11:00
oldhuhu merged Pull Request 2019-12-19 11:48
oldhuhu check passed 2019-12-19 11:48
老周部落 updated description 2019-12-16 18:08
老周部落 assigned reviewer 湖中沉 2019-12-16 18:07
老周部落 assigned reviewer oldhuhu 2019-12-16 18:07
老周部落 assigned reviewer monkeye 2019-12-16 18:07
老周部落 assigned reviewer Discuz! 2019-12-16 18:07
老周部落 assigned reviewer LooTan 2019-12-16 18:07
老周部落 assigned reviewer comsenz-service 2019-12-16 18:07
老周部落 assigned reviewer DiscuzX 2019-12-16 18:07
老周部落 set priority to Main 2019-12-16 18:07
老周部落 added label bug 2019-12-16 18:07