This repository has been archived by the owner on Oct 16, 2022. It is now read-only.

Possible XSS vulnerability #6

Open
enferas opened this issue Nov 11, 2021 · 3 comments

Comments

@enferas

enferas commented Nov 11, 2021

Hello,

I would like to report an XSS vulnerability.

In file AdminBaseController.class.php, line 20:

redirect(U('Admin/Login/login'));

In file https://github.com/baijunyao/thinkphp-bjyblog/blob/master/ThinkPHP/Mode/Api/functions.php

line 869, function U

$domain = $host.(strpos($host,'.')?'':strstr($_SERVER['HTTP_HOST'],'.'));

function U

// line 999
$url   =  (is_ssl()?'https://':'http://').$domain.$url;
// line 1003
return $url;

function redirect

// line 694
$url        = str_replace(array("\n", "\r"), '', $url);
// line 707
$str    = "<meta http-equiv='Refresh' content='{$time};URL={$url}'>";
// line 709
exit($str);

The exit function will terminate the script and print the message to the user, which contains $_SERVER['HTTP_HOST']. Then there is an XSS vulnerability.

baijunyao added a commit that referenced this issue Dec 6, 2021
@baijunyao
Owner

Fixed, thank you very much.

@enferas
Author

enferas commented Dec 7, 2021

Thank you for your response.

CVE-2021-43682 is assigned to this discovery.

thinkphp-bjyblog is affected by a Cross Site Scripting (XSS) vulnerability in AdminBaseController.class.php. The exit function will terminate the script and print the message to the user, which contains $_SERVER['HTTP_HOST'].

@enferas
Author

enferas commented Dec 9, 2021

Similar sinks that I can see with a source passing to them (possible vulnerabilities):

In file https://github.com/baijunyao/thinkphp-bjyblog/blob/master/ThinkPHP/Mode/Api/Controller.class.php

// line 61
exit(json_encode($data));
// line 69
$handler  =   isset($_GET[C('VAR_JSONP_HANDLER')]) ? $_GET[C('VAR_JSONP_HANDLER')] : C('DEFAULT_JSONP_HANDLER');
exit($handler.'('.json_encode($data).');'); 

In file https://github.com/baijunyao/thinkphp-bjyblog/blob/master/ThinkPHP/Library/Think/Controller.class.php

//line 216
exit(json_encode($data,$json_option));
//line 224
$handler  =   isset($_GET[C('VAR_JSONP_HANDLER')]) ? $_GET[C('VAR_JSONP_HANDLER')] : C('DEFAULT_JSONP_HANDLER');
exit($handler.'('.json_encode($data,$json_option).');');  
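As an added example (not the project's own code, nor the fix the owner committed), the two sink patterns reported in this thread, the Host-header-derived redirect from the first post and the JSONP handler from this one, rewritten so that untrusted input cannot reach the HTML or script output unchecked. ALLOWED_HOSTS, safe_host(), safe_redirect() and safe_jsonp_callback() are illustrative names, not ThinkPHP APIs.

```php
<?php
// Added example, not the project's code: hardened versions of the two sink
// patterns reported in this issue. ALLOWED_HOSTS, safe_host(), safe_redirect()
// and safe_jsonp_callback() are illustrative names, not ThinkPHP APIs.

const ALLOWED_HOSTS = ['blog.example.com', 'www.example.com']; // constructed

// Only an allowlisted host may be used to build URLs; the Host header is
// client-controlled, so an unknown value falls back to the canonical host.
function safe_host(array $server): string
{
    $host = strtolower((string)($server['HTTP_HOST'] ?? ''));
    $host = preg_replace('/:\d+$/', '', $host);          // drop ":port"
    return in_array($host, ALLOWED_HOSTS, true) ? $host : ALLOWED_HOSTS[0];
}

// redirect() in the issue only stripped "\n" and "\r"; here the URL is also
// HTML-escaped so quotes or angle brackets cannot terminate the attribute.
function safe_redirect(string $path, int $time, array $server): string
{
    $scheme = (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') ? 'https://' : 'http://';
    $url = str_replace(["\n", "\r"], '', $scheme . safe_host($server) . $path);
    $escaped = htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<meta http-equiv='Refresh' content='{$time};URL={$escaped}'>";
}

// The JSONP sink concatenates $_GET[...] straight into a script body.
// Restrict the callback to a plain (optionally dotted) identifier and
// fall back to the configured default otherwise.
function safe_jsonp_callback(array $get, string $param, string $default): string
{
    $handler = (string)($get[$param] ?? '');
    $ident = '/^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/';
    return preg_match($ident, $handler) === 1 ? $handler : $default;
}

// Constructed inputs: a tampered Host header and a callback that is not an identifier.
$server = ['HTTP_HOST' => "evil.example'", 'HTTPS' => 'on'];
$get    = ['callback' => 'foo(1);bar'];
echo safe_redirect('/Admin/Login/login', 0, $server), "\n";
$cb = safe_jsonp_callback($get, 'callback', 'jsonpReturn');
echo $cb . '(' . json_encode(['ok' => true]) . ');', "\n";
```

With these inputs the redirect is built on the allowlisted host and the JSONP output uses the default handler name, so neither request-controlled value appears in the response.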
