A SaaS rapid development platform based on Yii2, with built-in multi-merchant support and built-in sub-systems such as a shop, a forum and a CMS. Yii2/Mysql/Mongodb/Redis/Elasticsearch/SnowFlake snowflake-algorithm ID generation, RBAC dynamic permissions, data permissions, scheduled tasks, logs/messages, code generation (Gii upgrade).
Home Page: https://www.funboot.net/
License: BSD 3-Clause "New" or "Revised" License
PHP 92.11%
HTML 1.37%
CSS 5.88%
Less 0.19%
SCSS 0.42%
Batchfile 0.01%
Shell 0.03%
Hack 0.01%
CoffeeScript 0.01%
funboot's Issues
Vulnerability product: funboot
Vulnerability version: v1.1
Vulnerability type: Stored XSS
Vulnerability details:
<script>alert(document.cookie)</script>
The stored XSS payload could let an admin cause disclosure of cookies, the root path of the website, PHP variables and so on.

First, log in: https://www.funboot.net/backend/site/login
Default account: test
Default password: 123456

After logging in, create a message in the message list.

When creating a message, users, titles and content can be selected.
It was found that the title can be used to store malicious code (stored XSS) to obtain user information and access it over the network.
Clicking on 'sent' will reveal the pop-up with the cookie information.
This proves the existence of stored XSS.
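The report above boils down to a message title that is stored verbatim and later written into backend HTML without encoding. The following PHP is an added example, not code from the funboot project: it renders the same title field both unsafely and with output encoding at the HTML boundary, and includes a small check a view test could use to detect raw markup surviving into the rendered fragment. The message array, the `renderTitle*` functions and `containsRawMarkup` are assumptions made for this example; in a Yii2 view the equivalent encoding call is `yii\helpers\Html::encode()`.

```php
<?php
// Added example (not funboot project code): render a stored message title safely.
// Assumption: a message row is an associative array with a 'title' key, used here
// as a plain PHP stand-in for the model the backend message form would save.

declare(strict_types=1);

/**
 * Encode untrusted text for use inside an HTML text node or a quoted attribute.
 * This is the same transformation yii\helpers\Html::encode() applies in a Yii2 view.
 */
function encodeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Vulnerable rendering: the stored title is concatenated into markup as-is. */
function renderTitleUnsafe(array $message): string
{
    return '<h3 class="message-title">' . $message['title'] . '</h3>';
}

/** Hardened rendering: the title is encoded at the output boundary. */
function renderTitleSafe(array $message): string
{
    return '<h3 class="message-title">' . encodeHtml($message['title']) . '</h3>';
}

/**
 * Detection-style check for a rendered fragment: returns true when anything
 * tag-like other than the trusted wrapper tag is present. Suitable as an
 * assertion in a view test; it is not a substitute for encoding.
 */
function containsRawMarkup(string $html, string $expectedWrapperTag): bool
{
    // Remove the known, trusted wrapper tag, then look for any remaining tag start.
    $stripped = preg_replace(
        '#</?' . preg_quote($expectedWrapperTag, '#') . '\b[^>]*>#i',
        '',
        $html
    );
    return (bool) preg_match('#<\s*/?\s*[a-z]#i', $stripped);
}

// Constructed sample input: the title payload from the report, stored unmodified.
$message = ['title' => '<script>alert(document.cookie)</script>'];

$unsafe = renderTitleUnsafe($message);
$safe   = renderTitleSafe($message);

printf("unsafe: %s\n  raw markup present: %s\n", $unsafe, var_export(containsRawMarkup($unsafe, 'h3'), true));
printf("safe:   %s\n  raw markup present: %s\n", $safe, var_export(containsRawMarkup($safe, 'h3'), true));
```

The fix belongs at the point where the title is written into HTML, not at input time: the admin backend, the shop, the forum and the CMS may all render the same stored value, so input filtering in one form does not protect the others. Encoding with `ENT_QUOTES` also covers the case where the title lands inside a single- or double-quoted attribute rather than a text node.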