sdfsky / tipask

315.0 23.0 105.0 15.71 MB

Tipask is an open-source PHP Q&A system built on the Laravel framework; it is easy to extend and has strong load capacity and stability.

Home Page: http://www.tipask.com

PHP 10.34% JavaScript 68.50% CSS 6.48% Vue 0.13% SCSS 0.02% Blade 14.54%
tipask php laravel cms tipask-php-laravel

tipask's Issues

Responsible Disclosure: Tipask PostAuth LFR

1、Intro

  1. Tipask: Tipask is an open-source PHP Question & Answer system developed on the Laravel framework that is easy to scale and has strong load capacity and stability.
  2. Tipask < 3.5.9 fails to validate the path parameter entered by the user when downloading attachments, so **a registered user can download arbitrary files on the Tipask server**, such as .env, /etc/passwd, laravel.log and so on, causing information leakage.
  3. This vulnerability is CREDITED to the following entity:
Qi'An Xin Technology Group, Network Security Department, Product-Security Team

(1)Vendor

Official Site: https://www.tipask.com/
GitHub Repo: https://github.com/sdfsky/tipask
Source code can be downloaded at: https://www.tipask.com/release/Tipask_v3.5.8_UTF8_20210620.zip

(2)Description

  • Exploiting the vulnerability requires the attacker to be logged in as a registered user. By successfully exploiting it, the attacker can download any file on the Tipask server.
  • Affected Version: Tipask ≤ 3.5.8
  • Fofa dork: https://fofa.so/result?qbase64=YXBwPSJUaXBhc2st5YWs5Y%2B45Lqn5ZOBIg%3D%3D
    • 700+ tipask servers in the wild
  • CVSS: 3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
    • Score: 7.7 (High)
    • Type: Local File Read
  • Since the vendor CONFIRMED this vulnerability on 2021/09/17 and patched it via commit 9b5f13, users are able to apply the patch to avoid this vuln.

2、PoC & EXP

Once you've registered and logged in, you can access the following address directly:

PoC

For a Linux server, the PoC is as follows:

http://tipask/attach/download/..-..-..-..-..-..-..-etc-hosts

EXP

https://tipask/attach/download/..-..-.env
http://tipask/attach/download/..-logs-laravel.log
http://tipask/attach/download/..-..-..-..-..-..-..-etc-passwd

The vulnerability involves 1 file:
app\Http\Controllers\AttachController.php
[screenshot]

Path traversal due to no parameter check.

Here is the sensitive information that was downloaded via the vuln.
[screenshot]

Of course, mitigations are easy to implement:

  • limit the directories that can be read, e.g. by using basename() to process the user's input parameter
  • forbid user input parameters from containing `..`

The vendor CONFIRMED this vulnerability on 2021/09/17 and has patched it via commit 9b5f13; users are able to apply the patch to avoid this vuln.

[screenshot]


3、Reference
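The two mitigations named in the report (restrict the readable directory, refuse `..`) are enough on their own only if they are applied consistently; the check below, written here as an added example in plain PHP and not Tipask's code or the vendor's 9b5f13 patch, layers both: it rejects any `..`, `.` or empty segment and absolute paths before touching the filesystem, then canonicalises with realpath() and verifies the result is still inside the attachment directory, which also catches a symlink that a segment check alone would pass. It assumes the route parameter encodes `/` as `-`, as the PoC URLs above suggest; the function names, directory layout and temp-directory self-check are assumptions and not the project's API.

```php
<?php
declare(strict_types=1);

// Added example, not Tipask's own code. Assumes attachments live under
// $attachDir and that the route parameter encodes '/' as '-' (as the PoC
// URLs in the report suggest); both are assumptions, not the project's API.

/**
 * Map a user-supplied attachment identifier to an absolute path inside
 * $attachDir, or return null if the request must be refused.
 */
function resolveAttachmentPath(string $attachDir, string $userParam): ?string
{
    // Apply the '-' => '/' mapping the route is assumed to use, and map
    // backslashes too so Windows-style traversal hits the same checks.
    $relative = str_replace(['-', '\\'], '/', $userParam);

    // Mitigation 2 from the report: no '..' segments. Also refuse empty
    // segments, '.', a leading '/' (absolute path) and NUL bytes.
    if ($relative === '' || $relative[0] === '/' || strpos($relative, "\0") !== false) {
        return null;
    }
    foreach (explode('/', $relative) as $segment) {
        if ($segment === '' || $segment === '.' || $segment === '..') {
            return null;
        }
    }

    // Mitigation 1, as defence in depth: canonicalise and confirm containment.
    // realpath() follows symlinks, so a link inside $attachDir that points
    // outside it is rejected here even though it passed the segment check.
    $base = realpath($attachDir);
    $candidate = realpath($attachDir . '/' . $relative);
    if ($base === false || $candidate === false || !is_file($candidate)) {
        return null;
    }
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

/**
 * Self-check against a constructed temp layout (created and removed here):
 *   <tmp>/attach/2021/report.pdf   legitimate attachment
 *   <tmp>/attach/link.env          symlink to <tmp>/secret.env
 *   <tmp>/secret.env               must never be reachable
 * Returns check-name => bool.
 */
function selfCheck(): array
{
    $root = sys_get_temp_dir() . '/attach_demo_' . bin2hex(random_bytes(4));
    mkdir($root . '/attach/2021', 0700, true);
    file_put_contents($root . '/attach/2021/report.pdf', 'pdf');
    file_put_contents($root . '/secret.env', 'APP_KEY=placeholder');
    symlink($root . '/secret.env', $root . '/attach/link.env');

    $dir = $root . '/attach';
    $results = [
        'legit file served'       => resolveAttachmentPath($dir, '2021-report.pdf') !== null,
        'dotdot rejected'         => resolveAttachmentPath($dir, '..-secret.env') === null,
        'deep dotdot rejected'    => resolveAttachmentPath($dir, '..-..-..-etc-passwd') === null,
        'absolute path rejected'  => resolveAttachmentPath($dir, '-etc-passwd') === null,
        'symlink escape rejected' => resolveAttachmentPath($dir, 'link.env') === null,
        'missing file rejected'   => resolveAttachmentPath($dir, '2021-nope.pdf') === null,
    ];

    unlink($root . '/attach/link.env');
    unlink($root . '/attach/2021/report.pdf');
    unlink($root . '/secret.env');
    rmdir($root . '/attach/2021');
    rmdir($root . '/attach');
    rmdir($root);
    return $results;
}

foreach (selfCheck() as $name => $ok) {
    printf("%-24s %s\n", $name, $ok ? 'ok' : 'FAIL');
}
```

One consequence of the assumed `-` encoding is that a stored filename containing a hyphen would be split into directories; if real attachment names can contain hyphens, a different separator encoding (or a lookup of the stored path by attachment id, with no user-controlled path at all) is the cleaner design, and the containment check stays the same.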

Problem with the admin email configuration

Version: latest
commit f4752c5

Error page:
admin/setting/email

Error summary:
Whoops, looks like something went wrong.
ErrorException in Setting.php line 45:
Array to string conversion

Error stack:
in Setting.php line 45
at HandleExceptions->handleError('8', 'Array to string conversion', '/var/www/html/app/Models/Setting.php', '45', array('env_path' => '/var/www/html/.env', 'env_content' => 'APP_DEBUG=true APP_ENV=local APP_KEY=mnbl2zciiMg9qjFDaDzLAKIFUT2MR5Gv CONTENT_LENGTH=303 CONTENT_TYPE=application/x-www-form-urlencoded DB_DATABASE=tipaskx DB_HOST=db DB_PASSWORD=password1 DB_PORT=3306 DB_PREFIX=ask_ DB_USER=tipaskdb DB_USERNAME=tipaskdb DEVEL_KIT_MODULE_VERSION=0.3.0 DOCUMENT_ROOT=/var/www/html/public DOCUMENT_URI=/index.php FCGI_ROLE=RESPONDER GATEWAY_INTERFACE=CGI/1.1 GPG_KEYS=CBAF69F173A0FEA4B537F470D66C9593118BCCB6 F38252826ACD957EF380D39F2F7956BC5DA04B5D HOME=/var/cache/nginx HOSTNAME=f4581309a5d8 HTTP_ACCEPT=text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3 HTTP_ACCEPT_ENCODING=gzip, deflate HTTP_ACCEPT_LANGUAGE=zh-CN,zh;q=0.9,en;q=0.8,zh-TW;q=0.7 HTTP_CACHE_CONTROL=max-age=0 HTTP_CONNECTION=keep-alive HTTP_CONTENT_LENGTH=303 HTTP_CONTENT_TYPE=application/x-www-form-urlencoded HTTP_COOKIE=bmd__Session=72dbf41355aa22cda0b676c9b7932d6c; UM_distinctid=16c897725106d4-09e4718f94c8ff-37c153e-144000-16c89772511b71; CNZZDATA1273638993=1321489185-1565669051-http%253A%252F%252F192.168.106.128%253A8080%252F%7C1565674454; bmd__user_login=2LL7Xn6FE1RhNWMKTamIiINQh%2FZgEFDXjcRtXtlLA%2BSHspsToZBFESNeTqfRuTzE%2B%2BrbpjKBsqGlOxs9zfFFkIPZBS95Ttm8uJQpcoZdwllYizB5Y2Sag0TUzKlrvyUq; remember_82e5d2c56bdd0811318f0cf078b78bfc=eyJpdiI6InlLSkhRaUlmaWFtdEN4MlJUMmJtMlE9PSIsInZhbHVlIjoiK0J0SWtzSkJ3SDBtSEc0UkZcLzQzMTVpdTMzcFpUajZjQjdZYVhKYXRXWnE3UzlWQXdmSVRQamJOTXJsY1dZVDBFSTU4OFwvZlJYZzJyYWt6VHM4NHdIOUJ2b2p4ZE9PRHExXC9USktIeFc3Tm89IiwibWFjIjoiZjc0MjFhOTZhZjNjNThjNTIxYjRiZDYxYmY3MGNiNGUzMzhmNzY1YTBkYmM3Y2Q5YTdlOGJmNzQwZDM2ZjFhZSJ9; 
XSRF-TOKEN=eyJpdiI6IjRES2lEOEJUT2NURmRrMzI4RlI4U3c9PSIsInZhbHVlIjoiVkZPdGxnbFpodnNcL212MUFHSm5wcllFVzZJOVhGUnVaVVwvR3JsaCthcm51XC9UNFNjUk83dlJiUEJZdXQ2dFwveGpMck5uYlMrTWRrWThqQTN0TXdQMUJnPT0iLCJtYWMiOiIzZThjMDc5YTVlYmQwMzEzODlhNTQ4OTg5ZWQ4N2E2YTdiZjA2MGI5ZDc1ZTAyYThkMmU1MDY5NTMyYTlhMTA0In0%3D; laravel_session=eyJpdiI6IjUwdlArN2t2ZTN6QUlUUVhxcXBaeGc9PSIsInZhbHVlIjoiZFc1dDVISWpHUnZ4VjhCeHJ2NkU4ZlNpMkh2aXh6VHJjTXdVR0FzbU5yN3JPaEwwMzk4cXFoSjl3WXlHTStxb2NMNUZ1WmIxeW5QYm5EckJGTFhESGc9PSIsIm1hYyI6ImYzMzAxZGMzM2YxZWM0YzM3OWU0YmYyYjBiYmVhZTU1MjRiMzIxOTAxNWZiZmI0OTUzNjViYzc3MDI0OWY5ZDMifQ%3D%3D HTTP_HOST=192.168.106.128:8008 HTTP_ORIGIN=http://192.168.106.128:8008 HTTP_REFERER=http://192.168.106.128:8008/admin/setting/email HTTP_UPGRADE_INSECURE_REQUESTS=1 HTTP_USER_AGENT=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.80 Safari/537.36 LD_PRELOAD=/usr/lib/preloadable_libiconv.so php LUAJIT_INC=/usr/include/luajit-2.1 LUAJIT_LIB=/usr/lib LUA_MODULE_VERSION=0.10.14 MAIL_DRIVER=smtp MAIL_ENCRYPTION=ssl MAIL_FROM_ADDRESS=[email protected] MAIL_FROM_NAME=qiniu MAIL_HOST=smtp.163.com MAIL_OPEN=0 MAIL_PASSWORD=xxxxx! 
MAIL_PORT=465 MAIL_SENDMAIL=/usr/sbin/sendmail -bs MAIL_USERNAME=[email protected] NGINX_VERSION=1.16.0 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin PHPIZE_DEPS=autoconf dpkg-dev dpkg file g++ gcc libc-dev make pkgconf re2c PHP_ASC_URL=https://www.php.net/get/php-7.3.8.tar.xz.asc/from/this/mirror PHP_CFLAGS=-fstack-protector-strong -fpic -fpie -O2 PHP_CPPFLAGS=-fstack-protector-strong -fpic -fpie -O2 PHP_EXTRA_CONFIGURE_ARGS=--enable-fpm --with-fpm-user=www-data --with-fpm-group=www-data --disable-cgi PHP_INI_DIR=/usr/local/etc/php PHP_LDFLAGS=-Wl,-O1 -Wl,--hash-style=both -pie PHP_MD5= PHP_SELF=/index.php PHP_SHA256=f6046b2ae625d8c04310bda0737ac660dc5563a8e04e8a46c1ee24ea414ad5a5 PHP_URL=https://www.php.net/get/php-7.3.8.tar.xz/from/this/mirror PHP_VERSION=7.3.8 PWD=/var/www/html QUERY_STRING= REDIRECT_STATUS=200 REMOTE_ADDR=192.168.106.1 REMOTE_PORT=59545 REQUEST_METHOD=POST REQUEST_SCHEME=http REQUEST_TIME=1566270938 REQUEST_TIME_FLOAT=1566270938.8701 REQUEST_URI=/admin/setting/email SCRIPT_FILENAME=/var/www/html/public/index.php SCRIPT_NAME=/index.php SERVER_ADDR=172.29.0.4 SERVER_NAME=_ SERVER_PORT=80 SERVER_PROTOCOL=HTTP/1.1 SERVER_SOFTWARE=nginx/1.16.0 SHLVL=1 SUPERVISOR_ENABLED=1 SUPERVISOR_GROUP_NAME=php-fpm SUPERVISOR_PROCESS_NAME=php-fpm SUPERVISOR_SERVER_URL=unix:///dev/shm/supervisor.sock USER=nginx argc=0 ', 'value' => array(), 'key' => 'argv')) in Setting.php line 45
at Setting::writeToEnv() in SettingController.php line 67
at SettingController->email(object(Request))
at call_user_func_array(array(object(SettingController), 'email'), array(object(Request))) in Controller.php line 256
at Controller->callAction('email', array(object(Request))) in ControllerDispatcher.php line 164
at ControllerDispatcher->call(object(SettingController), object(Route), 'email') in ControllerDispatcher.php line 112
at ControllerDispatcher->Illuminate\Routing{closure}(object(Request))
at call_user_func(object(Closure), object(Request)) in Pipeline.php line 139
at Pipeline->Illuminate\Pipeline{closure}(object(Request))
at call_user_func(object(Closure), object(Request)) in Pipeline.php line 102
at Pipeline->then(object(Closure)) in ControllerDispatcher.php line 114
at ControllerDispatcher->callWithinStack(object(SettingController), object(Route), object(Request), 'email') in ControllerDispatcher.php line 68
at ControllerDispatcher->dispatch(object(Route), object(Request), 'App\Http\Controllers\Admin\SettingController', 'email') in Route.php line 203
at Route->runWithCustomDispatcher(object(Request)) in Route.php line 134
at Route->run(object(Request)) in Router.php line 708
at Router->Illuminate\Routing{closure}(object(Request))
at call_user_func(object(Closure), object(Request)) in Pipeline.php line 139
at Pipeline->Illuminate\Pipeline{closure}(object(Request)) in AdminAuthenticate.php line 26
at AdminAuthenticate->handle(object(Request), object(Closure))
at call_user_func_array(array(object(AdminAuthenticate), 'handle'), array(object(Request), object(Closure))) in Pipeline.php line 124
at Pipeline->Illuminate\Pipeline{closure}(object(Request)) in Authenticate.php line 44
at Authenticate->handle(object(Request), object(Closure))
at call_user_func_array(array(object(Authenticate), 'handle'), array(object(Request), object(Closure))) in Pipeline.php line 124
at Pipeline->Illuminate\Pipeline{closure}(object(Request))
at call_user_func(object(Closure), object(Request)) in Pipeline.php line 102
at Pipeline->then(object(Closure)) in Router.php line 710
at Router->runRouteWithinStack(object(Route), object(Request)) in Router.php line 674
at Router->dispatchToRoute(object(Request)) in Router.php line 635
at Router->dispatch(object(Request)) in Kernel.php line 236
at Kernel->Illuminate\Foundation\Http{closure}(object(Request))
at call_user_func(object(Closure), object(Request)) in Pipeline.php line 139
at Pipeline->Illuminate\Pipeline{closure}(object(Request)) in VerifyCsrfToken.php line 50
at VerifyCsrfToken->handle(object(Request), object(Closure))
at call_user_func_array(array(object(VerifyCsrfToken), 'handle'), array(object(Request), object(Closure))) in Pipeline.php line 124
at Pipeline->Illuminate\Pipeline{closure}(object(Request)) in ShareErrorsFromSession.php line 49
at ShareErrorsFromSession->handle(object(Request), object(Closure))
at call_user_func_array(array(object(ShareErrorsFromSession), 'handle'), array(object(Request), object(Closure))) in Pipeline.php line 124
at Pipeline->Illuminate\Pipeline{closure}(object(Request)) in StartSession.php line 62
at StartSession->handle(object(Request), object(Closure))
at call_user_func_array(array(object(StartSession), 'handle'), array(object(Request), object(Closure))) in Pipeline.php line 124
at Pipeline->Illuminate\Pipeline{closure}(object(Request)) in AddQueuedCookiesToResponse.php line 37
at AddQueuedCookiesToResponse->handle(object(Request), object(Closure))
at call_user_func_array(array(object(AddQueuedCookiesToResponse), 'handle'), array(object(Request), object(Closure))) in Pipeline.php line 124
at Pipeline->Illuminate\Pipeline{closure}(object(Request)) in EncryptCookies.php line 59
at EncryptCookies->handle(object(Request), object(Closure))
at call_user_func_array(array(object(EncryptCookies), 'handle'), array(object(Request), object(Closure))) in Pipeline.php line 124
at Pipeline->Illuminate\Pipeline{closure}(object(Request)) in CheckForMaintenanceMode.php line 44
at CheckForMaintenanceMode->handle(object(Request), object(Closure))
at call_user_func_array(array(object(CheckForMaintenanceMode), 'handle'), array(object(Request), object(Closure))) in Pipeline.php line 124
at Pipeline->Illuminate\Pipeline{closure}(object(Request))
at call_user_func(object(Closure), object(Request)) in Pipeline.php line 102
at Pipeline->then(object(Closure)) in Kernel.php line 122
at Kernel->sendRequestThroughRouter(object(Request)) in Kernel.php line 87
at Kernel->handle(object(Request)) in index.php line 53

Steps to reproduce:
After filling in the email settings, click Save.
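The argument dump in the trace above shows `env_content` assembled from the whole process environment (request headers, cookies, PHP build variables), and the entry `'key' => 'argv', 'value' => array()` is the array that triggers "Array to string conversion" when it is concatenated into a line. As an added example, not Tipask's code, the writer below only emits an allow-list of known configuration keys, skips any non-scalar value, quotes values safely and replaces the file atomically; the key list, function names and file path are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not Tipask's own code. Builds .env text from an allow-list
// of keys so request headers, cookies and array-valued entries such as argv
// (the value behind the "Array to string conversion" above) are never
// written into the file. The key list and paths are assumptions.

const ENV_ALLOWED_KEYS = [
    'APP_ENV', 'APP_DEBUG', 'APP_KEY',
    'DB_HOST', 'DB_PORT', 'DB_DATABASE', 'DB_USERNAME', 'DB_PASSWORD', 'DB_PREFIX',
    'MAIL_DRIVER', 'MAIL_HOST', 'MAIL_PORT', 'MAIL_USERNAME', 'MAIL_PASSWORD',
    'MAIL_ENCRYPTION', 'MAIL_FROM_ADDRESS', 'MAIL_FROM_NAME', 'MAIL_OPEN',
];

/**
 * Quote a value for a KEY=value line. Plain tokens stay bare; anything with
 * whitespace, quotes, '#', '$' or a backslash is double-quoted with escapes.
 */
function envQuote(string $value): string
{
    if ($value === '' || preg_match('/[\s"\'#$\\\\]/', $value)) {
        return '"' . addcslashes($value, "\"\\\$") . '"';
    }
    return $value;
}

/**
 * Return .env text for the allow-listed keys present in $env. Unknown keys,
 * nulls and non-scalar values (arrays, objects) are skipped; booleans are
 * rendered as true/false.
 */
function buildEnvContent(array $env, array $allowedKeys = ENV_ALLOWED_KEYS): string
{
    $lines = [];
    foreach ($allowedKeys as $key) {
        if (!array_key_exists($key, $env)) {
            continue;
        }
        $value = $env[$key];
        if (is_bool($value)) {
            $value = $value ? 'true' : 'false';
        } elseif ($value === null || !is_scalar($value)) {
            continue; // e.g. argv => array(): never concatenated, never written
        }
        $lines[] = $key . '=' . envQuote((string) $value);
    }
    return implode("\n", $lines) . "\n";
}

/**
 * Write atomically: render to a temp file beside the target, set 0600, then
 * rename, so a crash mid-write cannot leave a truncated or world-readable .env.
 */
function writeEnvFile(string $path, array $env): void
{
    $tmp = $path . '.tmp.' . getmypid();
    if (file_put_contents($tmp, buildEnvContent($env), LOCK_EX) === false) {
        throw new RuntimeException("cannot write $tmp");
    }
    chmod($tmp, 0600);
    if (!rename($tmp, $path)) {
        unlink($tmp);
        throw new RuntimeException("cannot replace $path");
    }
}

// Constructed sample with the shape of the failing input: form values merged
// with the process environment, including a cookie and the array-valued argv.
$sample = [
    'APP_ENV'     => 'local',
    'APP_DEBUG'   => true,
    'DB_HOST'     => 'db',
    'DB_PASSWORD' => 'p4ss word#1',
    'MAIL_HOST'   => 'smtp.example.com',
    'HTTP_COOKIE' => 'laravel_session=should-not-be-written',
    'argv'        => [],
];
echo buildEnvContent($sample);
```

Running the sample prints only the five allow-listed keys, with `DB_PASSWORD="p4ss word#1"` quoted; `HTTP_COOKIE` and `argv` are dropped rather than causing an error.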

Personal suggestion: keep all imported third-party libraries together in one place

Referring to PR #5, I personally suggest putting all imported third-party libraries together under the /public/static/libs directory, for example:
To include cropper from https://github.com/fengyuanchen/cropper:
The Cropper image-cropping library consists of two files:
CSS: cropper.min.css
JS: cropper.min.js
Create a cropper directory under /public/static/libs, put the two files (cropper.min.css and cropper.min.js) into it, and then include each of them separately:
CSS include

JS include <script src="{{ asset('/static/libs/cropper/cropper.min.js') }}"></script>

The benefit of doing this is that it avoids:
CSS files appearing under the /public/static/js directory
JS files appearing under the /public/static/css directory

Error at the last step of installation

SQLSTATE[HY000] [1044] Access denied for user ''@'localhost' to database 'forge' (SQL: select * from ask_settings where (`name` = website_name) limit 1)

(3/3) QueryException SQLSTATE[HY000] [1044] Access denied for user ''@'localhost' to database 'forge' (SQL: select * from ask_settings where (name = website_name) limit 1)

in Connection.php line 664
at Connection->runQueryCallback('select * from ask_settings where (name = ?) limit 1', array('website_name'), object(Closure))in Connection.php line 624
at Connection->run('select * from ask_settings where (name = ?) limit 1', array('website_name'), object(Closure))in Connection.php line 333
at Connection->select('select * from ask_settings where (name = ?) limit 1', array('website_name'), true)in Builder.php line 1963
at Builder->runSelect()in Builder.php line 1951
at Builder->Illuminate\Database\Query{closure}()in Builder.php line 2435
at Builder->onceWithColumns(array(''), object(Closure))in Builder.php line 1952
at Builder->get(array(''))in Builder.php line 481
at Builder->getModels(array(''))in Builder.php line 465
at Builder->get(array(''))in BuildsQueries.php line 77
at Builder->first()in Builder.php line 361
at Builder->firstOrNew(array('name' => 'website_name'))in Builder.php line 395


I'm using BT Panel (宝塔) with PHP 7.2 and followed the official video installation tutorial step by step, but the last step just won't succeed. I'm out of ideas; how can this be solved? Thanks.

Also, what is this 'forge' database in database 'forge' used for?

[pr wanted] Improve file storage (avatars, attachments)

This is a preparation issue for a Pull Request.
Improvements to file storage (avatars, attachments):

  • Support configuring FILE_SYSTEM (S3, Tencent Cloud COS or Alibaba Cloud OSS) and obtaining the public access URL of files
  • Avatar upload
  • Avatar retrieval
  • Attachment image upload
  • Attachment image retrieval
  • Admin attachment upload
  • Admin attachment retrieval

Help: the following error appears after installing the latest version

[2021-06-28 22:19:54] local.ERROR: Argument 1 passed to str_contains() must be of the type string, null given, called in /var/www/html/QA/app/Models/Setting.php on line 56 {"exception":"[object] (Symfony\Component\Debug\Exception\FatalThrowableError(code: 0): Argument 1 passed to str_contains() must be of the type string, null given, called in /var/www/html/QA/app/Models/Setting.php on line 56 at /var/www/html/QA/vendor/symfony/polyfill-php80/bootstrap.php:29)
[stacktrace]
#0 /var/www/html/QA/app/Models/Setting.php(56): str_contains(NULL, ' ')

After the email is verified it still says: you have not bound an email yet

Version: tipask 3.3 (same with 3.2)
Environment: Ubuntu 16.04 + Nginx 1.12.2 + PHP 7.2.5
Problem description: after the user's email is verified successfully, the front-end email settings page still shows: "You have not bound an email yet; after binding you can log in with your email address."

Error on the admin home page

The earlier `$paymentChart` in the code was deleted, but the later code that still uses it was not, causing an error on the admin home page.

```php
return view("admin.index.index")->with(compact('totalUserNum','totalQuestionNum','totalArticleNum','totalAnswerNum','userChart','questionChart','systemInfo','paymentChart'));
```
