startbbs is a free, open-source, light weight forum software package built with PHP and MySQL
Home Page: http://www.startbbs.com
#startbbs StartBBS是一个开源的轻量社区系统,界面优雅,代码简洁,小巧高效。V2.0基于thinkphp5.15和layui重构开发,核心框架成熟,学习成本低,易于二次开发,v1.x版得到了无数站长的认可和应用。尽管重构后的v2第一版功能简单,但这是我们一个新的开始,希望一起完善,再创辉煌。
产品特点:
开源轻量高效,易于二次开发。 自带文章模块,无需要再整合其它cms。 响应式布局,适配手机,平板、电脑。
环境要求: PHP >= 5.6.0 PDO MYSQL>=5.0
手册文档: https://www.kancloud.cn/startbbs/stb2_x/543147
QQ群:645590178(加群请注明startbbs)
您好:
我是360代码卫士的工作人员,在我们的开源项目代码检测过程中,发现startbbs存在host头攻击,攻击者可能利用此漏洞重置其他用户的密码。详细信息如下:
在startbbs/app/index/controller/User.php文件中
生成密码重置地址的url时,host头是通过$_SERVER['HTTP_HOST']获取的,而该参数受攻击者控制。
漏洞复现如下:
在找回密码处,构造如下http请求,将hots修改为攻击者控制的域
可以发现邮件受到的重置密码的邮件中url的host是我们刚刚修改后的域名:
当用户收到此邮件并访问该链接时
重置密码的凭证key将被攻击者获取。
现在看来是安装模块无法直接运行,想问下,如果不能通过安装程序安装的话,有没有办法手动生成数据库?数据库表结构又是什么样的呢?
防止重复刷登录积分的代码有BUG
$data = array(
'username' => $this->input->post('username', TRUE),
'password' => $this->input->post('password',TRUE)
);
if ($this->user_m->login($data)) {
$uid=$this->session->userdata('uid');
//更新积分
if(time()-@$data['myinfo']['lastlogin']>86400){
$this->config->load('userset');
$this->user_m->update_credit($uid,$this->config->item('credit_login'));
}刚给$data赋值,突然凭空调用$data['myinfo'].
修复一下吧
默认模板sidebar_new_users.php加载头像的地方,图片地址少了个normal.png,模板的install.php文件应该是加载common/header-meta
GET /index.php/node HTTP/1.1
Host: evilhostrGfCF6Iv.com
X-Forwarded-Host: www.jingxi.club
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*其中构造Host为恶意地址
如果网页上会访问$_SERVER['HOST']并以此拼接字符串,就可能被恶意利用
例如,该例返回的body里会有
...
<script type="text/javascript">
var baseurl='http://evilhostrGfCF6Iv.com/';
var siteurl='http://evilhostrGfCF6Iv.com/index.php';
var sitedomain='evilhostrgfcf6iv.com';
</script>
...后续访问会受到影响。
相同问题的地址还有:
/index.php/search
/index.php/tag
/index.php/user/findpwd
/index.php/user/login
/index.php/user/profile/1
/index.php/user/register
建议搜索源码以找到所有相似处,统一修改。可以用$_SERVER['SERVER_NAME']替代host
A PHP Error was encountered
Severity: Notice
Message: Undefined index: extension
Filename: controllers/upload.php
Line Number: 251
http://bbs.startbbs.com/home/search 这个页面,没有fix bug...
没有使用isset来判断变量
ryti
$this->load->config('qiniu'); //add
$this->load->view('edit', $data);
修改app/controller/forum.php 的edit函数最后一行, 增加上传设置判断语句
password_dohash一个直接md5的。哦,不会密码根本不会修改成功的,按照app/models/user_m.php#L53-L55写的,密码永远不会修改成功.config里帐号密码都写上了不提……空数据库安装install.php直接
SQLSTATE[42S02]: Base table or view not found: 1146 Table 'startbbs.stb_system' doesn't exist
System->getConfig() in Base.php line 12
也就是数据库没建甚至没写入实际的登录数据的时候就访问数据库去预加载数据库里的配置了……这整个顺序搞倒了啊……
composer.json也没见……那就是先得装完tp然后覆盖?文档上几乎什么都没有写……
还要手动刷新才行,容易让人以为没有发表成功
A PHP Error was encountered
Severity: Notice
Message: Only variable references should be returned by reference
Filename: core/Common.php
Line Number: 257
运行index.php时抛出的错误
I would like to help startsbb. I need to this English translation.
Is there any quick way I can translate this script into English?
Error Number: 1054
Unknown column 'credit' in 'field list'
SELECT uid, username, avatar, credit FROM (stb_users) WHERE uid = 0
Filename: /Users/hjue/Desktop/startbbs/core/MY_Controller.php
Line Number: 72
每登陆一次都会加一次积分,建议改成每天加一次,很容易刷积分,最好不是登陆操作加积分吧,因为保存了密码之后一般都不会登陆
最近用StartBBS搭了个社区网站。用WAS扫描,安全问题有一些。安全性我关注的比较多。特列出来跟大家一块商讨如何修改。
具体问题是这样
GET /index.php/user/login HTTP/1.1
Referer: 1" onmouseover=prompt(943202) bad="
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Cookie: stb_csrf_cookie=5682fef76efe2592520f01cb1fa0bb58; stb_session=UmYFZQ06V24GJ1ZxUToFYgQzVz9WcAMgBTIJewQhAjQBP1IyVFxXOFloAXkEPlcnVzdQN1U2UT0BJAA3A2YDYlM2WWkBNAA5UTAFagFhAzdSMgVqDWhXNgZtVjVRNwU1BGJXMFZmA2oFZwk8BGMCaQFhUmhUNldjWWoBeQQ%2BVydXN1A1VTRRPQEkADsDdwMMU2BZPAEzAC1RZQV4ASUDJ1I8BSwNNldlBm9WOFEiBWEEMVc1VnwDYQVkCTkEfAJuAWdSclQ6V2VZLgFgBHZXblc8UDRVPlElAXMAIQNiAyFTXlk5ATAAOlFuBX8BdAM%2BUnQFZQ09V2QGZFY4USIFHgRsV39WOwM%2FBTsJaQR9AmgBflJsVCNXeVlbATIEa1cwV2JQc1V3UScBSAAGAycDZVMvWWkBbAB%2FUVcFRAEBAzNSMwV2DSxXFQYsVnJRbAU2BFRXYFYwAxgFPgl8BH0CaAFjUmtULVdiWToBewQtVx9XRVBQVUlRSwEqAHIDawM6U2pZPQF3ABhRZQVoAT0DalIuBX8NT1c8Bi5WbVFtBTYELFc3VmoDfQVnCSYEYwJoAWBSbFQtV2dZPwF7BFZXNVdrUGVVdlFuASkAZwM0A2RTL1lrAWEAfVE7BXgBbAM0UjQFZQ0uVzgGPVZxUXQFDARiV2ZWJgM6BSEJYQQmAiQBclJnVGpXa1k9AW8EN1dlVz9QPFUwUTQBNgBiAzwDIFM7WWEBbQB9UXUFeAEzA3dSWAU7DW1XIAY9ViBROwUgBDlXNVZoA3EFdQkzBCECZwFjUmZUIVcoWXYBNgQnV29XflA%2BVTBRPQEkAGQDPwNnUzNZegFsACI%3D
Host: www.jingxi.club
Connection: Keep-alive
Accept-Encoding: gzip,deflate
Accept: */*<form accept-charset="UTF-8" action="http://www.jingxi.club/index.php/user/login?referer=1" onmouseover=prompt(943202) bad="" class="form-horizontal" id="new_user" method="post" novalidate="novalidate">实际风险:低,由于很难在浏览器里构造和择业的Referer:1" onmouseover=prompt(943202) bad="
过滤Referer
用所有版本试过,pdo也安装了·,
几年前就是这样,现在还是这样。
后台登陆密码验证现在是被注释掉了。
SQLSTATE[42S02]: Base table or view not found: 1146 Table 'startbbs.stb_hook' doesn't exist
$this->debug(false, '', $master);
// 返回结果集
return $this->getResult($pdo, $procedure);
} catch (\PDOException $e) {
if ($this->isBreak($e)) {
return $this->close()->query($sql, $bind, $master, $pdo);
}
throw new PDOException($e, $this->config, $this->getLastsql());
} catch (\Throwable $e) {
if ($this->isBreak($e)) {
return $this->close()->query($sql, $bind, $master, $pdo);
}
throw $e;
} catch (\Exception $e) {
if ($this->isBreak($e)) {
return $this->close()->query($sql, $bind, $master, $pdo);
Call Stack
in Connection.php line 699
at Connection->query('SHOW COLUMNS FROM s...', [], false, true) in Mysql.php line 90 at Mysql->getFields('stb_hook`') in Connection.php line 375
at Connection->getTableInfo('stb_hook', 'bind') in Connection.php line 452
at Connection->getFieldsBind('stb_hook') in Builder.php line 294
at Builder->buildWhere(object(Query), ['AND' => [['status', '=', 1]]]) in Builder.php line 266
at Builder->parseWhere(object(Query), ['AND' => [['status', '=', 1]]]) in Builder.php line 1048
at Builder->select(object(Query)) in Connection.php line 1371
at Connection->column(object(Query), ['name', 'status'], 'name') in Query.php line 608
at Query->column('status', 'name') in InitHook.php line 24
at InitHook->run()
at ReflectionMethod->invokeArgs(object(InitHook), []) in Container.php line 303
at Container->invokeMethod(['app\common\behavior...', 'run'], [null]) in Container.php line 341
at Container->invoke(['app\common\behavior...', 'run'], [null]) in Hook.php line 210
at Hook->execTag('app\common\behavior...', 'app_init', null) in Hook.php line 149
at Hook->listen('app_init') in App.php line 282
at App->initialize() in App.php line 402
at App->run() in install.php line 22
POST /index.php/user/findpwd HTTP/1.1
Content-Length: 92
Content-Type: application/x-www-form-urlencoded
Referer: http://www.jingxi.club:80/
Cookie: stb_csrf_cookie=5682fef76efe2592520f01cb1fa0bb58; stb_session=UmYFZQ06V24GJ1ZxUToFYgQzVz9WcAMgBTIJewQhAjQBP1IyVFxXOFloAXkEPlcnVzdQN1U2UT0BJAA3A2YDYlM2WWkBNAA5UTAFagFhAzdSMgVqDWhXNgZtVjVRNwU1BGJXMFZmA2oFZwk8BGMCaQFhUmhUNldjWWoBeQQ%2BVydXN1A1VTRRPQEkADsDdwMMU2BZPAEzAC1RZQV4ASUDJ1I8BSwNNldlBm9WOFEiBWEEMVc1VnwDYQVkCTkEfAJuAWdSclQ6V2VZLgFgBHZXblc8UDRVPlElAXMAIQNiAyFTXlk5ATAAOlFuBX8BdAM%2BUnQFZQ09V2QGZFY4USIFHgRsV39WOwM%2FBTsJaQR9AmgBflJsVCNXeVlbATIEa1cwV2JQc1V3UScBSAAGAycDZVMvWWkBbAB%2FUVcFRAEBAzNSMwV2DSxXFQYsVnJRbAU2BFRXYFYwAxgFPgl8BH0CaAFjUmtULVdiWToBewQtVx9XRVBQVUlRSwEqAHIDawM6U2pZPQF3ABhRZQVoAT0DalIuBX8NT1c8Bi5WbVFtBTYELFc3VmoDfQVnCSYEYwJoAWBSbFQtV2dZPwF7BFZXNVdrUGVVdlFuASkAZwM0A2RTL1lrAWEAfVE7BXgBbAM0UjQFZQ0uVzgGPVZxUXQFDARiV2ZWJgM6BSEJYQQmAiQBclJnVGpXa1k9AW8EN1dlVz9QPFUwUTQBNgBiAzwDIFM7WWEBbQB9UXUFeAEzA3dSWAU7DW1XIAY9ViBROwUgBDlXNVZoA3EFdQkzBCECZwFjUmZUIVcoWXYBNgQnV29XflA%2BVTBRPQEkAGQDPwNnUzNZegFsACI%3D
Host: www.jingxi.club
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
email=sample%40email.tst&stb_csrf_token=5682fef76efe2592520f01cb1fa0bb58&username[]=iwcdqtpj注意这里构造了body里的username[]
Error Number: 1054
Unknown column 'Array' in 'where clause'
SELECT `uid`, `email`, `password`, `group_type` FROM (`stb_users`) WHERE `username` = Array
Filename: /srv/www/htdocs/models/user_m.php
Line Number: 111风险:中
在默认环境下
define('ENVIRONMENT', 'development');
会爆出物理路径。
另外,不确定这里是否有sql注入
只处理username是字符串的情况
GET /index.php/home/getmore/xxx HTTP/1.1
Cookie: stb_csrf_cookie=5682fef76efe2592520f01cb1fa0bb58; stb_session=UmYFZQ06V24GJ1ZxUToFYgQzVz9WcAMgBTIJewQhAjQBP1IyVFxXOFloAXkEPlcnVzdQN1U2UT0BJAA3A2YDYlM2WWkBNAA5UTAFagFhAzdSMgVqDWhXNgZtVjVRNwU1BGJXMFZmA2oFZwk8BGMCaQFhUmhUNldjWWoBeQQ%2BVydXN1A1VTRRPQEkADsDdwMMU2BZPAEzAC1RZQV4ASUDJ1I8BSwNNldlBm9WOFEiBWEEMVc1VnwDYQVkCTkEfAJuAWdSclQ6V2VZLgFgBHZXblc8UDRVPlElAXMAIQNiAyFTXlk5ATAAOlFuBX8BdAM%2BUnQFZQ09V2QGZFY4USIFHgRsV39WOwM%2FBTsJaQR9AmgBflJsVCNXeVlbATIEa1cwV2JQc1V3UScBSAAGAycDZVMvWWkBbAB%2FUVcFRAEBAzNSMwV2DSxXFQYsVnJRbAU2BFRXYFYwAxgFPgl8BH0CaAFjUmtULVdiWToBewQtVx9XRVBQVUlRSwEqAHIDawM6U2pZPQF3ABhRZQVoAT0DalIuBX8NT1c8Bi5WbVFtBTYELFc3VmoDfQVnCSYEYwJoAWBSbFQtV2dZPwF7BFZXNVdrUGVVdlFuASkAZwM0A2RTL1lrAWEAfVE7BXgBbAM0UjQFZQ0uVzgGPVZxUXQFDARiV2ZWJgM6BSEJYQQmAiQBclJnVGpXa1k9AW8EN1dlVz9QPFUwUTQBNgBiAzwDIFM7WWEBbQB9UXUFeAEzA3dSWAU7DW1XIAY9ViBROwUgBDlXNVZoA3EFdQkzBCECZwFjUmZUIVcoWXYBNgQnV29XflA%2BVTBRPQEkAGQDPwNnUzNZegFsACI%3D
Host: www.jingxi.club
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
/index.php/home/getmore/xxx里的xxx为任意字符串
Error Number: 1064
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '-20, 20' at line 8
SELECT `a`.*, `b`.`username`, `b`.`avatar`, `c`.`username` as rname, `d`.`cname` FROM (`stb_topics` a) LEFT JOIN `stb_users` b ON `b`.`uid` = `a`.`uid` LEFT JOIN `stb_users` c ON `c`.`uid` = `a`.`ruid` LEFT JOIN `stb_nodes` d ON `d`.`node_id` = `a`.`node_id` WHERE `a`.`is_hidden` = 0 ORDER BY `ord` desc LIMIT -20, 20
Filename: /srv/www/htdocs/models/topic_m.php
Line Number: 54风险:中
在默认环境下
define('ENVIRONMENT', 'development');
会爆出物理路径。
另外,不确定这里是否有sql注入
尚未深入研究
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google ❤️ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.