Kinfedge issues

Results 3 issues of


                                            Kinfedge

Stored XSS of PAGE control

![图片](https://user-images.githubusercontent.com/33534676/63797670-1db27980-c93b-11e9-81ad-60247b4d8dc5.png) ![图片](https://user-images.githubusercontent.com/33534676/63797672-1ee3a680-c93b-11e9-9848-76bc0e4d351e.png) ![图片](https://user-images.githubusercontent.com/33534676/63797683-230fc400-c93b-11e9-904e-b872e7f5af9c.png) ![图片](https://user-images.githubusercontent.com/33534676/63797692-26a34b00-c93b-11e9-92ff-8fe047096bda.png) ![图片](https://user-images.githubusercontent.com/33534676/63797700-2acf6880-c93b-11e9-99a3-caf29afd7bea.png) The vunerbility is founded in laracms v1.0.1. Hackers can inject a script in the place where the page is managed. It's content accept all user...

存储型XSS漏洞1

![图片](https://user-images.githubusercontent.com/33534676/63648382-9362ed80-c761-11e9-8a30-fab441c72a5e.png) 如图进入内容管理页面，查看内容列表，随意挑选一个内容进行编辑（测试中编辑“招聘结算主管”这一条）在内容编辑处，输入任意脚本内容（测试输入alert("test")），同时选择输入内容点击插入链接，,并在链接处输入script，如上图。 ![图片](https://user-images.githubusercontent.com/33534676/63648415-27cd5000-c762-11e9-8ae8-ae31349f5aa0.png) 然后完成编辑，点击提交按钮 ![图片](https://user-images.githubusercontent.com/33534676/63648425-416e9780-c762-11e9-8661-05b59fe0a9e8.png) ![图片](https://user-images.githubusercontent.com/33534676/63648437-5a774880-c762-11e9-85cd-042adb72c86d.png) 使用相关工具，拦截提交的请求，并将提交的alert("test")的URL编码替换为alert("test")的URL编码 ![图片](https://user-images.githubusercontent.com/33534676/63648489-05880200-c763-11e9-9839-c2939a8b9f72.png) ![图片](https://user-images.githubusercontent.com/33534676/63648490-091b8900-c763-11e9-83b0-9b248275bde1.png) 提交请求到服务器，此时对应脚本已写入数据库中。 ![图片](https://user-images.githubusercontent.com/33534676/63648505-441dbc80-c763-11e9-8b89-bf1f4fddf5a8.png) ![图片](https://user-images.githubusercontent.com/33534676/63648507-47b14380-c763-11e9-9528-46f2d4f65b0a.png) 任意用户访问该页面，都会执行插入的脚本，测试中则是弹出“test”提示框。修复建议：对插入的超链接请求在服务器端也做编码和过滤。

Security-Cleartext Transmission of Sensitive Information

![图片](https://user-images.githubusercontent.com/33534676/63633834-0cd6df00-c681-11e9-8f43-19e31b628f8f.png) ![图片](https://user-images.githubusercontent.com/33534676/63633846-44458b80-c681-11e9-9a16-d10de7875c54.png) ![图片](https://user-images.githubusercontent.com/33534676/63633851-67703b00-c681-11e9-9fcc-8fb6fb8803ac.png) ![图片](https://user-images.githubusercontent.com/33534676/63633882-d5b4fd80-c681-11e9-996b-950e76cb173c.png) The software transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors. So please encrypt the data with...