/supershell/log/xxxx.js 可以泄露用户名信息 #37
Comments
|
另外希望大佬研究下 自动生成随机用户名和随机密码和jwt 类似于宝塔面板用户名那种 |
|
漏洞和建议反馈已收到,此漏洞之前也被@zjx师傅反馈过,后续会修复 |
location ~* ^/supershell/log/.*.js$ { |
那个太简单了,自己折腾折腾一下吧!没难度 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
`white_list = ['js', 'css', 'png', 'svg', 'jpg', 'jpeg']
@log_view.route('/supershell/log/path:name', methods=['GET'])
def log(name):
'''
访问日志
'''
return render_template('log.html',
supershell_version=supershell_version_dict['version'],
year=supershell_version_dict['info'][supershell_version_dict['version']]['mtime'].split('-')[0],
username=user,
name=name)`
此处可未授权访问 导致用户名泄露 导致溯源和爆破难度减小
The text was updated successfully, but these errors were encountered: