A brief look at the Baidu Tieba (post bar) title XSS vulnerability [Fixed]

2008-07-14T00:00:00
ID MYHACK58:62200819665
Type myhack58
Reporter Anonymous
Modified 2008-07-14T00:00:00

Description

Source: 80sex

First, see http://www.80sec.com/charset-xss.html :)

This vulnerability behaves differently in different browsers. Under GBK-family (GBKXX) encodings, Firefox recognizes the illegal character and treats it as a half-width byte followed by a single quote!

But IE does not; IE treats it as a double-byte character.

So if we post a thread whose title looks like [0xc1]');alert(1)// it may cause problems. In the JS that Baidu Tieba outputs, this can no longer be turned into a bug: Baidu detects the illegal wide-byte character case and applies stripslashes processing, removing the escape character "\". As follows:

function ResetReplyTitle(no, title) { if(no == null||no == ""){ if(title == null || title == '') title_src = 'xx?); alert(1)//'

Here the ? is [0xc1]'!!!!

The problem is solved there, but another place was overlooked: the event-handler output in reply posts:

<a href="#sub" class=t onclick="ResetReplyTitle('1','xx infallible');alert(1);// ');">reply to this statement</a>

The "infallible" above is [0xc1]\, which here has become [0xc1] + '!!

All that can be said is that Baidu's programmers handled this vulnerability too sloppily: they patched the east wall but did not patch the west wall.
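Why byte-level escaping leaves the quote free in a GBK page, and a charset-aware alternative for the onclick argument, as an added example (not code from the original post or from Baidu). It assumes the server adds backslashes on raw bytes before the page is read as GBK; the function names are hypothetical and the benign title is constructed.

```python
import html

def naive_escape(raw: bytes) -> bytes:
    # Assumed server behaviour: addslashes-style escaping applied to raw bytes.
    return raw.replace(b"\\", b"\\\\").replace(b"'", b"\\'")

def quote_survives(raw: bytes, charset: str = "gbk") -> bool:
    # Read the escaped bytes as a GBK-aware parser would, then look for
    # a single quote that has no backslash in front of it.
    text = naive_escape(raw).decode(charset, errors="replace")
    i = 0
    while i < len(text):
        if text[i] == "\\":
            i += 2          # skip the escaped character
        elif text[i] == "'":
            return True     # [0xc1] absorbed the backslash as its trail byte
        else:
            i += 1
    return False

def js_string_escape(text: str) -> str:
    # Escape decoded characters, not bytes: everything that is not a
    # letter or digit becomes \uXXXX (one escape per UTF-16 code unit).
    out = []
    for ch in text:
        if ch.isalnum():
            out.append(ch)
        else:
            u = ch.encode("utf-16-be")
            out.extend("\\u%02x%02x" % (u[i], u[i + 1]) for i in range(0, len(u), 2))
    return "".join(out)

def safe_onclick_arg(raw: bytes, charset: str = "gbk") -> str:
    # Strict decode rejects malformed input such as [0xc1]' up front;
    # the result is then escaped for a JS string and for the HTML attribute.
    text = raw.decode(charset)
    return html.escape(js_string_escape(text), quote=True)

ATTACK_TITLE = b"xx\xc1');alert(1)//"    # the title from the post, as bytes
BENIGN_TITLE = "标题's".encode("gbk")     # constructed sample

if __name__ == "__main__":
    print(quote_survives(ATTACK_TITLE))     # byte-level escaping fails
    print(safe_onclick_arg(BENIGN_TITLE))   # quote arrives as \u0027
```

The same output encoder has to be applied at every place the title is written, both the script block and the onclick attribute, which is the gap the post describes.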

PS: this is for whoever at Baidu follows up on the fix for this vulnerability, because I know you will come back to patch this problem too :)

Oh~point to reply to you eggplant:)

http://tieba.baidu.com/f?kz=435106360