yourphp is an open-source CMS built on the ThinkPHP framework, and it has a stored XSS vulnerability.
The vulnerability was found in the official demo of the CMS; to make the report convincing, the XSS process is demonstrated on that official demo.
The official demo runs at http://demo5.yourphp.cn and uses yourphp version 2.1, but the latest release, yourphp 2.2, has the same problem.
The problem is in the online message function.
http://demo5.yourphp.cn/index.php?m=Guestbook&a=index&id=1 9
Proof of vulnerability:
The online message (guestbook) form is submitted. Because a message in this CMS is only displayed on the foreground after an administrator has reviewed it, the XSS code is hidden below a large number of empty lines (carriage returns), so a slightly careless administrator will approve it during the backend review. See below:
1. Submit a message, hiding the XSS code in the message content below many empty lines.
2. During the backend review the hidden content is easily overlooked and the message slips through.
Because this is the demo site, the vendor has not changed the backend password, so the backend operations can be shown here. Backend address:
http://demo5.yourphp.cn/admin.php
Username and password are both: yourphp
3. Success.
Fix:
Filter the message content.
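As an added example (not code from yourphp itself), the two changes a defender would make to the guestbook path: normalise the submitted text so a payload cannot be pushed out of the reviewer's sight behind a wall of empty lines, and entity-encode the content wherever it is rendered, in the admin review page as well as the foreground. Function names and the sample message are assumptions for illustration.

```php
<?php
// Added example, not yourphp's own code. Function names are hypothetical.

/**
 * Normalise a submitted guestbook message before storing it:
 * unify line endings, strip trailing blanks, collapse runs of empty
 * lines to at most one, and cap the length. The reviewer then sees the
 * whole message instead of a harmless first line followed by 40 blank ones.
 */
function normalize_guestbook_message(string $raw, int $maxLen = 2000): string
{
    $text = str_replace(["\r\n", "\r"], "\n", $raw);   // CRLF / CR -> LF
    $text = preg_replace('/[ \t]+\n/', "\n", $text);    // trailing spaces/tabs
    $text = preg_replace('/\n{3,}/', "\n\n", $text);    // max one empty line in a row
    $text = trim($text);
    return mb_substr($text, 0, $maxLen, 'UTF-8');
}

/**
 * Render a message for HTML output. Guestbook content is plain text, so
 * every HTML-significant character is entity-encoded and only then are
 * newlines turned into <br>. Use this in BOTH the foreground template and
 * the backend review page: the reviewer's browser sees the content first.
 */
function render_guestbook_message(string $text): string
{
    $escaped = htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return nl2br($escaped, false);
}

// Constructed sample: a friendly line, 40 empty lines, then hidden markup.
$submitted = "Nice site!" . str_repeat("\r\n", 40) . "<script>/* hidden */</script>";

$stored = normalize_guestbook_message($submitted);   // markup now visible right below line 1
echo render_guestbook_message($stored), "\n";        // <script> is emitted as &lt;script&gt;
```

Escaping on output is the part that actually closes the XSS; the normalisation only removes the trick that got the payload past review.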