Road passenger Baba: plaintext password storage and arbitrary password retrieval - Vulnerability warning - the black bar safety net

2013-04-17T00:00:00
ID MYHACK58:62201338344
Type myhack58
Reporter Anonymous
Modified 2013-04-17T00:00:00

Description

Brief description:

Passwords stored in plain text plus a cross-site scripting worm, you know

Detailed description:

Register on Road passenger Baba and send a message whose content is the following test code:

</textarea><script>alert(document.cookie)</script>

I registered two accounts, xxoo_2013 and xxoo_2014, with the password 1 2 3 4 5 6, one as the sender and one as the receiver. The effect is as shown:

[screenshot]

The obtained cookies turned out to store the password in plaintext:

[screenshot]

For example: cdb_back[txtloginname]=xxoo_2013; cdb_back[txtPassword]=1 2 3 4 5 6;

This can be exploited with a worm that propagates covertly, with an XSS platform then receiving the stolen data. The worm details were not tested.

Because Road passenger Baba has a recharge function, the harm is still there.
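The two fixes this report points to, shown from the defender's side as an added example that is not part of the original report or the site's code: encode message text before it is placed inside a textarea, and put only an opaque HttpOnly session token in the login cookie instead of the login name and password. The rendering functions, the `session` cookie name and the in-memory `SESSIONS` store are assumptions made for illustration.

```python
import html
import secrets
from http.cookies import SimpleCookie

# Constructed sample input: the test message from the report.
MESSAGE = "</textarea><script>alert(document.cookie)</script>"

def render_unsafe(body: str) -> str:
    # Assumed vulnerable pattern: message text pasted into the page as-is,
    # so a leading </textarea> closes the element and the rest runs as markup.
    return "<textarea readonly>" + body + "</textarea>"

def render_safe(body: str) -> str:
    # Encode &, <, > and quotes so the text cannot close the textarea.
    return "<textarea readonly>" + html.escape(body, quote=True) + "</textarea>"

SESSIONS = {}  # hypothetical server-side store: token -> login name

def issue_session_cookie(login_name: str) -> str:
    """Return a Set-Cookie value that carries only an opaque random token."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = login_name
    cookie = SimpleCookie()
    cookie["session"] = token
    cookie["session"]["httponly"] = True   # hidden from document.cookie
    cookie["session"]["secure"] = True     # sent over HTTPS only
    cookie["session"]["samesite"] = "Lax"
    cookie["session"]["path"] = "/"
    return cookie["session"].OutputString()

if __name__ == "__main__":
    print(render_unsafe(MESSAGE))
    print(render_safe(MESSAGE))
    print("Set-Cookie:", issue_session_cookie("xxoo_2013"))
```

With the token-only cookie, a script that does run in the page finds no credential to read, and the password never leaves the server-side credential check.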