Road passenger Baba: plaintext password storage and retrieval of any password - Vulnerability warning - Black Bar Safety Net

ID MYHACK58:62201338344
Type myhack58
Reporter Anonymous
Modified 2013-04-17T00:00:00


Brief description:

Passwords stored in plain text plus a cross-site scripting worm, you know.

Detailed description:

Register on Road passenger Baba and send a message, with the following test code as the message content:

</textarea><script>alert(document.cookie)</script>

I registered two accounts, xxoo_2013 and xxoo_2014, with the password 123456, one as sender and one as receiver, and the effect is as shown:


In the cookies obtained, the password is found stored in plain text:


For example: cdb_back[txtloginname]=xxoo_2013; cdb_back[txtPassword]=123456;

This can be exploited for covert worm propagation, with the results then received by an XSS platform. Worm details were not tested.

Because Road passenger Baba has a recharge function, the harm is still there.
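The two findings above map to two server-side fixes, sketched here as an added example that is not part of the original report or the site's own code: escape message text before placing it in the textarea, and audit Set-Cookie headers for credential values and missing HttpOnly. The function names, the template shape and the sample headers are assumptions constructed for illustration; only the payload and the cookie name come from the report.

```python
import html
import re

# Test payload from the report, used here only as input to the renderers.
PAYLOAD = "</textarea><script>alert(document.cookie)</script>"

def render_message_vulnerable(body: str) -> str:
    # Hypothetical template: message text is pasted in as-is, so the
    # "</textarea>" in the body closes the element and the script runs.
    return "<textarea readonly>" + body + "</textarea>"

def render_message_safe(body: str) -> str:
    # Escape <, >, & and quotes so the text stays inside the textarea.
    return "<textarea readonly>" + html.escape(body, quote=True) + "</textarea>"

# Cookie names that suggest a credential is being stored client-side.
SENSITIVE_NAME = re.compile(r"pass(word|wd)?|pwd", re.IGNORECASE)

def audit_set_cookie(header_value: str) -> list[str]:
    """Return findings for one Set-Cookie header value."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    findings = []
    if SENSITIVE_NAME.search(name) and value:
        findings.append(f"{name}: credential-like value stored in cookie")
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly, readable via document.cookie")
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure")
    return findings

# Constructed sample headers; the first is modelled on the cookie in the report.
SAMPLE_HEADERS = [
    "cdb_back[txtPassword]=123456; path=/",
    "sid=CONSTRUCTED_OPAQUE_TOKEN; Path=/; HttpOnly; Secure",
]

if __name__ == "__main__":
    print(render_message_vulnerable(PAYLOAD))
    print(render_message_safe(PAYLOAD))
    for header in SAMPLE_HEADERS:
        print(header, "->", audit_set_cookie(header) or "ok")
```

HttpOnly only limits script access to the cookie; the password should not be placed in a cookie at all, and the session should be carried by an opaque server-side token.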