Section flood CMS XSS targeted attacks vulnerabilities, you can get any of the user Cookie-vulnerability warning-the black bar safety net

ID MYHACK58:62201338865
Type myhack58
Reporter piaox@乌云
Modified 2013-05-20T00:00:00


Brief description:

Section flood CMS XSSthe directional attack vulnerability, can get any user Cookie

Detailed description:

Section flood CMS provided by default member registration function, the members of Station Information within the module there is a storage-typeXSSvulnerabilities that can be exploited this vulnerability to the administrator to send a message, once opened can be caught, the test section Rezin multiple versions, the basic existence of this vulnerability.

1, Station inside letter to first give yourself a test, prove that the vulnerability exists


Vulnerability to prove:

Next is the vulnerability to prove

1, The use of the station within the letter to the administrator sent a


2, The administrator logged in backend interface will display a letter of the new information, if curious about that?!.....


3, The dot dot dot


4, cookies to


Repair solutions:

1, and firmly close the member registration function

2, the backend login page how deep how deep

3, the login authentication code to modify