Section flood CMS XSS targeted attacks vulnerabilities, you can get any of the user Cookie-vulnerability warning-the black bar safety net

2013-05-20T00:00:00
ID MYHACK58:62201338865
Type myhack58
Reporter piaox@乌云
Modified 2013-05-20T00:00:00

Description

Brief description:

Section flood CMS XSSthe directional attack vulnerability, can get any user Cookie

Detailed description:

Section flood CMS provided by default member registration function, the members of Station Information within the module there is a storage-typeXSSvulnerabilities that can be exploited this vulnerability to the administrator to send a message, once opened can be caught, the test section Rezin multiple versions, the basic existence of this vulnerability.

1, Station inside letter to first give yourself a test, prove that the vulnerability exists

!

Vulnerability to prove:

Next is the vulnerability to prove

1, The use of the station within the letter to the administrator sent a

!

2, The administrator logged in backend interface will display a letter of the new information, if curious about that?!.....

!

3, The dot dot dot

!

4, cookies to

!

Repair solutions:

1, and firmly close the member registration function

2, the backend login page how deep how deep

3, the login authentication code to modify