HuaZhong (华众) system stored XSS vulnerability gives easy access to the admin backend, affecting thousands of hosting service providers - Vulnerabilities and early warning - Black Bar Safety Net

ID MYHACK58:62201442123
Type myhack58
Reporter 猫七@乌云
Modified 2014-02-03T00:00:00


Brief description:

An XSS vulnerability was discovered in the HuaZhong (华众) hosting management system, affecting thousands of hosting service providers.

Detailed description:

XSS vulnerabilities in HuaZhong, WinIIS and XingWai (星外) have been demonstrated many times, and presumably they have all been fixed by now.

But I believe I am the first to find the HuaZhong vulnerability below.

I spent a few yuan on Taobao for a month of paid hosting space, confirmed that it ran the HuaZhong system, and then tested whether this problem exists. The program should be the latest version, 6.5.

Vulnerability proof:

1. Spend a few yuan on Taobao to buy a hosting space that runs the HuaZhong system.

2. Once the host is bought, go to Advanced Management. Any input box will do; I tested the online decompress (unzip) function. Enter the following (the input filter only removes the single quote `'`):

<img src=1.gif onerror=alert("x");>


3. The panel reports that the operation failed. In fact it succeeded. Wait patiently; if you are in a hurry, you can contact the seller and tell them that online decompress is not working...

4. As soon as the seller opens the operation log in the backend, the payload fires and we have succeeded.

5. Permissions obtained:


I am a law-abiding citizen and have reported the vulnerability to the seller. The seller gave me a permanent 5G of space, awesome...

Hung it on the domain name...

Repair solutions:

HTML-encode user-supplied characters before they are written into pages such as the operation log, rather than only stripping single quotes on input. I later tested WinIIS and XingWai as well; they should also be fine.
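The following is an added example, not code from the report or from the HuaZhong product: a constructed stand-in for the hosting panel shows why the quote-only input filter described above does not help (the payload uses double quotes and is logged even though the unzip "fails"), and how escaping every field at output time renders the stored entry inert. All class and function names here are hypothetical.

```python
import html
from dataclasses import dataclass, field

# The payload quoted in the report. It contains no single quote, so a filter
# that only strips ' leaves it untouched.
PAYLOAD = '<img src=1.gif onerror=alert("x");>'


def filter_single_quotes(value: str) -> str:
    """The input filter the report describes: only the ' character is removed."""
    return value.replace("'", "")


@dataclass
class HostPanel:
    """Constructed stand-in for the hosting panel (hypothetical, not the real
    product): the unzip action fails, but the operation log still records the
    user-supplied archive name, which is what makes the XSS stored."""
    operation_log: list = field(default_factory=list)

    def online_unzip(self, user: str, archive: str) -> bool:
        archive = filter_single_quotes(archive)
        # Logged before any outcome check: the failure message hides the fact
        # that the value was persisted.
        self.operation_log.append((user, "online_unzip", archive))
        return False  # the operation itself fails, as observed in the report


def render_log_unsafe(log) -> str:
    """Vulnerable rendering: log fields are concatenated straight into HTML,
    so the admin's browser executes the stored payload."""
    rows = "".join(f"<tr><td>{u}</td><td>{a}</td><td>{d}</td></tr>"
                   for u, a, d in log)
    return f"<table>{rows}</table>"


def render_log_safe(log) -> str:
    """Fixed rendering: every field is HTML-escaped at output time, so the
    payload is displayed as text instead of being parsed as markup."""
    rows = "".join(
        f"<tr><td>{html.escape(u)}</td><td>{html.escape(a)}</td>"
        f"<td>{html.escape(d)}</td></tr>"
        for u, a, d in log)
    return f"<table>{rows}</table>"


if __name__ == "__main__":
    panel = HostPanel()
    panel.online_unzip("tenant", PAYLOAD)
    print(render_log_unsafe(panel.operation_log))  # contains live <img ...>
    print(render_log_safe(panel.operation_log))    # contains &lt;img ...&gt;
```

The escaped form also covers the `&`, `>` and `"` characters, which is why output encoding is the fix rather than a longer input blacklist.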