Discuz 2 0 1 5 0 6 0 9 version stored XSS vulnerability repair bypass report-vulnerability warning-the black bar safety net

ID MYHACK58:62201569914
Type myhack58
Reporter 佚名
Modified 2015-12-10T00:00:00


Author: RickGray

Date: 2015-12-09

Before 2015-03-07)the clouds had reported the Discuz full version storage-DOM XSS that can be hit, the administrator attached to the Discuz official development 4 pit&validation script on, but in the Discuz version 2015-06-09 of repair it because the repair is not full cause the vulnerability can still be triggered.

First, the principle analysis

Discuz in the user comments provided at the post administrators to edit comments feature, since the front end JS code improper handling led to a maliciously constructed of the comment content through the interaction after the formation of the XSS. The following by a payload of the debugging process to explain the vulnerability of the forming process.

First, in the comments to submit comments on the content: [email = 2 "onmouseover=" alert ( 2 ) ] 2 [ / email ]


Since the server for the quotes, etc. are filtered, so after the submission, the view source will find that the quotes have to be entity encoded.


For the average user-submitted comment, an administrator or moderator has the right for their comments to management.


When the management or the moderators for user reviews click Management, front-end JS code on the beginning of process, pop up a edit box for the management or the moderators operate. In the JS code to handle the process, first obtain the user reviews the content, The code in the current page:


And the $ ( ) function prototype is located in the /static/js/common.js in:


Use the native document . getElementById ( ) function to get the page of the corresponding object, where the access is marked with id = ” e _ textarea” object, which corresponds to the value of user reviews for the content.


And since the JS native function of reason, is the server back-end to escape the quotation marks will be re-rendered back to the quotes:


Get to id = ” e _ textarea” object, The code for the browser to be a judgment, and assigns the result to variable var wysiwyg to.

On the page, another JS code to determine a variable wysiwyg value, and then start rendering the edit box:


Where the use of the Firfox browser for testing, the front surface of wysiwyg the value of the variable is 1, It will execute the following code:

newEditor(1, bbcode2html(textobj. value))

newEditor(1,bbcode2html(textobj. value))

Wherein textobj. value is: [email = 2 "onmouseover=" alert ( 2 ) ] 2 [ / email ] (through the document. getElementById() gets the object parsing the entity encoding

During newEditor ( ) when the incoming content using the function bbcode2html ( ) to encode the filter, its function prototype is located in the /static/js/bbcode.js the following is Discuz the program supports shortcode processing part of the code.


The program matches its support of the shortcode and then regular replacement of the corresponding front end of the formatting code, so the second test of the payload for the [ email = 2 ” onmouseover = ” alert ( 2 ) ] 2 [ / email], so the figure marked red the code will get executed.

str = str. replace(/[email=(. [^[])](.?)\ [\/email]/ig, '<a href="mailto:$1" target="_blank">$2</a>');

str=str. replace(/[email=(. [^[])](.?)\ [\/email]/ig,'<a href="mailto:$1" target="_blank">$2</a>');

After the regular match after the replacement, The str value will become: < a href = "mailto:2" onmouseover ="alert(2)" target = "_blank" > 2 < / a >:

[1] [2] [3] next