ThinkSAAS latest version XSS 2

2015-03-30T00:00:00
ID SSV:94314
Type seebug
Reporter Root
Modified 2015-03-30T00:00:00

Description

Brief description:

Details:

\app\group\action\add.php

```php
// Handle post submission
case "do" :

    if ($_POST ['token'] != $_SESSION ['token']) {
        tsNotice ( '非法操作!' );
    }

    $authcode = strtolower ( $_POST ['authcode'] );

    if ($TS_SITE ['base'] ['isauthcode']) {
        if ($authcode != $_SESSION ['verify']) {
            tsNotice ( "验证码输入有误,请重新输入!" );
        }
    }

    $groupid = intval ( $_POST ['groupid'] );
    $title = trim( $_POST ['title'] ); // Key point: the title is not filtered.

```
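The handler above stores `$_POST['title']` with only `trim()` applied, so any markup in the title reaches whichever page later prints it. The following is an added example, not ThinkSAAS code: `clean_title()` and `h()` are hypothetical helpers, and the `<a>` template is an assumption because the page does not show the rendering code. It prints the same stored title raw and with output encoding.

```php
<?php
// Added example, not ThinkSAAS code. Helper names and the <a> template are
// hypothetical; the sample titles are constructed. Needs PHP 7+ and mbstring.

// Input side: normalise the title before it is stored. This bounds what is
// kept, but it is the output encoding below that stops markup from executing.
function clean_title(string $raw, int $maxLen = 64): string
{
    $title = trim($raw);
    // Drop ASCII control characters; preg_replace returns null on invalid UTF-8.
    $title = preg_replace('/[\x00-\x1F\x7F]/u', '', $title) ?? '';
    return mb_substr($title, 0, $maxLen, 'UTF-8');
}

// Output side: encode for HTML text and quoted-attribute contexts.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed stand-ins for $_POST['title'].
$samples = [
    'Weekend hiking plan',
    '<script>alert(1)</script>',
    '"><b>breaks out of the attribute</b>',
];

foreach ($samples as $posted) {
    $stored = clean_title($posted); // value that would be written to the database

    // Raw output, as happens when the title is printed unfiltered.
    $unsafe = '<a title="' . $stored . '">' . $stored . '</a>';

    // Encoded output: the browser shows the characters instead of parsing them.
    $safe = '<a title="' . h($stored) . '">' . h($stored) . '</a>';

    echo "stored: {$stored}\nunsafe: {$unsafe}\nsafe:   {$safe}\n\n";
}
```

Encoding has to be applied at every place the title is printed, including list views such as the one where the report triggers the issue.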

Proof of vulnerability:

Log in as account 1111, go to Groups, and publish a post.

<img src="https://images.seebug.org/upload/201503/2620344577affe4cb34c7794db58c2fa88201abc.png" alt="20.png" width="600">

Log in as another account, admin, which is in the same group as account 1111, and open My Community to trigger the vulnerability:

<img src="https://images.seebug.org/upload/201503/26203508e9bb3dcb21982a509dd09d6e135d49da.png" alt="21.png" width="600">

<img src="https://images.seebug.org/upload/201503/262035194941e0c1c6a16f67356c044d5cdda34b.png" alt="22.png" width="600">