Search...

thinksaas最新版xss2

2015-03-30T00:00:00
ID SSV:94314
Type seebug
Reporter Root
Modified 2015-03-30T00:00:00

Description

简要描述:

详细说明:

\app\group\action\add.php

``` // 执行发布帖子 case "do" :

    if ($_POST ['token'] != $_SESSION ['token']) {
        tsNotice ( '非法操作!' );
    }

    $authcode = strtolower ( $_POST ['authcode'] );

    if ($TS_SITE ['base'] ['isauthcode']) {
        if ($authcode != $_SESSION ['verify']) {
            tsNotice ( "验证码输入有误,请重新输入!" );
        }
    }

    $groupid = intval ( $_POST ['groupid'] );
    $title = trim( $_POST ['title'] );//重点在这里,没有过滤题目。

```

漏洞证明:

登录1111账号-小组-发布帖子。

<img src="https://images.seebug.org/upload/201503/2620344577affe4cb34c7794db58c2fa88201abc.png" alt="20.png" width="600" onerror="javascript:errimg(this);">

登录另一账号与1111账号在同一小组的admin---我的社区 触发漏洞:

<img src="https://images.seebug.org/upload/201503/26203508e9bb3dcb21982a509dd09d6e135d49da.png" alt="21.png" width="600" onerror="javascript:errimg(this);">

<img src="https://images.seebug.org/upload/201503/262035194941e0c1c6a16f67356c044d5cdda34b.png" alt="22.png" width="600" onerror="javascript:errimg(this);">

JSON Vulners Source
Initial Source


All product names, logos, and brands are property of their respective owners. All company, product and service names used in this website are for identification purposes only. Use of these names, logos, and brands does not imply endorsement.If you are an owner of some content and want it to be removed, please mail to content@vulners.com Vulners, 2018
Protected by