YXcms可打后台xss

2014-07-22T00:00:00
ID SSV:95932
Type seebug
Reporter Root
Modified 2014-07-22T00:00:00

Description

简要描述:

过滤不严格,xss可打后台。

详细说明:

// Input side, as quoted by the advisory: Protected/member/controller/inforController.php
// Member self-service profile edit. GET renders the form; POST stores the submitted
// profile fields. The POST branch is where the unfiltered email value enters the
// members table (see comment on $data['email'] below).
public function index() {
    if(!$this->isPost()){
        $auth=$this->auth;
        $id=$auth['id'];   // GET branch: record is selected by the session identity
        $info=model('members')->find("id='{$id}'");
        $this->info=$info;
        // NOTE(review): this literal looks rewritten by the page scraper (an absolute
        // image-host URL appended to __ROOT__) — verify against the upstream source.
        $this->path=__ROOT__.'https://images.seebug.org/upload/member/image/';
        $this->twidth=config('HEAD_W');
        $this->theight=config('HEAD_H');
        $this->display();
    }else{
        // NOTE(review): the POST branch keys the update on the posted id, not on
        // $this->auth['id'] as the GET branch does — confirm an ownership check
        // exists elsewhere (e.g. in the base controller); none is visible here.
        $id=intval($_POST['id']);
        // nickname passes through in() — presumably the framework's escaping/filter
        // helper; its behaviour is not shown on this page.
        $data['nickname']=in(trim($_POST['nickname']));
        // Uniqueness check relies entirely on in() having escaped the quotes.
        $acc=model('members')->find("id!='{$id}' AND nickname='".$data['nickname']."'");
        if(!empty($acc['nickname'])) $this->error('该昵称已经有人使用~');
        if (empty($_FILES['headpic']['name']) === false){
            $tfile=date("Ymd");   // per-day upload subdirectory
            $imgupload= $this->upload($this->uploadpath.$tfile.'/',config('imgupSize'),'jpg,bmp,gif,png');
            $imgupload->saveRule='thumb_'.time();
            $imgupload->upload();
            $fileinfo=$imgupload->getUploadFileInfo();
            $errorinfo=$imgupload->getErrorMsg();
            if(!empty($errorinfo)) $this->alert($errorinfo);
            else{
                if(!empty($_POST['oldheadpic'])){
                    // NOTE(review): oldheadpic is concatenated into the path with no
                    // normalisation or containment check; the unlink target should be
                    // confined to $this->uploadpath — verify how the template sets it.
                    $picpath=$this->uploadpath.$_POST['oldheadpic'];
                    if(file_exists($picpath)) @unlink($picpath);   // @ hides unlink() warnings
                }
                $data['headpic']=$tfile.'/'.$fileinfo[0]['savename'];
            }
        }
        // $_POST['email'] is stored verbatim: no in() filtering (unlike tel/qq below) and
        // no format validation. Because adminmember_edit.php later echoes this column
        // unescaped, this is the stored-XSS source the advisory describes. Mitigation:
        // validate with filter_var($_POST['email'], FILTER_VALIDATE_EMAIL) here and
        // escape with htmlspecialchars() at output regardless.
        $data['email']=$_POST['email'];
        $data['tel']=in($_POST['tel']);
        $data['qq']=in($_POST['qq']);
        model('members')->update("id='{$id}'",$data);   // persist to the members table
        $this->success('信息编辑成功~');
    }
}

// Output side, as quoted by the advisory: Protected/apps/member/controller/adminmemberController.php
// Admin-side member edit. GET loads the member row and renders adminmember_edit.php,
// which is where the stored email value reaches an admin's browser.
public function edit() {
    if(!$this->isPost()){
        // NOTE(review): $_GET['id'] is interpolated into the query without intval(),
        // unlike the member-side index() above; whether model()->find() escapes its
        // condition string is not shown here — confirm.
        $id=$_GET['id'];
        if(empty($id)) $this->error('参数错误');
        $info=model('members')->find("id='$id'");   // row read straight from the database
        $info['rrmb']=$info['rmb']-$info['crmb'];
        $group=model('memberGroup')->select("id !='1'","id,name");
        // $select is appended to without being initialised first (undefined-variable
        // notice on the first iteration). Group names from the DB are also inlined
        // into the <option> markup without escaping.
        foreach ($group as $val) {
            $select.=($val['id']==$info['groupid'])?"<option selected='selected' value='{$val['id']}'>{$val['name']}</option>":"<option value='{$val['id']}'>{$val['name']}</option>";
        }
        $this->select=$select;
        $this->info=$info;
        $this->display();   // renders Protected/apps/member/view/adminmember_edit.php
    }else{
        // 。。。。 — POST branch omitted by the advisory
    }
}
<!-- Sink, as quoted by the advisory: Protected/apps/member/view/adminmember_edit.php -->
<tr>
    <td align="right">邮箱:</td>
    <!-- {$info['email']} is written into the value attribute with no escaping, so whatever
         was stored by inforController::index() is rendered as-is in the admin's browser.
         Escape at output (htmlspecialchars with ENT_QUOTES) independently of any input
         filtering — output encoding is the control that closes this sink. -->
    <td><input type="text" name="email" value="{$info['email']}"></td>
    <td class="inputhelp"></td>
</tr>
<!-- Advisory note: output is emitted directly without filtering (直接输出没有过滤) -->

漏洞证明:

<img src="https://images.seebug.org/upload/201407/212315223cf04f5404accffa6410c8c9d720b705.png" alt="图片4.png" width="600" onerror="javascript:errimg(this);">

管理会员信息时,显示email

<img src="https://images.seebug.org/upload/201407/21231534734b01f75b4d3cc4ce15a1a9dcb81e07.png" alt="图片5.png" width="600" onerror="javascript:errimg(this);">