### 简要描述:
前台过滤不严,绕过防护跨站
### 详细说明:
再次发现phpyunCMS存储型跨站2枚,可能存在多处
漏洞代码位于
/phpyun/friend/model/index.class.php
第一处是:
function save_action()//xss
{
if($this->uid=='')
{
$this->obj->ACT_layer_msg( "请先登录!", 8);
}
if(trim($_POST['title'])=="")
{
$this->obj->ACT_layer_msg( "标题不能为空!", 8);
}
$data['title']=$_POST['title'];
$data['cid']=(int)$_POST['cid'];
$data['content']=str_replace("&","&",html_entity_decode($_POST['content'],ENT_QUOTES,"GB2312"));
$data['uid']=$this->uid;
$data['add_time']=time();
$n_ids=$this->obj->insert_into("question",$data);
if($n_ids)
{
$nickname=$this->obj->DB_select_once("firend_info","`uid`='".$this->uid."'","`nickname`");
$gourl= $this->aurl(array("url"=>"c:content,id:".$n_ids));
$sql['uid']=$this->uid;
$sql['content']="发布了问答《<a href=\"".$gourl."\" target=\"_blank\">".$_POST['title']."</a>》。";
$sql['ctime']=time();
$this->obj->insert_into("friend_state",$sql);
$gourl= $this->aurl(array("url"=>"c:index"));
$this->obj->ACT_layer_msg( "提问成功!",9,$gourl);
}else{
$this->obj->ACT_layer_msg( "提问失败!", 8);
}
}
第二处:
function answer_action()//xsssss
{
$gourl= $this->aurl(array("url"=>"c:content,id:".$_GET['id']));
if($_POST['content'])
{
$q_title=$this->obj->DB_select_once("question","`id`='".(int)$_GET['id']."'","`uid`,`title`,`content`");
if($q_title['uid']==$this->uid)
{
$content = str_replace("&","&",html_entity_decode("<br/>追加内容:<br/>".$_POST['content'],ENT_QUOTES,"GB2312"));
$content=$q_title['content'].$content;
$id=$this->obj->update_once("question",array("content"=>$content),array("id"=>(int)$_GET['id']));
if($id)
{
$this->obj->ACT_layer_msg( "提问追加成功!",9,$gourl);
}else{
$this->obj->ACT_layer_msg( "提问追加失败!",8,$gourl);
}
}else{
$data['qid']=(int)$_GET['id'];
$data['content']=str_replace("&","&",html_entity_decode($_POST['content'],ENT_QUOTES,"GB2312"));
$data['uid']=$this->uid;
$data['comment']=0;
$data['support']=0;
$data['oppose']=0;
$data['add_time']=time();
$id=$this->obj->insert_into("answer",$data);
if($id)
{
$this->obj->DB_update_all("question","`answer_num`=`answer_num`+1","id='".(int)$_GET['id']."'");
$state_content = "回答了问答《<a href=\"".$gourl."\" target=\"_blank\">".$q_title['title']."</a>》。";
$this->addstate($state_content);
$this->obj->ACT_layer_msg( "回答成功!", 9,$gourl);
}else{
$this->obj->ACT_layer_msg( "回答失败!", 8);
}
}
}else{
$this->obj->ACT_layer_msg( "内容不能为空!", 2);
}
}
两处代码的漏洞都在于$_POST['content']变量并没有进行良好的过滤,直接写入数据库中,虽然phpyun有其他的防护拦截,但是依旧可以绕过,绕过代码
<a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD4=">test<a>
或者<iframe src=”http://www.baidu.com”>tt</iframe>
验证:
第一处代码对应的功能是“我要提问”
如图:
[<img src="https://images.seebug.org/upload/201408/211350388b119a701fb47cf3fe3d38b208db64fb.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201408/211350388b119a701fb47cf3fe3d38b208db64fb.png)
然后查看“我的问题”
[<img src="https://images.seebug.org/upload/201408/21135052501c935c191416058f3978b3dad4dfa8.png" alt="2.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201408/21135052501c935c191416058f3978b3dad4dfa8.png)
点击test触发弹框
第二处在追加(回答)问题处
[<img src="https://images.seebug.org/upload/201408/21135123b2eadca719774354ce558c870f2a5c43.png" alt="3.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201408/21135123b2eadca719774354ce558c870f2a5c43.png)
提交后可见
[<img src="https://images.seebug.org/upload/201408/21135146eff46994871134320e456bb865f35a93.png" alt="4.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201408/21135146eff46994871134320e456bb865f35a93.png)
验证完毕。
经过我对代码的粗略阅读,phpyunCMS中大量存在类似的缺陷代码,对应的功能我没有详细挖掘,肯定的是存储型跨站绝对不止这两处,希望厂商能对代码整体进行修复。
### 漏洞证明:
详见说明
京公网安备 11010502034610号
暂无评论