### Summary:
As in the title.
### Details:
PHPOK 4.0.556 is missing the encoding conversion for comment content.

```php
$content = $this->get("content",'html');
```

When the type is `html`, the only handling is:

```php
case 'html':$msg = preg_replace($tmp,'',$msg);break;
```

and `$tmp` is just this tag blacklist:

```php
$tmp = array("/<script(.*)<\/script>/isU","/<frame(.*)>/isU","/<\/fram(.*)>/isU","/<iframe(.*)>/isU","/<\/ifram(.*)>/isU","/<style(.*)<\/style>/isU","/<link(.*)>/isU","/<\/link>/isU");
```

which is far too weak: it strips a few tag names but leaves event-handler attributes untouched.

```html
<img src=x onerror=alert(1)>
```

Reviewing the comment triggers the alert.

[![p1.jpg](https://images.seebug.org/upload/201406/06034401ca982d14d7330886d4413d053c7de18a.jpg)](https://images.seebug.org/upload/201406/06034401ca982d14d7330886d4413d053c7de18a.jpg)

This can be used to obtain the cookies of users who view the product, as well as the administrator's cookie when the comment is reviewed in the backend.
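As an added example (not PHPOK's own code), the following PHP reproduces the blacklist filter quoted above, checks whether the report's payload survives it, and contrasts it with output encoding, which is the fix a reviewer would expect here; the function names are assumptions.

```php
<?php
// Added example, not code from PHPOK. Reproduces the `case 'html'` blacklist
// quoted in the report so the weakness can be checked in a regression test.
function phpok_html_filter(string $msg): string
{
    // The exact $tmp array from PHPOK 4.0.556 (typos such as "fram" included).
    $tmp = array("/<script(.*)<\/script>/isU","/<frame(.*)>/isU","/<\/fram(.*)>/isU",
                 "/<iframe(.*)>/isU","/<\/ifram(.*)>/isU","/<style(.*)<\/style>/isU",
                 "/<link(.*)>/isU","/<\/link>/isU");
    return preg_replace($tmp, '', $msg);
}

// Hardened handling: encode the comment for HTML output instead of stripping a
// fixed list of tag names. Every tag and attribute, including on* handlers,
// is rendered as literal text rather than interpreted by the browser.
function safe_comment(string $msg): string
{
    return htmlspecialchars($msg, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Detection check for a test suite: does the stored comment still contain a
// script tag or an on* event-handler attribute after filtering?
function contains_active_markup(string $html): bool
{
    return (bool) preg_match('/<script/i', $html)
        || (bool) preg_match('/<[^>]*\son[a-z]+\s*=/i', $html);
}

$comment = '<img src=x onerror=alert(1)>';   // the payload from the report

// The blacklist leaves the payload intact; the encoded form is inert.
var_dump(contains_active_markup(phpok_html_filter($comment)));
var_dump(contains_active_markup(safe_comment($comment)));
echo safe_comment($comment), "\n";
```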
### Proof of Vulnerability: