The blacklist is causing trouble.
In the reply box there is an editor. That editor lets you edit the HTML source directly, so my first thought was: there must be XSS here.
Sure enough, but at the beginning of the test,
<script>alert (1) </script>
and
were both found unable to execute the JS code.
So I went to http://html5sec.org/ to find some less common payloads to test.
When testing: <form id= "test" ></form><button form= "test" formaction= "Javascript:alert (1)" >x</button >
, I was surprised to find that it was not filtered at all. As shown in the figure, it triggers after a click.
Of course, this still requires a click, and not everyone who reads the reply will click. So how can the success rate of the XSS be raised?
Don't worry.
On http://html5sec.org/ there are still plenty of payloads to use. For example:
<input Onfocus=alert (1) autofocus> triggers as soon as the page is opened (effective in IE10, Chrome and Firefox 4.5).
Besides this one, there are many others that depend on the browser; I did not test them one by one, and just use this one as proof of the harm.
So we can cast a wide net.
Proof of the flaw: it is worth mentioning that with <input Onfocus=alert (1) autofocus>, although onfocus only runs a short piece of JS, don't forget we still have eval. One can construct <input onfocus=eval ("Here's the code we want to execute") autofocus>
to complete the attack. The constructed JS is as follows:
When users visit this post, they become the victims.
I won't try it any further. I hope the PHPCMS team will also pay attention to this problem.
Fix:
The editor filters on a blacklist. If you really want to keep the edit-source function open, whitelist filtering is recommended. Otherwise it is best to turn the edit-source feature off, because you have no idea which payloads an attacker will use that your blacklist has never heard of.
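To make the blacklist-versus-whitelist point concrete, here is an added illustration (not PHPCMS code, and not part of the original report). It runs a typical blacklist filter and a tag/attribute whitelist sanitizer over the three payloads quoted above; the whitelist itself is a constructed minimal example, and the sanitizer is built on Python's standard `html.parser`.

```python
"""Blacklist vs. whitelist filtering for a rich-text editor (added example)."""
import re
from html import escape
from html.parser import HTMLParser

# Payloads are the ones quoted in the report (constructed sample input).
PAYLOADS = [
    '<script>alert(1)</script>',
    '<form id="test"></form><button form="test" formaction="javascript:alert(1)">x</button>',
    '<input onfocus=alert(1) autofocus>',
]


def blacklist_filter(html: str) -> str:
    """A typical blacklist: strip <script> blocks and a handful of known event handlers.
    Anything the author never thought of (formaction, onfocus, ...) passes through."""
    html = re.sub(r"<\s*script\b[^>]*>.*?<\s*/\s*script\s*>", "", html, flags=re.I | re.S)
    html = re.sub(r"\s(onclick|onload|onerror|onmouseover)\s*=\s*(\"[^\"]*\"|'[^']*'|\S+)",
                  "", html, flags=re.I)
    return html


# Constructed whitelist: only these tags survive, only these attributes on them.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "a", "ul", "ol",
                "li", "blockquote", "code", "pre"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
VOID_TAGS = {"br"}
# href must be http(s), mailto or site-relative; javascript: and data: never match.
SAFE_URL = re.compile(r"^(https?://|mailto:|/)", re.I)


class WhitelistSanitizer(HTMLParser):
    """Rebuilds the document from scratch, keeping only whitelisted tags/attributes.
    Unknown tags are dropped but their text content is kept (HTML-escaped)."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.stack = []  # currently open allowed tags, so output stays well-formed

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # e.g. <script>, <form>, <button>, <input> all vanish here
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # event handlers, formaction, autofocus, ... never qualify
            value = (value or "").strip()
            if name == "href" and not SAFE_URL.match(value):
                continue  # refuse javascript:/data: and other unknown schemes
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag not in self.stack:
            return  # closing tag for a dropped or never-opened element
        while self.stack:  # close anything left open inside it, then the tag itself
            open_tag = self.stack.pop()
            self.out.append(f"</{open_tag}>")
            if open_tag == tag:
                break

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

    def result(self) -> str:
        self.close()
        while self.stack:  # close tags the author left open
            self.out.append(f"</{self.stack.pop()}>")
        return "".join(self.out)


def whitelist_sanitize(html: str) -> str:
    parser = WhitelistSanitizer()
    parser.feed(html)
    return parser.result()


if __name__ == "__main__":
    for payload in PAYLOADS:
        print("input     :", payload)
        print("blacklist :", repr(blacklist_filter(payload)))
        print("whitelist :", repr(whitelist_sanitize(payload)))
        print()
```

Run it and the difference is visible at once: the blacklist removes the `<script>` payload but returns the `formaction` and `onfocus`/`autofocus` payloads untouched, exactly the bypass described above, while the whitelist reduces all three to inert text ("alert(1)", "x", and nothing). Legitimate markup such as a paragraph with an `https://` link survives intact, which is what makes the whitelist approach usable for an editor that must keep some HTML.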
There is also a reflected XSS here, by the way:
http://118.244.225.145/index.php?m=ask&c=team&a=team_list&order=team_point&catid=& Belong=team&name= "><SCRIPT>ALERT%281%29<%2FSCRIPT>