The latest Discuz fix is incomplete: stored XSS against the administrator is still possible
The new version closes the injection points reported in http://wooyun.org/bugs/wooyun-2010-099979.
However, through an oversight by the developer, the patched code still contains an exploitable BBCode conversion that leads to XSS.
The detailed vulnerability analysis is given in http://wooyun.org/bugs/wooyun-2010-099979. The root cause is that the bbcode2html() function in /static/js/bbcode.js converts BBCode to HTML with regular-expression replacements, so a payload can be constructed that turns into XSS when the editor renders the content.
Diffing bbcode.js between the version before and the version after the update shows the change (the diff was given as a screenshot in the original report and is not reproduced here).
Note that although the vendor now filters the payload reported in http://wooyun.org/bugs/wooyun-2010-099979, the regular-expression replacement for the [email] tag (the part highlighted in red in that diff) still produces XSS: the tag body is substituted into an HTML attribute without quotes being escaped.
The new payload format is [email]2"onmouseover="alert(2)[/email]
Use the payload as post content or as a comment. When an administrator or another authorized user edits a post or comment containing the payload, the editor converts the BBCode to HTML and the onmouseover handler triggers JavaScript execution.
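The following is an added illustration, not the code from Discuz's bbcode.js (which is not reproduced on this page): a minimal bbcode2html-style [email] replacement in the vulnerable shape the report describes, next to a hardened version. The regular expressions, the helper names (bbcode2htmlVulnerable, bbcode2htmlHardened, escapeHtml, hasEventHandler) and the address pattern are assumptions for the example; the vendor's actual regex may differ.

```javascript
// Added example, not Discuz code. Models a bbcode2html()-style [email] tag
// conversion: the vulnerable form interpolates the tag body straight into
// href="..." and the text node, so a double quote closes the attribute and
// anything after it becomes new attributes (onmouseover here).
function bbcode2htmlVulnerable(str) {
  return str.replace(/\[email\](.*?)\[\/email\]/gi,
    '<a href="mailto:$1">$1</a>');
}

// Hardened form: escape everything placed into markup, and only produce a
// mailto link when the body looks like an address (pattern is an assumption;
// a real implementation can use a stricter validator). Non-matching input
// is left as escaped text rather than turned into HTML.
function escapeHtml(s) {
  return s.replace(/&/g, '&amp;')
          .replace(/</g, '&lt;')
          .replace(/>/g, '&gt;')
          .replace(/"/g, '&quot;')
          .replace(/'/g, '&#39;');
}

const EMAIL_RE = /^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/;

function bbcode2htmlHardened(str) {
  return str.replace(/\[email\](.*?)\[\/email\]/gi, (whole, addr) => {
    if (!EMAIL_RE.test(addr)) {
      return escapeHtml(whole);
    }
    const safe = escapeHtml(addr);
    return `<a href="mailto:${safe}">${safe}</a>`;
  });
}

// Quick check for an injected event-handler attribute in rendered HTML.
// Browsers accept an attribute directly after a closing quote with no
// space, so the handler may be preceded by " or ' rather than whitespace.
function hasEventHandler(html) {
  return /["'\s]on[a-z]+\s*=/i.test(html);
}

// The payload from the report, as constructed sample input.
const PAYLOAD = '[email]2"onmouseover="alert(2)[/email]';

// Stand-alone demonstration.
console.log(bbcode2htmlVulnerable(PAYLOAD));
console.log(hasEventHandler(bbcode2htmlVulnerable(PAYLOAD)));  // true
console.log(bbcode2htmlHardened(PAYLOAD));
console.log(hasEventHandler(bbcode2htmlHardened(PAYLOAD)));    // false
```

The vulnerable conversion renders the payload as `<a href="mailto:2"onmouseover="alert(2)">…</a>`; the HTML parser tolerates the missing space after the quoted href value and treats onmouseover as a second attribute, which is exactly what fires when the administrator hovers over the link in the editor. The hardened version never emits the handler because the body fails the address check and is escaped as plain text.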
Solution:
Filter the [email] tag body in bbcode2html() before it is inserted into HTML: escape double quotes (and other attribute-breaking characters) or reject values that are not a valid address, so the regex replacement cannot create new attributes.