Arbitrary File Download and xss vulnerability in Sohu job center

1. Any File Download Vulnerability in the resume to add attachments, attachments uploaded after the attachment is http://hr.sohu.com/backend.php/interface/getdoc? Path = file/src/2012-09-21/xxx.doc&name=xxx.docx the backend program does not validate the path, causing any files on the server to be downloaded (within the permitted range of permissions ). 2. The stored XSS vulnerability editing and pasting Resume function is used in the editor. However, many tags that can trigger xss vulnerabilities are not processed and xss vulnerabilities can be triggered.
1, Arbitrary File Download Vulnerability download/etc/passwd, through the following URL: http://hr.sohu.com/backend.php/interface/getdoc? Path =.../etc/passwd&name=passwd.txt download nginx configuration file, through the following URL: http://hr.sohu.com/backend.php/interface/getdoc? Path =.../../usr/local/nginx/conf/nginx. conf & name = nginx. conf can also download files in the WEB directory. 2. Stored XSS vulnerabilities
Select the source code in the editor and enter </textarea> <iframe/onload = alert (1)> <textarea> the following URL can trigger the xss vulnerability, however, this vulnerability seems to be only valid for you and does not know whether the problem will occur during background editing. Http://hr.sohu.com/resume/addpaste? Rid = 467486 & lid = 1 & uid = 434627 & talentTypeId = 20 & id = 467486 & op = add & jid = 0

Solution:

To sum up, all input and output are harmful and require strict checksum filtering.