Cmseasy stored XSS without logon (bypasses 360's filter)
Cmseasy allows users who are not logged on to reply in the bbs, but the user name of the reply is read from the COOKIE, which creates a security problem:
/bbs/ajax.php
```php
<?php
require_once 'bbs_public.php';
if (!defined('ROOT')) exit('can\'t access!');

// Temporarily allow users to comment without logging on!
// Verify user login (related operations)
// $admin = new action_admin();

if (isset($_POST['reply'])) {
    if (!isset($_POST['verify']) || strtolower(trim($_POST['verify'])) != strtolower($_SESSION['verify'])) {
        echo -1; // -1 indicates that the verification code is incorrect!
        // exit();
    }
    $data = array();
    $_POST['content'] = unescape($_POST['content']);
    $_POST['content'] = xss_clean($_POST['content']);          // POST body is cleaned ...
    $data['aid']      = isset($_POST['aid']) ? intval($_POST['aid']) : exit(0);
    $data['tid']      = isset($_POST['tid']) ? intval($_POST['tid']) : 0;
    $data['content']  = isset($_POST['content']) ? $_POST['content'] : exit(0);
    $data['username'] = isset($_COOKIE['username']) ? $_COOKIE['username'] : ''; // ... but the cookie is stored as-is
    // $data['userid'] = $admin->userid;
    $data['addtime']  = mktime();
    $data['ip']       = $_SERVER['REMOTE_ADDR'];
    $reply = db_bbs_reply::getInstance();
    $r = $reply->inserData($data);
}
```
This is the reply-handling code.
Note the line `$data['username'] = isset($_COOKIE['username']) ? $_COOKIE['username'] : '';`.
In bbs_public.php and xss.php Cmseasy strictly filters $_GET and $_POST for XSS, but it never processes the $_COOKIE variable; $_COOKIE['username'] is therefore stored directly as the user name of the reply, resulting in a stored XSS.
As for 360, it does not process XSS in the cookie either; it only filters for injection.
Without logging on, reply to a bbs post and intercept the request in the middle:
For example, change the username field of the cookie to an XSS payload.
Visiting the post then shows the following prompt:
Solution:
Filter cookies the same way $_GET and $_POST are filtered before using them.
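The hardened form of the username handling, as an added example that is not Cmseasy's own code: the cookie value is validated against an allow-list on input (in place of the missing xss_clean() step), and the stored value is HTML-encoded again on output. safe_username() and render_reply() are hypothetical names, and the allow-list rule is an assumption about what a user name may contain.

```php
<?php
// Added example, not CmsEasy's code. Two independent layers:
//  1. Input: the cookie is validated, not trusted, mirroring the
//     xss_clean() step the original applies only to $_POST['content'].
//  2. Output: the stored value is HTML-encoded when rendered, so a value
//     that reached the database by another path still cannot run as script.

function safe_username(array $cookie, int $maxLen = 20): string
{
    if (!isset($cookie['username'])) {
        return '';
    }
    $name = trim($cookie['username']);
    // Allow-list (assumed rule): letters, digits and underscore only.
    // A value containing '<', '>' or quotes is rejected outright rather
    // than "cleaned", so there is nothing for a filter to miss.
    if ($name === '' || mb_strlen($name) > $maxLen
        || !preg_match('/^[\p{L}\p{N}_]+$/u', $name)) {
        return '';
    }
    return $name;
}

function render_reply(array $row): string
{
    // Output encoding: database content is untrusted at render time too.
    $user = htmlspecialchars($row['username'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $body = htmlspecialchars($row['content'],  ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<div class="reply"><b>' . $user . '</b>: ' . $body . '</div>';
}

// Constructed sample input: a normal cookie next to a tampered one.
$cookies = [
    ['username' => 'alice_01'],
    ['username' => '<script>alert(1)</script>'],
];
foreach ($cookies as $c) {
    // Same shape as $data in /bbs/ajax.php, but with the cookie validated.
    $data = ['username' => safe_username($c), 'content' => 'hi <b>there</b>'];
    echo render_reply($data), PHP_EOL;
}
```

The tampered cookie yields an empty user name, and even if the allow-list were loosened later, render_reply() would still emit the markup as inert text.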