Happy purchase: XSS hijacking of arbitrary users + loose access control

Source: Internet
Author: User

Happy purchase has a blind stored XSS, and user login access permissions are not strictly controlled, so the login can be bypassed directly.
1. XSS hijacking of arbitrary users, first URL: 3g.happigo.com/yijian.php (product feedback). The feedback content is stored without any filtering, so XSS code submitted as feedback executes. In the hijacked data we can see the management background address and the user's cookie.

2. XSS hijacking of arbitrary users, second URL: m.happigo.com/user/myword.php. The message content is not filtered, resulting in XSS. The process is the same as for the first URL and is not described again.

3. Loose control of user login access permissions. With the XSS above we hijack users' cookies and log in directly. Now look at another hijacked item: the user's login URL, http://m.happigo.com/help.php?search_key=&pno=2&uid=1286052&acckey=eQeFTlnkKzn91nqPAX15aSnOAf5xOwxf. The uid and acckey are carried in the address. Once these two parameters of a user's login URL are hijacked, visiting the URL logs us in as that user directly, with no need for the user's cookie. Here is a hijacked user logged in directly with the acckey. The two users hijacked above are emerald and platinum members, and their accounts hold a lot of points and happy points.

4. Hazard analysis.

Hazards of the XSS:
1. The customer service or administrator background address and login cookie information can be hijacked directly.
2. The login credential of any user and the login cookie can be hijacked directly through the message center.
3. In this way an attacker can hijack any user.

Hazards of the loose control of user login access permissions:
1. No user name or password is needed and no login cookie is needed: as long as the uid and acckey are hijacked, the account can be logged into directly.
2. The accounts hold a lot of points, happy points, discount points and interest cards, which can be exchanged for goods.
3. The login account information, address information and order status of these users can be modified directly.
4. Because of the heavy traffic, the login cookies and credentials of more than 200 users were hijacked in two days. The leakage of such a large amount of user information is itself a major problem.
5. It is declared that, because of the heavy traffic, many senior users were hijacked, but no user information was changed and no illegal operations were performed.
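The two feedback forms above fail for the same reason: stored text is written into the page without encoding, and the session cookie is readable by whatever script ends up there. The following is an added illustration, not code from the report or from the site: it contrasts a vulnerable render with an output-encoded one, parses the result the way a browser would to show what reached the HTML parser, and builds a session cookie with the flags that keep it out of reach of injected script. The feedback strings, the `li` template and the cookie name are constructed for the example.

```python
from __future__ import annotations

import html
from html.parser import HTMLParser
from http.cookies import SimpleCookie

# Constructed sample submissions to a product-feedback form. The first is
# ordinary text; the other two carry markup that would execute if the page
# rendered the stored text verbatim, which is the defect the report describes.
SAMPLE_FEEDBACK = [
    "Delivery was fast, thanks",
    "<script>alert(1)</script>",
    '<img src=x onerror="alert(1)">',
]


def render_feedback_vulnerable(feedback: str) -> str:
    # The behaviour reported for the feedback pages: stored text is
    # concatenated into the page, so any tags inside it become part of the DOM.
    return f'<li class="feedback">{feedback}</li>'


def render_feedback_safe(feedback: str) -> str:
    # Encode for the HTML text context at output time. html.escape turns
    # < > & " ' into entities, so the browser displays the text instead of
    # parsing it as tags or attributes.
    return f'<li class="feedback">{html.escape(feedback, quote=True)}</li>'


class _TagCollector(HTMLParser):
    """Records every start tag and every on* event-handler attribute seen."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []
        self.handlers: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.handlers.extend(name for name, _ in attrs if name.startswith("on"))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)


def active_content(rendered: str, allowed=("li",)) -> tuple[list[str], list[str]]:
    # Parse the fragment as a browser would and report any tag or event
    # handler that reached the HTML parser beyond the template's own tags.
    parser = _TagCollector()
    parser.feed(rendered)
    parser.close()
    return [t for t in parser.tags if t not in allowed], parser.handlers


def session_cookie_header(session_id: str) -> str:
    # Cookie flags that limit what a script injected through XSS can reach:
    # HttpOnly keeps document.cookie from exposing the session id, Secure
    # keeps it off plaintext HTTP, SameSite=Lax limits cross-site sending.
    cookie = SimpleCookie()
    cookie["sid"] = session_id
    cookie["sid"]["httponly"] = True
    cookie["sid"]["secure"] = True
    cookie["sid"]["samesite"] = "Lax"
    cookie["sid"]["path"] = "/"
    return cookie.output(header="").strip()


if __name__ == "__main__":
    for text in SAMPLE_FEEDBACK:
        print("vulnerable:", active_content(render_feedback_vulnerable(text)))
        print("safe:      ", active_content(render_feedback_safe(text)))
    print(session_cookie_header("constructed-session-id"))
```

Encoding belongs at output time and must match the context (text, attribute, URL, script); `html.escape` covers the text and quoted-attribute contexts used here. HttpOnly does not stop XSS itself, but it removes the cookie from what an injected script can read, which is exactly the data the report shows being hijacked.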
Solution:

1. Filter user input.
2. Control user login verification permissions.
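The second fix needs more than "control permissions": a uid plus a fixed acckey in a URL is a bearer password that never expires, so anyone who captures it (through XSS, a Referer header or a server log) can replay it. The following added example, not code from the report or from the site, models that static-key login beside a hardened replacement in which the login credential is HMAC-signed over the uid, an expiry and a nonce, is accepted once, and is rejected when expired, replayed, altered or presented for another uid. The server key, the 300-second lifetime and the uid 4242 are assumptions constructed for the example.

```python
from __future__ import annotations

import base64
import binascii
import hashlib
import hmac
import secrets
import time

# Assumptions for this example: a server-side secret that never leaves the
# backend, a short validity window, and a constructed user id.
SERVER_KEY = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 300
UID = 4242


class StaticAccessKeyLogin:
    """The pattern the report describes: each uid has one fixed acckey, and
    presenting uid+acckey logs the user in with no password, no session and
    no expiry, so anyone who captures the URL can reuse it indefinitely."""

    def __init__(self) -> None:
        self.keys: dict[int, str] = {}

    def issue(self, uid: int) -> str:
        return self.keys.setdefault(uid, secrets.token_urlsafe(24))

    def login(self, uid: int, acckey: str) -> bool:
        stored = self.keys.get(uid)
        return stored is not None and hmac.compare_digest(stored, acckey)


class ShortLivedTokenLogin:
    """Hardened replacement: tokens are HMAC-signed over uid, expiry and a
    nonce, expire after TOKEN_TTL_SECONDS, and are accepted exactly once."""

    def __init__(self, key: bytes = SERVER_KEY, ttl: int = TOKEN_TTL_SECONDS, now=time.time) -> None:
        self.key, self.ttl, self.now = key, ttl, now
        self.used: set[str] = set()  # a shared store in a real deployment

    def _sig(self, payload: bytes) -> str:
        return hmac.new(self.key, payload, hashlib.sha256).hexdigest()

    def issue(self, uid: int) -> str:
        exp = int(self.now()) + self.ttl
        payload = f"{uid}:{exp}:{secrets.token_hex(8)}".encode()
        return base64.urlsafe_b64encode(payload).decode() + "." + self._sig(payload)

    def login(self, uid: int, token: str) -> bool:
        try:
            encoded, sig = token.rsplit(".", 1)
            payload = base64.urlsafe_b64decode(encoded.encode())
            token_uid, exp, _nonce = payload.decode().split(":")
            exp_at = int(exp)
        except (ValueError, binascii.Error, UnicodeDecodeError):
            return False
        if not hmac.compare_digest(self._sig(payload), sig):
            return False  # forged or altered token
        if token_uid != str(uid) or exp_at < self.now() or token in self.used:
            return False  # wrong account, expired, or replayed
        self.used.add(token)
        return True


def demonstrate() -> dict[str, bool]:
    """Runs both schemes through the same events with a controllable clock."""
    clock = [1_700_000_000]
    weak = StaticAccessKeyLogin()
    acckey = weak.issue(UID)
    strong = ShortLivedTokenLogin(now=lambda: clock[0])
    token = strong.issue(UID)
    stale = strong.issue(UID)  # issued now, checked after the clock moves on
    altered = token[:-1] + ("0" if token[-1] != "0" else "1")
    results = {
        "weak_first_use": weak.login(UID, acckey),
        "weak_replay": weak.login(UID, acckey),
        "strong_first_use": strong.login(UID, token),
        "strong_replay": strong.login(UID, token),
        "strong_other_uid": strong.login(UID + 1, strong.issue(UID)),
        "strong_tampered": strong.login(UID, altered),
    }
    clock[0] += TOKEN_TTL_SECONDS + 1
    results["strong_expired"] = strong.login(UID, stale)
    results["weak_replay_later"] = weak.login(UID, acckey)
    return results


if __name__ == "__main__":
    for name, ok in demonstrate().items():
        print(f"{name:18} -> {'accepted' if ok else 'rejected'}")
```

Even a short-lived token should not be carried in a GET query string if it can be avoided, since URLs end up in logs and Referer headers; the point of the example is that expiry, single use and a server-side signature turn a captured credential into something that is worthless after one use or a few minutes, whereas the static acckey stays valid for as long as the account exists.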
