1. Sensitive information leakage from a discarded project;
2. XSS on the Mi Chat (Miliao) promotion site;
3. Nginx parsing vulnerability on the Xiaomi promotion site;
4. Multiple design defects that allow brute-force attacks on accounts;
Detailed description:
First, I state that this test was conducted without the consent of Xiaomi Technology.
1. res.api.miui.com sensitive information leakage; this appears to be an obsolete project.
http://res.api.miui.com/index.php
The site runs on the Yii framework and exposes the absolute path of the web root.
2. tg.miliao.com XSS
http://tg.miliao.com/index.php?action=member-achieve&mainmenuid=200&submenuid=201&act=provinceProvince&bind_type=0&begin_date=2012-02-01&end_date=2012-03-01">
3. The Nginx in front of munion.xiaomi.com has the Nginx/PHP parsing vulnerability: a request for a static file with a ".php" suffix appended to its path is handed to PHP.
http://munion.xiaomi.com/static/images/android.gif/x.php
Although no upload point was found, the risk is not small.
In addition, one related finding on a third-party domain; check whether that party needs to be notified:
http://b.lanteanstudio.com/phpfolder/src/in/report/logview/logview.php?filename=4477270_201111__20111110140150.html&path=miliao
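The misconfiguration behind finding 3 and the corresponding fix, shown as an added example that is not part of the original report and not munion.xiaomi.com's actual configuration; the server name, web root and PHP-FPM address are assumptions.

```nginx
# Weak: a regex location hands every URI ending in .php to PHP-FPM, whether or
# not that script exists. With PHP's default cgi.fix_pathinfo=1, a request for
# /static/images/android.gif/x.php matches here, PHP cannot find x.php, walks the
# path back to android.gif and executes that file as PHP code.
server {
    listen 80;
    server_name example.internal;        # assumed placeholder
    root /var/www/html;                  # assumed placeholder

    location ~ \.php$ {
        fastcgi_pass 127.0.0.1:9000;     # assumed PHP-FPM address
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

# Hardened: refuse the request unless the requested script really exists on
# disk, so a path such as /x.gif/x.php never reaches PHP-FPM at all.
server {
    listen 80;
    server_name example.internal;
    root /var/www/html;

    location ~ \.php$ {
        try_files $uri =404;             # the key line
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

# Defence in depth on the PHP side, so the server stays safe even if the
# nginx configuration regresses:
#   php.ini:        cgi.fix_pathinfo = 0
#   php-fpm pool:   security.limit_extensions = .php
```

Note that `try_files $uri =404` also rejects legitimate PATH_INFO URLs such as /index.php/extra; an application that relies on those should keep `security.limit_extensions` as the primary control instead.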
4. In multiple places no restriction is applied to business requests, which allows brute-force attacks on accounts (not verified).
A. http://m.miliao.com/account/del
If the account has no email bound, it is cancelled outright!
B. http://m.miliao.com/active/telrate/login
C. http://m.miliao.com/activity/mcdonalds
D. http://munion.xiaomi.com/ is also susceptible to brute force.
E. http://passport.xiaomi.com/user/chgpass/username/mongotarget} allows brute force and password reset.
Solution:
1. Take deprecated projects offline.
2. Validate user input and HTML-entity-encode output to prevent XSS.
3. Upgrade your Nginx or install patches.
4. Improve security awareness, even on the mobile site.
5. You are more professional than me; the above is for reference only.
Author: Vi0lent