This started with an injection vulnerability found in xweibo. That bug turned out to require administrator privileges, which is how it usually goes. While looking at it, however, something more interesting turned up.
Detailed description:
xweibo first implements a routing function, V(), that fetches user-submitted variables from the superglobals and hands them to the application:
    function V($vRoute, $def_v = NULL, $setVar = false) {
        static $v;
        if (empty($v)) { $v = array(); }
        $vRoute = trim($vRoute);
        // Force initialization value
        if ($setVar) { $v[$vRoute] = $def_v; return true; }
        if (!isset($v[$vRoute])) {
            // One-letter prefix selects the source array: C=cookie, G=get, P=post, R=request, F=files, S=server, E=env
            $vKey = array('C' => $_COOKIE, 'G' => $_GET, 'P' => $_POST, 'R' => $_REQUEST,
                          'F' => $_FILES, 'S' => $_SERVER, 'E' => $_ENV,
                          '-' => $GLOBALS[v_1__global_name]
            );
            if (empty($vKey['R'])) {
                $vKey['R'] = array_merge($_COOKIE, $_GET, $_POST);
            }
            // "P:uid" -> $m[1] = 'p' (source), $m[2] = 'uid' (key). The character class in the
            // extracted listing was garbled; it is reconstructed here to match the keys of $vKey.
            if (!preg_match("#^([cgprfse-])(?::(.+))?\$#sim", $vRoute, $m) || !isset($vKey[strtoupper($m[1])])) {
                trigger_error("Can't parse var from vRoute: $vRoute", E_USER_ERROR);
                return NULL;
            }
            // ... (omitted)
User operation functions are encapsulated in the action module, action.mod.php. Look at the action sendNotice:
    function sendNotice() {
        $nowTime = APP_LOCAL_TIMESTAMP;
        // All inputs come straight from POST via V(); nothing checks who is calling
        $sina_uid = V('P:uid', 0);
        $title = trim(V('P:title', ''));
        $content = trim(V('P:content', ''));
        $available_time = (int) V('P:available_time', $nowTime);
        // ... (omitted)
        $rst = DR('notice.sendNotice', '', $title, $content, $sina_uid, null, 0, $available_time);
        if (!empty($rst['errno'])) {
            APP::ajaxRst(false, $rst['errno'], $rst['err']);
            exit;
        } else {
            APP::ajaxRst(true, 0);
            exit;
        }
    }
There is no permission check at all. Now look at the function definition in the notice module:
    $send_all = $sina_uid == 0 ? true : false;   // whether to send the notice to every user on the site
    if (is_null($sina_uid)) {
        $sina_uid = array();
    } else if (!is_array($sina_uid)) {
        $sina_uid = (array) $sina_uid;
    }
    ......
    $data = array();
    $data['sender_id'] = $sender_id;
    $data['title'] = $title;
    $data['content'] = $content;     // stored as-is, no escaping
    $data['add_time'] = APP_LOCAL_TIMESTAMP;
    $data['available_time'] = empty($available_time) ? APP_LOCAL_TIMESTAMP : $available_time;
    $notice_id = $this->db->save($data, 0, T_NOTICE);
    if ($notice_id === false) {
        return RST(false, 1210004, 'Sending failed, please retry');
    }
So the action can be called directly with a constructed request:

    POST /?m=api/weibo/action.sendNotice&_=1331620238391 HTTP/1.1
    ....
    uid=[0 for a site-wide broadcast; otherwise the target user's uid]&title=[title]&content=[content]&available_time=123123123
In addition, the displayed notice content is not HTML-escaped, so the same request can deliver an XSS to every user of the site in the administrator's name. What makes this XSS significant is that it bypasses the official restrictions: following, posting Weibo, and every other user operation exposed by the xweibo interfaces can be driven, once the confirmation step is passed in the victim's browser, on behalf of all users / Weibo users of the xweibo site.
Proof of vulnerability:
Solution:
1. The notice interface must enforce an identity (administrator) check;
2. Escape the notice title and content on output to fix the XSS;
3. Add CSRF token and Referer checks to the other Weibo operation interfaces.
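The three fixes above, applied to a handler shaped like sendNotice. This is an added example and not xweibo's own code: it assumes a hypothetical session layout ($session['is_admin'], $session['csrf_token']) and a hypothetical POST field named token, and it returns the record that would be saved instead of calling the real DR()/db layer. The vulnerable original performs none of these checks.

```php
<?php
// Added example (not xweibo's code). Assumed session keys: is_admin, csrf_token.
// Assumed POST field for the CSRF token: token. Adjust to the real application.

// 1. Identity restriction: only an administrator may send notices.
function requireAdmin(array $session) {
    if (empty($session['is_admin'])) {
        throw new RuntimeException('permission denied: admin required');
    }
}

// 3. CSRF and Referer checks. The token bound to the session must match the one
// submitted, compared in constant time. The Referer check is secondary, since the
// header may legitimately be absent; when present it must name our own host.
function requireCsrfToken(array $session, array $post, $referer, $siteHost) {
    $expected = isset($session['csrf_token']) ? $session['csrf_token'] : '';
    $given    = isset($post['token']) ? $post['token'] : '';
    if ($expected === '' || !hash_equals($expected, $given)) {
        throw new RuntimeException('csrf check failed');
    }
    if ($referer !== null && parse_url($referer, PHP_URL_HOST) !== $siteHost) {
        throw new RuntimeException('bad referer');
    }
}

// 2. Escape on output so a stored payload renders as text, not markup.
function renderNotice(array $notice) {
    $t = htmlspecialchars($notice['title'],   ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $c = htmlspecialchars($notice['content'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<div class=\"notice\"><h3>$t</h3><p>$c</p></div>";
}

// Hardened handler: same inputs as the original action, but guarded. Returns the
// record that would be handed to the storage layer (hypothetical, no db call).
function sendNoticeHardened(array $session, array $post, $referer, $siteHost) {
    requireAdmin($session);
    requireCsrfToken($session, $post, $referer, $siteHost);
    $uid     = isset($post['uid']) ? (int) $post['uid'] : 0;
    $title   = isset($post['title']) ? trim($post['title']) : '';
    $content = isset($post['content']) ? trim($post['content']) : '';
    if ($title === '' || $content === '') {
        throw new InvalidArgumentException('title and content are required');
    }
    return array('uid' => $uid, 'title' => $title, 'content' => $content,
                 'send_all' => ($uid === 0));   // uid 0 still means site-wide, but only for admins
}

// Constructed demo inputs.
$host         = 'xweibo.example';
$adminSession = array('is_admin' => true, 'csrf_token' => bin2hex(random_bytes(16)));
$anonSession  = array();

// The original bug: an unauthenticated caller broadcasting a notice. Now rejected.
try {
    sendNoticeHardened($anonSession, array('uid' => 0, 'title' => 'x', 'content' => 'y'), null, $host);
} catch (RuntimeException $e) {
    echo "anonymous caller: " . $e->getMessage() . "\n";
}

// Admin with a valid token and a same-origin Referer: accepted, and the stored
// payload is neutralised at render time.
$post = array('uid' => 0, 'title' => '<script>alert(1)</script>', 'content' => 'hello',
              'token' => $adminSession['csrf_token']);
$rec = sendNoticeHardened($adminSession, $post, "http://$host/admin/notice", $host);
echo "admin caller: send_all=" . var_export($rec['send_all'], true) . "\n";
echo renderNotice($rec) . "\n";
```

The token check deliberately runs after the admin check, so an anonymous caller learns nothing about token handling, and hash_equals is used rather than == to avoid a timing side channel on the token comparison.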
Author: Milk Tank