VULHUB ™

### 简要描述： 前台过滤不严，绕过防护跨站 ### 详细说明： 再次发现phpyunCMS存储型跨站2枚，可能存在多处 漏洞代码位于 /phpyun/friend/model/index.class.php 第一处是： function save_action()//xss { if($this->uid=='') { $this->obj->ACT_layer_msg( "请先登录！", 8); } if(trim($_POST['title'])=="") { $this->obj->ACT_layer_msg( "标题不能为空！", 8); } $data['title']=$_POST['title']; $data['cid']=(int)$_POST['cid']; $data['content']=str_replace("&amp;","&",html_entity_decode($_POST['content'],ENT_QUOTES,"GB2312")); $data['uid']=$this->uid; $data['add_time']=time(); $n_ids=$this->obj->insert_into("question",$data); if($n_ids) { $nickname=$this->obj->DB_select_once("firend_info","`uid`='".$this->uid."'","`nickname`"); $gourl= $this->aurl(array("url"=>"c:content,id:".$n_ids)); $sql['uid']=$this->uid; $sql['content']="发布了问答《<a href=\"".$gourl."\" target=\"_blank\">".$_POST['title']."</a>》。"; $sql['ctime']=time(); $this->obj->insert_into("friend_state",$sql); $gourl= $this->aurl(array("url"=>"c:index")); $this->obj->ACT_layer_msg( "提问成功！",9,$gourl); }else{...

### 简要描述： 前台过滤不严，绕过防护跨站 ### 详细说明： 再次发现phpyunCMS存储型跨站2枚，可能存在多处 漏洞代码位于 /phpyun/friend/model/index.class.php 第一处是： function save_action()//xss { if($this->uid=='') { $this->obj->ACT_layer_msg( "请先登录！", 8); } if(trim($_POST['title'])=="") { $this->obj->ACT_layer_msg( "标题不能为空！", 8); } $data['title']=$_POST['title']; $data['cid']=(int)$_POST['cid']; $data['content']=str_replace("&amp;","&",html_entity_decode($_POST['content'],ENT_QUOTES,"GB2312")); $data['uid']=$this->uid; $data['add_time']=time(); $n_ids=$this->obj->insert_into("question",$data); if($n_ids) { $nickname=$this->obj->DB_select_once("firend_info","`uid`='".$this->uid."'","`nickname`"); $gourl= $this->aurl(array("url"=>"c:content,id:".$n_ids)); $sql['uid']=$this->uid; $sql['content']="发布了问答《<a href=\"".$gourl."\" target=\"_blank\">".$_POST['title']."</a>》。"; $sql['ctime']=time(); $this->obj->insert_into("friend_state",$sql); $gourl= $this->aurl(array("url"=>"c:index")); $this->obj->ACT_layer_msg( "提问成功！",9,$gourl); }else{ $this->obj->ACT_layer_msg( "提问失败！", 8); } } 第二处： function answer_action()//xsssss { $gourl= $this->aurl(array("url"=>"c:content,id:".$_GET['id'])); if($_POST['content']) { $q_title=$this->obj->DB_select_once("question","`id`='".(int)$_GET['id']."'","`uid`,`title`,`content`"); if($q_title['uid']==$this->uid) { $content = str_replace("&amp;","&",html_entity_decode("<br/>追加内容：<br/>".$_POST['content'],ENT_QUOTES,"GB2312")); $content=$q_title['content'].$content; $id=$this->obj->update_once("question",array("content"=>$content),array("id"=>(int)$_GET['id'])); if($id) { $this->obj->ACT_layer_msg( "提问追加成功！",9,$gourl); }else{ $this->obj->ACT_layer_msg( "提问追加失败！",8,$gourl); } }else{ $data['qid']=(int)$_GET['id']; $data['content']=str_replace("&amp;","&",html_entity_decode($_POST['content'],ENT_QUOTES,"GB2312")); $data['uid']=$this->uid; $data['comment']=0; $data['support']=0; $data['oppose']=0; $data['add_time']=time(); $id=$this->obj->insert_into("answer",$data); if($id) { $this->obj->DB_update_all("question","`answer_num`=`answer_num`+1","id='".(int)$_GET['id']."'"); $state_content = "回答了问答《<a href=\"".$gourl."\" target=\"_blank\">".$q_title['title']."</a>》。"; $this->addstate($state_content); $this->obj->ACT_layer_msg( "回答成功！", 9,$gourl); }else{ $this->obj->ACT_layer_msg( "回答失败！", 8); } } }else{ $this->obj->ACT_layer_msg( "内容不能为空！", 2); } } 两处代码的漏洞都在于$_POST['content']变量并没有进行良好的过滤，直接写入数据库中，虽然phpyun有其他的防护拦截，但是依旧可以绕过，绕过代码 <a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD4=">test<a> 或者<iframe src=”http://www.baidu.com”>tt</iframe> 验证： 第一处代码对应的功能是“我要提问” 如图： [<img src="https://images.seebug.org/upload/201408/211350388b119a701fb47cf3fe3d38b208db64fb.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201408/211350388b119a701fb47cf3fe3d38b208db64fb.png) 然后查看“我的问题” [<img src="https://images.seebug.org/upload/201408/21135052501c935c191416058f3978b3dad4dfa8.png" alt="2.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201408/21135052501c935c191416058f3978b3dad4dfa8.png) 点击test触发弹框 第二处在追加（回答）问题处 [<img src="https://images.seebug.org/upload/201408/21135123b2eadca719774354ce558c870f2a5c43.png" alt="3.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201408/21135123b2eadca719774354ce558c870f2a5c43.png) 提交后可见 [<img src="https://images.seebug.org/upload/201408/21135146eff46994871134320e456bb865f35a93.png" alt="4.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201408/21135146eff46994871134320e456bb865f35a93.png) 验证完毕。 经过我对代码的粗略阅读，phpyunCMS中大量存在类似的缺陷代码，对应的功能我没有详细挖掘，肯定的是存储型跨站绝对不止这两处，希望厂商能对代码整体进行修复。 ### 漏洞证明： 详见说明