### 简要描述: 存储XSS,你懂的,赠送给乌云,俺貌似只是可能大概想连载下~ ### 详细说明: 下订单时,收货人信息里,未对电子邮件地址进行有效的过滤(未过滤双引号),导致在后台订单列表页及订单详情页可XSS. ``` /flow.php 373行 $consignee = array( 'address_id' => empty($_POST['address_id']) ? 0 : intval($_POST['address_id']), 'consignee' => empty($_POST['consignee']) ? '' : compile_str(trim($_POST['consignee'])), 'country' => empty($_POST['country']) ? '' : intval($_POST['country']), 'province' => empty($_POST['province']) ? '' : intval($_POST['province']), 'city' => empty($_POST['city']) ? '' : intval($_POST['city']), 'district' => empty($_POST['district']) ? '' : intval($_POST['district']), 'email' => empty($_POST['email']) ? '' : compile_str($_POST['email']), //compile_str只是对<>进行了处理 'address' => empty($_POST['address']) ? '' : compile_str($_POST['address']), 'zipcode' => empty($_POST['zipcode']) ? '' : compile_str(make_semiangle(trim($_POST['zipcode']))), 'tel' => empty($_POST['tel']) ? '' : compile_str(make_semiangle(trim($_POST['tel']))), 'mobile' => empty($_POST['mobile'])...
### 简要描述: 存储XSS,你懂的,赠送给乌云,俺貌似只是可能大概想连载下~ ### 详细说明: 下订单时,收货人信息里,未对电子邮件地址进行有效的过滤(未过滤双引号),导致在后台订单列表页及订单详情页可XSS. ``` /flow.php 373行 $consignee = array( 'address_id' => empty($_POST['address_id']) ? 0 : intval($_POST['address_id']), 'consignee' => empty($_POST['consignee']) ? '' : compile_str(trim($_POST['consignee'])), 'country' => empty($_POST['country']) ? '' : intval($_POST['country']), 'province' => empty($_POST['province']) ? '' : intval($_POST['province']), 'city' => empty($_POST['city']) ? '' : intval($_POST['city']), 'district' => empty($_POST['district']) ? '' : intval($_POST['district']), 'email' => empty($_POST['email']) ? '' : compile_str($_POST['email']), //compile_str只是对<>进行了处理 'address' => empty($_POST['address']) ? '' : compile_str($_POST['address']), 'zipcode' => empty($_POST['zipcode']) ? '' : compile_str(make_semiangle(trim($_POST['zipcode']))), 'tel' => empty($_POST['tel']) ? '' : compile_str(make_semiangle(trim($_POST['tel']))), 'mobile' => empty($_POST['mobile']) ? '' : compile_str(make_semiangle(trim($_POST['mobile']))), 'sign_building' => empty($_POST['sign_building']) ? '' :compile_str($_POST['sign_building']), 'best_time' => empty($_POST['best_time']) ? '' : compile_str($_POST['best_time']), ); ``` ### 漏洞证明: [<img src="https://images.seebug.org/upload/201305/1417363819947ef5e40d7e2c99b92c831e4c8389.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201305/1417363819947ef5e40d7e2c99b92c831e4c8389.png) 后台订单列表 [<img src="https://images.seebug.org/upload/201305/1417371265aea0da4d04d1e2007465da2e08a361.png" alt="2.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201305/1417371265aea0da4d04d1e2007465da2e08a361.png) 后台订单详情 [<img src="https://images.seebug.org/upload/201305/1417484547d91fc6ffc365bd287c78a862657702.png" alt="3.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201305/1417484547d91fc6ffc365bd287c78a862657702.png) cookie收集 [<img src="https://images.seebug.org/upload/201305/1417511407a1d781f151b580000adfee13fa6064.png" alt="4.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201305/1417511407a1d781f151b580000adfee13fa6064.png)
