AOH :: HP Unsorted Nums :: BU-2096.HTM

"$referer" export lead to the cross-site flaws in all versions of Discuz!



"$referer" export lead to the cross-site flaws in all versions of Discuz!
"$referer" export lead to the cross-site flaws in all versions of Discuz!





hi;
 
All versions of Discuz! have the cross-site vulnerabilities because of the export value of "$referer". 
 
Like: 
Discuz! 7.X
Discuz! 6.X
Discuz! 5.X
Discuz!NT 3.X
and so on.
 
 
There are some htm pages in all versions of Discuz!, that are:
/templates/default/attachpay.htm
/templates/default/ec_rate.htm
/templates/default/register.htm
 
 
These pages have code to export the value of "$referer": 
 
When the "$referer" include malicious code, these htm pages and the nested php pages will be XSS.
 
 
 
With "register.htm" as an example:
 
 
A user open a URL, and click the "Register" button on the page, this URL will been assigned to "$referer",then, "register.htm" export the value of "$referer", at this time, vistors' browser open "register.php" that include this value of "$referer".
 
So, either the URL is dynamic pages or static pages, either the url has xss or not. As long as the URL contains the xss code, the xss will be true.
 
 
 

Attacker just need to find the URL which can contains malicious code, then build the special URL.
with Discuz! 7.0 as an example, the "viewthread.php" can contains malicious code, like : http://www.example.com/viewthread.php?tid= . 
When users visit it , and then , click Register button, XSS has been true, malicious code ware been run.
 
 
 
 
principle of attachpay.htm and ec_rate.htm are same to register.htm.
 

It is not only in discuz!, all the web apps who save referer and export referer maybe have the vulnerabilities.
 
 
 
Liscker
2010.03.24 		 	   		  

The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.