
CodersClub


xss on discuzx

Post time: 2011-10-16 07:44
I don't want to upgrade my forum, because I have done some modifications, and there is no major difference between X 1.5 and X 2. But there is a bug report.

Could you help me to fix this?
http://0xsec.org/?p=303

 Russia

Post time: 2011-10-16 12:21
The vulnerability report:
A small collection of Discuz X XSS vulnerability

/ **
* Title: Discuz X Series XSS vulnerability of small collections
* Author: sogili @ 0xsec
* From: 0xsec.org
* Website: 0xsec.org & sogili.com
** /

Some versions of Discuz X have some small XSS vulnerabilities.

Involved versions: Discuz X1.0 & X1.5.
Plus one QQ bookmark XSS.

sogili complain when playing with small achievements.


Discuz x1.0 personal space template customization XSS

Several times in front of almost all the problems the img tag:
After landing -> enter the personal space -> dress space -> Add Template -> check the free templates 1 ->



But this may not impact the scope of previous big, because it is a personal space, but one thing better than the previous point is the place (IMG code supports a maximum 1000 words), so that's not so hard to reduce the length.

Discuz! X1.5 post Xss

Type when posting
[img]javascript:alert(/sogili/)[/img]

Discuz X1.5 personal home-based stored XSS
Into the profile page
to submit comments [img]javascript:alert(/sogili/)[/img]

QQ bookmark Xss

http://shuqian.qq.com/login/auth?jump=1&sURL=javascript:alert(0)

Published 02/19/2011
Filed in Web security and tagged Xss
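
An added example, not part of the thread and not Discuz! code: the `[img]javascript:` and `sURL=javascript:` payloads quoted above both rely on a user-supplied URL whose scheme is never checked. The PHP below applies an http/https allowlist to `[img]` BBCode and to a redirect parameter; all function names are hypothetical and the sample inputs are constructed.

```php
<?php
// Added example, not Discuz! code: scheme allowlist for user-supplied URLs.
// Function names and the sample inputs below are constructed.

/** Return the URL if it is an absolute http(s) URL with a host, else null. */
function allowlisted_http_url(string $raw): ?string
{
    $url = trim($raw);
    // Allowlist, not blocklist: "javascript:", "data:", "vbscript:" and any
    // obfuscated spelling of them fail simply because they are not http(s).
    if (!preg_match('#^https?://[^\s<>"\']+$#i', $url)) {
        return null;
    }
    $parts = parse_url($url);
    return ($parts !== false && !empty($parts['host'])) ? $url : null;
}

/** Render [img]...[/img]; tags with a rejected URL stay as inert text. */
function render_img_bbcode(string $post): string
{
    // Escape the whole post first so nothing user-supplied is live markup.
    $escaped = htmlspecialchars($post, ENT_QUOTES, 'UTF-8');
    return preg_replace_callback(
        '#\[img\](.*?)\[/img\]#is',
        function (array $m): string {
            // Undo the escaping for validation only, then escape again.
            $raw = htmlspecialchars_decode($m[1], ENT_QUOTES);
            $url = allowlisted_http_url($raw);
            if ($url === null) {
                return $m[0]; // already escaped, displayed as plain text
            }
            return '<img src="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '" alt="">';
        },
        $escaped
    );
}

/** Same check for a redirect parameter such as sURL. */
function redirect_target(string $param, string $fallback = '/'): string
{
    return allowlisted_http_url($param) ?? $fallback;
}

// Constructed inputs: the payload from the report and a normal image link.
echo render_img_bbcode('[img]javascript:alert(/sogili/)[/img]'), "\n";
echo render_img_bbcode('[img]https://example.com/a.png[/img]'), "\n";
echo redirect_target('javascript:alert(0)'), "\n";
```

The scheme check alone still lets a redirect go to any http(s) host; a redirect handler would normally also compare the parsed host against the site's own domains.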

 Russia

Post time: 2011-10-16 12:23
I have tested this report.
This XSS does not work on my latest versions (1.5 & 2.0).
You can check it by yourself.

 United States

 Author| Post time: 2011-10-17 09:06
Thanks, man. I have tested it in the post editor and saw no problem. But I could not understand where this one is:
Discuz X1.5 personal home-based stored XSS
Into the profile page
to submit comments

 Russia

Post time: 2011-10-17 11:36
But I could not understand where is this

User space -> Write to Wall.