by lib3rt3
2007-07-17
http://www.wolvez.org复制内容到剪贴板
代码:
前些天看国外的资料时得到的思路:)
在common.inc.php文件的69行:
$PHP_SELF = $_SERVER['PHP_SELF'] ? $_SERVER['PHP_SELF'] : $_SERVER['SCRIPT_NAME'];
$SCRIPT_FILENAME = str_replace('\\\\', '/', (isset($_SERVER['PATH_TRANSLATED']) ? $_SERVER['PATH_TRANSLATED'] : $_SERVER['SCRIPT_FILENAME']));
$boardurl = 'http://'.$_SERVER['HTTP_HOST'].preg_replace("/\/+(api|archiver|wap)?\/*$/i", '', substr($PHP_SELF, 0, strrpos($PHP_SELF, '/'))).'/';
取得$_SERVER['PHP_SELF']的最后一个/前的字符串后直接拼入了$boardurl,没做其他处理
在index.php文件的49行:
$rssstatus && $rsshead = '<link rel="alternate" type="application/rss+xml" title="'.$bbname.'" href="'.$boardurl.'rss.php?auth='.$rssauth.'">';
这里调用了$boardurl,
在header.htm中的12行:
<link rel="archives" title="$bbname" href="{$boardurl}archiver/">
$rsshead
这里调输出了$boardurl,同时还有$rsshead,
利用方式:
http://www.discuz.net/index.php/%22%3E%3Cscript%3Ealert('lib3rt3')%3C/script%3E/
解决方法:
$PHP_SELF = $_SERVER['PHP_SELF'] ? $_SERVER['PHP_SELF'] : $_SERVER['SCRIPT_NAME'];
改为:
$PHP_SELF = htmlspecialchars($_SERVER['PHP_SELF'] ? $_SERVER['PHP_SELF'] : $_SERVER['SCRIPT_NAME']);
相关资料在:
http://www.claroline.net/forum/viewtopic.php?t=11920
http://blog.phpdoc.info/archives/13-XSS-Woes.html
