Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:23452
HistoryMar 24, 2010 - 12:00 a.m.

"$referer" export lead to the cross-site flaws in all versions of Discuz!

2010-03-2400:00:00
vulners.com
16
JSON

hi;

All versions of Discuz! have the cross-site vulnerabilities because of the export value
of "$referer".

Like:
Discuz! 7.X
Discuz! 6.X
Discuz! 5.X
Discuz!NT 3.X
and so on.

There are some htm pages in all versions of Discuz!, that are:
/templates/default/attachpay.htm
/templates/default/ec_rate.htm
/templates/default/register.htm

These pages have code to export the value of "$referer": <input type="hidden"
name="referer" value="$referer" />

When the "$referer" include malicious code, these htm pages and the nested php pages
will be XSS.

With "register.htm" as an example:

A user open a URL, and click the "Register" button on the page, this URL will been
assigned to "$referer"$B!$(Bthen, "register.htm" export the value of "$referer", at
this time, vistors' browser open "register.php" that include this value of "$referer".

So, either the URL is dynamic pages or static pages, either the url has xss or not. As
long as the URL contains the xss code, the xss will be true.

Attacker just need to find the URL which can contains malicious code, then build the
special URL.
with Discuz! 7.0 as an example, the "viewthread.php" can contains malicious code, like
: http://www.example.com/viewthread.php?tid=&lt;script&gt;alert&#40;/liscker/&#41;;&lt;/script&gt; .
When users visit it , and then , click Register button, XSS has been true, malicious
code ware been run.

principle of attachpay.htm and ec_rate.htm are same to register.htm.

It is not only in discuz!, all the web apps who save referer and export referer maybe
have the vulnerabilities.

Liscker
2010.03.24

JSON