74CMS wap_user.php XSS vulnerability

File: /74cms/wap/wap_user.php

45 elseif ($act == 'add_favorites')
46 {
47     require_once(QISHI_ROOT_PATH.'include/fun_personal.php');
48     $id = isset($_GET['id']) ? trim($_GET['id']) : exit("出错了");
49     $link[0]['text'] = "[返回上一页]";
50     $link[0]['href'] = $_SERVER["HTTP_REFERER"];   // attacker-controlled, stored without any filtering
51     $link[1]['text'] = "[查看收藏夹]";
52     $link[1]['href'] = 'wap_user.php?act=favorites';
53     if (add_favorites($id, $_SESSION['uid']) == 0)
54     {
55         WapShowMsg("添加失败，收藏夹中已经存在此职位", 0, $link);   // $link (with the raw Referer) reaches the template
56     }
57     else
58     {
59         WapShowMsg("添加成功", 2, $link);
60     }
61 }

The message strings are just GBK-encoded Chinese and are not relevant here. On line 50 the Referer header is used without any filtering, and line 55 passes it to WapShowMsg. The implementation of WapShowMsg:

function WapShowMsg($msg_detail, $msg_type = 0, $links = array())
{
    global $smarty;
    if (count($links) == 0)
    {
        $links[0]['text'] = '返回上一页';
        $links[0]['href'] = 'javascript:history.go(-1)';
    }
    $smarty->assign('ur_here',     '系统提示');
    $smarty->assign('msg_type',    $msg_type);
    $smarty->assign('msg_detail',  $msg_detail);
    $smarty->assign('links',       $links);          // passed through unescaped
    $smarty->assign('default_url', $links[0]['href']); // same unfiltered Referer value
    $smarty->display('wap/wap-showmsg.htm');
    exit();
}

As you can see, the value is handed to the template without any filtering either, so JavaScript can be injected straight through the Referer header:

"><script>alert(1)</script>
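The root cause is that an attacker-controlled header is used both as a link target and as raw template data. The following is an added example, not 74cms code: it validates the Referer as a same-origin http(s) URL before using it as a "back" link, falls back to a fixed in-site URL otherwise, and HTML-escapes the values before they are assigned to the template. The function names (`safe_back_link`, `esc_html`, `build_links`), the site host and the sample inputs are assumptions constructed for the demonstration.

```php
<?php
// Added example (not 74cms code): validate the Referer before using it as a
// link target, and HTML-escape anything that ends up inside a tag attribute.
// Function names, the site host and the inputs below are constructed for illustration.

declare(strict_types=1);

/**
 * Return a safe "back" link. Only a same-origin http(s) Referer is accepted;
 * anything else (javascript:, data:, off-site hosts, junk) becomes $fallback.
 */
function safe_back_link(?string $referer, string $site_host, string $fallback = 'wap_index.php'): string
{
    if ($referer === null || $referer === '') {
        return $fallback;
    }
    $parts = parse_url($referer);
    if ($parts === false) {
        return $fallback;
    }
    $scheme = strtolower($parts['scheme'] ?? '');
    $host   = strtolower($parts['host'] ?? '');
    if (!in_array($scheme, ['http', 'https'], true) || $host !== strtolower($site_host)) {
        return $fallback;
    }
    // Rebuild the URL from the parsed components so nothing unexpected survives.
    $url = $scheme . '://' . $host;
    if (isset($parts['port'])) {
        $url .= ':' . $parts['port'];
    }
    $url .= $parts['path'] ?? '/';
    if (isset($parts['query'])) {
        $url .= '?' . $parts['query'];
    }
    return $url;
}

/** Escape a value for use inside an HTML attribute or text node (quotes included). */
function esc_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Build the same $link structure as wap_user.php, but validated and escaped. */
function build_links(?string $referer, string $site_host): array
{
    return [
        ['text' => esc_html('[返回上一页]'), 'href' => esc_html(safe_back_link($referer, $site_host))],
        ['text' => esc_html('[查看收藏夹]'), 'href' => 'wap_user.php?act=favorites'],
    ];
}

// Constructed Referer values for the demonstration.
$site  = 'www.example.com';
$cases = [
    'http://www.example.com/wap_jobs.php?id=1', // legitimate same-origin link, kept
    'http://evil.example.net/',                 // off-site, replaced by the fallback
    'javascript:alert(1)',                      // no http(s) host, replaced
    '"><script>alert(1)</script>',              // the payload from the write-up, replaced
];
foreach ($cases as $ref) {
    $links = build_links($ref, $site);
    printf("%-45s => href=\"%s\"\n", $ref, $links[0]['href']);
}
```

Escaping should happen exactly once, at the point where the value enters HTML. If the template is made responsible for it instead (Smarty's `|escape` modifier on each output), then `esc_html` must be dropped from `build_links` to avoid double-encoding; what matters is that neither `links` nor `default_url` reaches `wap-showmsg.htm` unescaped. The same-origin check is the part that actually removes the Referer as an injection channel; escaping alone still lets an off-site `javascript:` URL through as a clickable link.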