hi;
 
All versions of Discuz! have the cross-site vulnerabilities because of the export value of "$referer". 
 
Like: 
Discuz! 7.X
Discuz! 6.X
Discuz! 5.X
Discuz!NT 3.X
and so on.
 
 
There are some htm pages in all versions of Discuz!, that are:
/templates/default/attachpay.htm
/templates/default/ec_rate.htm
/templates/default/register.htm
 
 
These pages have code to export the value of "$referer": <input type="hidden" name="referer" value="$referer" />
 
When the "$referer" include malicious code, these htm pages and the nested php pages will be XSS.
 
 
 
With "register.htm" as an example:
 
 
A user open a URL, and click the "Register" button on the page, this URL will been assigned to "$referer"$B!$(Bthen, "register.htm" export the value of "$referer", at this time, vistors' browser open "register.php" that include this value of "$referer".
 
So, either the URL is dynamic pages or static pages, either the url has xss or not. As long as the URL contains the xss code, the xss will be true.
 
 
 

Attacker just need to find the URL which can contains malicious code, then build the special URL.
with Discuz! 7.0 as an example, the "viewthread.php" can contains malicious code, like : http://www.example.com/viewthread.php?tid=<script>alert(/liscker/);</script> . 
When users visit it , and then , click Register button, XSS has been true, malicious code ware been run.
 
 
 
 
principle of attachpay.htm and ec_rate.htm are same to register.htm.
 

It is not only in discuz!, all the web apps who save referer and export referer maybe have the vulnerabilities.
 
 
 
Liscker
2010.03.24