当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-099024

漏洞标题:凤凰某站漏洞被利用可跳转至任意网站

相关厂商:凤凰网

漏洞作者: 七月的夏天

提交时间:2015-03-03 12:05

修复时间:2015-04-17 12:06

公开时间:2015-04-17 12:06

漏洞类型:URL跳转

危害等级:低

自评Rank:4

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-03-03: 细节已通知厂商并且等待厂商处理中
2015-03-04: 厂商已经确认,细节仅向厂商公开
2015-03-14: 细节向核心白帽子及相关领域专家公开
2015-03-24: 细节向普通白帽子公开
2015-04-03: 细节向实习白帽子公开
2015-04-17: 细节向公众公开

简要描述:

收到一封骗取apple ID密码的邮件,其中假冒apple.com的网址是bc.ifeng.com

详细说明:

收到一封骗apple ID密码的邮件,其中有“查看位置”、“锁定设备”两个超链接,均指向
http://bc.ifeng.com/c?db=ifeng&bid=16277,15962,3436&cid=2501,59,1&sid=33869&advid=349&camid=3546&show=ignore&url=http://jjhlhlhlkjh.4324554.bjyqttc.com
用curl -L -v 访问上述网址,发现ifeng.com未经任何互动就给出了跳转到querystring里指定的网址的302响应。

漏洞证明:

$ curl -L -v 'http://bc.ifeng.com/c?db=ifeng&bid=16277,15962,3436&cid=2501,59,1&sid=33869&advid=349&camid=3546&show=ignore&url=http://jjhlhlhlkjh.4324554.bjyqttc.com'
* Hostname was NOT found in DNS cache
*   Trying 223.203.209.172...
* Connected to bc.ifeng.com (223.203.209.172) port 80 (#0)
> GET /c?db=ifeng&bid=16277,15962,3436&cid=2501,59,1&sid=33869&advid=349&camid=3546&show=ignore&url=http://jjhlhlhlkjh.4324554.bjyqttc.com HTTP/1.1
> User-Agent: curl/7.37.1
> Host: bc.ifeng.com
> Accept: */*
>
< HTTP/1.1 302 Found
< Date: Mon, 02 Mar 2015 02:46:23 GMT
* Server Apache is not blacklisted
< Server: Apache
< P3P: CP="OTI PSA OUR"
< Set-Cookie: ALLYESID4=EE128B79CD88D545 ; expires=Wednesday, 02-Nov-2099 00:00:00 GMT ; path=/ ; domain=.allyes.com
< Set-Cookie: ALLYESSESSION1=394f55f9cd88d; path=/; domain=.allyes.com
< Location: /c?db=ifeng&bid=16277,15962,3436&cid=2501,59,1&sid=33869&advid=349&camid=3546&show=ignore&url=http://jjhlhlhlkjh.4324554.bjyqttc.com&`
< Content-Length: 0
< Connection: close
< Content-Type: text/plain
<
* Closing connection 0
* Issue another request to this URL: 'http://bc.ifeng.com/c?db=ifeng&bid=16277,15962,3436&cid=2501,59,1&sid=33869&advid=349&camid=3546&show=ignore&url=http://jjhlhlhlkjh.4324554.bjyqttc.com&`'
* Hostname was found in DNS cache
*   Trying 223.203.209.172...
* Connected to bc.ifeng.com (223.203.209.172) port 80 (#1)
> GET /c?db=ifeng&bid=16277,15962,3436&cid=2501,59,1&sid=33869&advid=349&camid=3546&show=ignore&url=http://jjhlhlhlkjh.4324554.bjyqttc.com&` HTTP/1.1
> User-Agent: curl/7.37.1
> Host: bc.ifeng.com
> Accept: */*
>
< HTTP/1.1 302 Found
< Date: Mon, 02 Mar 2015 02:46:23 GMT
* Server Apache is not blacklisted
< Server: Apache
< Set-Cookie: ALLYESID4=09B7047ED0B94594 ; expires=Wednesday, 02-Nov-2099 00:00:00 GMT ; path=/ ; domain=.ifeng.com
< Location: http://jjhlhlhlkjh.4324554.bjyqttc.com
< Cache-Control: no-cache,must-revalidate
< P3P: CP="OTI PSA OUR"
< Pragma: no-cache
< Expires: -1
< Content-Length: 0
< Connection: close
< Content-Type: text/plain
<
* Closing connection 1
* Issue another request to this URL: 'http://jjhlhlhlkjh.4324554.bjyqttc.com'

修复方案:

版权声明:转载请注明来源 七月的夏天@乌云

漏洞回应

厂商回应:

危害等级:低

漏洞Rank:2

确认时间:2015-03-04 13:35

厂商回复:

非常感谢,我们正在处理。

最新状态:

暂无