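2015-04-24: Details reported to the vendor; awaiting the vendor's response.
2015-04-24: The vendor has chosen to ignore the vulnerability; details are disclosed to the public.
POST request, no token, no Referer verification.
The profile editing page at http://bbs.uc.cn/home.php?mod=spacecp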
<form target="frame_profile" enctype="multipart/form-data" method="post" action="http://bbs.uc.cn/home.php?mod=spacecp&ac=profile&op=base"><input type="hidden" name="formhash" value="6a12255c"><table cellspacing="0" cellpadding="0" id="profilelist" class="tfm"><tbody><tr><th>用户名</th><td>assfffg</td><td> </td></tr><tr id="tr_realname"><th id="th_realname">真实姓名</th><td id="td_realname"><input type="text" tabindex="1" value="sss" class="px" id="realname" name="realname"><div id="showerror_realname" class="rq mtn"></div><p class="d"></p></td><td class="p"><select name="privacy[realname]"><option selected="selected" value="0">公开</option><option value="1">好友可见</option><option value="3">保密</option></select></td></tr><tr id="tr_gender"><th id="th_gender">性别</th><td id="td_gender"><select tabindex="1" class="ps" id="gender" name="gender"><option value="0">保密</option><option selected="selected" value="1">男</option><option value="2">女</option></select><div id="showerror_gender" class="rq mtn"></div><p class="d"></p></td><td class="p"><select name="privacy[gender]"><option selected="selected" value="0">公开</option><option value="1">好友可见</option><option value="3">保密</option></select></td></tr><tr id="tr_birthday"><th id="th_birthday">生日</th><td id="td_birthday"><select tabindex="1" onchange="showbirthday();" class="ps" id="birthyear" name="birthyear"><option value="">年</option><option selected="" value="2015">2015</option><option value="2014">2014</option><option value="2013">2013</option><option value="2012">2012</option><option value="2011">2011</option><option value="2010">2010</option><option value="2009">2009</option><option value="2008">2008</option><option value="2007">2007</option><option value="2006">2006</option><option value="2005">2005</option><option value="2004">2004</option><option value="2003">2003</option><option value="2002">2002</option><option value="2001">2001</option><option value="2000">2000</option><option value="1999">1999</option><option 
value="1998">1998</option><option value="1997">1997</option><option value="1996">1996</option><option value="1995">1995</option><option value="1994">1994</option><option value="1993">1993</option><option value="1992">1992</option><option value="1991">1991</option><option value="1990">1990</option><option value="1989">1989</option><option value="1988">1988</option><option value="1987">1987</option><option value="1986">1986</option><option value="1985">1985</option><option value="1984">1984</option><option value="1983">1983</option><option value="1982">1982</option><option value="1981">1981</option><option value="1980">1980</option><option value="1979">1979</option><option value="1978">1978</option><option value="1977">1977</option><option value="1976">1976</option><option value="1975">1975</option><option value="1974">1974</option><option value="1973">1973</option><option value="1972">1972</option><option value="1971">1971</option><option value="1970">1970</option><option value="1969">1969</option><option value="1968">1968</option><option value="1967">1967</option><option value="1966">1966</option><option value="1965">1965</option><option value="1964">1964</option><option value="1963">1963</option><option value="1962">1962</option><option value="1961">1961</option><option value="1960">1960</option><option value="1959">1959</option><option value="1958">1958</option><option value="1957">1957</option><option value="1956">1956</option><option value="1955">1955</option><option value="1954">1954</option><option value="1953">1953</option><option value="1952">1952</option><option value="1951">1951</option><option value="1950">1950</option><option value="1949">1949</option><option value="1948">1948</option><option value="1947">1947</option><option value="1946">1946</option><option value="1945">1945</option><option value="1944">1944</option><option value="1943">1943</option><option value="1942">1942</option><option value="1941">1941</option><option 
value="1940">1940</option><option value="1939">1939</option><option value="1938">1938</option><option value="1937">1937</option><option value="1936">1936</option><option value="1935">1935</option><option value="1934">1934</option><option value="1933">1933</option><option value="1932">1932</option><option value="1931">1931</option><option value="1930">1930</option><option value="1929">1929</option><option value="1928">1928</option><option value="1927">1927</option><option value="1926">1926</option><option value="1925">1925</option><option value="1924">1924</option><option value="1923">1923</option><option value="1922">1922</option><option value="1921">1921</option><option value="1920">1920</option><option value="1919">1919</option><option value="1918">1918</option><option value="1917">1917</option><option value="1916">1916</option></select> <select tabindex="1" onchange="showbirthday();" class="ps" id="birthmonth" name="birthmonth"><option value="">月</option><option selected="" value="1">1</option><option value="2">2</option><option value="3">3</option><option value="4">4</option><option value="5">5</option><option value="6">6</option><option value="7">7</option><option value="8">8</option><option value="9">9</option><option value="10">10</option><option value="11">11</option><option value="12">12</option></select> <select tabindex="1" class="ps" id="birthday" name="birthday"><option value="">日</option><option value="1">1</option><option selected="" value="2">2</option><option value="3">3</option><option value="4">4</option><option value="5">5</option><option value="6">6</option><option value="7">7</option><option value="8">8</option><option value="9">9</option><option value="10">10</option><option value="11">11</option><option value="12">12</option><option value="13">13</option><option value="14">14</option><option value="15">15</option><option value="16">16</option><option value="17">17</option><option value="18">18</option><option value="19">19</option><option 
value="20">20</option><option value="21">21</option><option value="22">22</option><option value="23">23</option><option value="24">24</option><option value="25">25</option><option value="26">26</option><option value="27">27</option><option value="28">28</option><option value="29">29</option><option value="30">30</option><option value="31">31</option></select><div id="showerror_birthday" class="rq mtn"></div><p class="d"></p></td><td class="p"><select name="privacy[birthday]"><option selected="selected" value="0">公开</option><option value="1">好友可见</option><option value="3">保密</option></select></td></tr><tr id="tr_birthcity"><th id="th_birthcity">出生地</th><td id="td_birthcity">天津市 (<a onclick="showdistrict('birthdistrictbox', ['birthprovince', 'birthcity', 'birthdist', 'birthcommunity'], 4, '', 'birth'); return false;" href="javascript:;">修改</a>)<p id="birthdistrictbox"></p><div id="showerror_birthcity" class="rq mtn"></div><p class="d"></p></td><td class="p"><select name="privacy[birthcity]"><option selected="selected" value="0">公开</option><option value="1">好友可见</option><option value="3">保密</option></select></td></tr><tr id="tr_residecity"><th id="th_residecity">居住地</th><td id="td_residecity">天津市 (<a onclick="showdistrict('residedistrictbox', ['resideprovince', 'residecity', 'residedist', 'residecommunity'], 4, '', 'reside'); return false;" href="javascript:;">修改</a>)<p id="residedistrictbox"></p><div id="showerror_residecity" class="rq mtn"></div><p class="d"></p></td><td class="p"><select name="privacy[residecity]"><option selected="selected" value="0">公开</option><option value="1">好友可见</option><option value="3">保密</option></select></td></tr><tr id="tr_affectivestatus"><th id="th_affectivestatus">情感状态</th><td id="td_affectivestatus"><input type="text" tabindex="1" value="s" class="px" id="affectivestatus" name="affectivestatus"><div id="showerror_affectivestatus" class="rq mtn"></div><p class="d"></p></td><td class="p"><select name="privacy[affectivestatus]"><option 
selected="selected" value="0">公开</option><option value="1">好友可见</option><option value="3">保密</option></select></td></tr><tr id="tr_lookingfor"><th id="th_lookingfor">交友目的</th><td id="td_lookingfor"><input type="text" tabindex="1" value="s" class="px" id="lookingfor" name="lookingfor"><div id="showerror_lookingfor" class="rq mtn"></div><p class="d"></p></td><td class="p"><select name="privacy[lookingfor]"><option selected="selected" value="0">公开</option><option value="1">好友可见</option><option value="3">保密</option></select></td></tr><tr id="tr_bloodtype"><th id="th_bloodtype">血型</th><td id="td_bloodtype"><select tabindex="1" class="ps" id="bloodtype" name="bloodtype"><option value="A">A</option><option selected="selected" value="B">B</option><option value="AB">AB</option><option value="O">O</option><option value="其它">其它</option></select><div id="showerror_bloodtype" class="rq mtn"></div><p class="d"></p></td><td class="p"><select name="privacy[bloodtype]"><option selected="selected" value="0">公开</option><option value="1">好友可见</option><option value="3">保密</option></select></td></tr><tr id="tr_field1"><th id="th_field1">手机型号</th><td id="td_field1"><input type="text" tabindex="1" value="a" class="px" id="field1" name="field1"><div id="showerror_field1" class="rq mtn"></div><p class="d"></p></td><td class="p"><select name="privacy[field1]"><option selected="selected" value="0">公开</option><option value="1">好友可见</option><option value="3">保密</option></select></td></tr><tr><th> </th><td colspan="2"><input type="hidden" value="true" name="profilesubmit"><button class="pn pnc" value="true" id="profilesubmitbtn" name="profilesubmitbtn" type="submit"><strong>保存</strong></button><span class="rq" id="submit_result"></span></td></tr></tbody></table></form>
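Add a token, or check the Referer.
Severity: no impact (ignored by vendor)
Ignored at: 2015-04-24 13:08
White hat: Hello! Because the formhash in the form is dynamic and also time-limited, the user's formhash has to be obtained first, so the bar for exploiting this CSRF is fairly high. We are therefore ignoring this vulnerability for now. Thank you very much for your concern for UC's security!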
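The two defences named above, the Referer check from the suggested fix and a session-bound, time-limited token of the kind the vendor reply describes, can be combined on the server side as follows. This is an added example, not code from the report, from UC or from the forum software; the secret, the TTL and all function names are assumptions, and only the host and the `formhash` field name come from the form above.

```python
import hashlib
import hmac
import time
from urllib.parse import urlsplit

SECRET = b"constructed-demo-secret"     # assumption: per-deployment server secret
ALLOWED_ORIGIN = ("http", "bbs.uc.cn")  # scheme and host of the form's action URL
TOKEN_TTL = 3600                        # assumption: token valid for one hour


def _mac(session_id, ts):
    msg = f"{session_id}|{ts}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_token(session_id, now=None):
    """Return '<timestamp>.<hmac>' bound to a single session."""
    ts = str(int(time.time() if now is None else now))
    return f"{ts}.{_mac(session_id, ts)}"


def token_ok(session_id, token, now=None):
    """Accept only a fresh token that was issued for this exact session."""
    now = time.time() if now is None else now
    ts, sep, mac = (token or "").partition(".")
    try:
        age = now - int(ts)
    except ValueError:
        return False
    if not sep or not 0 <= age <= TOKEN_TTL:
        return False
    return hmac.compare_digest(mac.encode(), _mac(session_id, ts).encode())


def origin_ok(headers):
    """Compare the parsed scheme and host exactly; substring matching on the
    Referer would also accept look-alike hosts such as bbs.uc.cn.other.example."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False  # state-changing POST with no Origin/Referer is rejected
    parts = urlsplit(source)
    return (parts.scheme, parts.hostname) == ALLOWED_ORIGIN


def allow_profile_update(session_id, headers, form, now=None):
    """Both checks must pass before the profile POST is processed."""
    return origin_ok(headers) and token_ok(session_id, form.get("formhash"), now)
```

Binding the token to the session identifier is what stops a token obtained in one account from validating a request made with another user's cookies.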