百度视频一个flash直接调用js函数,但是过滤不严格,导致存在跨站漏洞,测试URL为:?funcGetData=alert(document.cookie)。

细节:

private function readParmas()
1548           {
1549               var loc0:* = null;
1550               var loc1:* = null;
1551               loc0 = loaderInfo.parameters;
1552               if(loc0.hasOwnProperty("funcGetData"))
1553               {
1554                   this.FuncGetData = loc0["funcGetData"];
1555               }
1556               else
1557               {
1558                   this.FuncGetData = "getData";
1559               }
1560               loc1 = new Fade();
1561               loc1.duration = 500;
1562               loc1.startAlpha = 0.4;
1563               addSwap(loc1);
1564               return;
1565              
1566           }
1567           private function readDataNow()
1568           {
1569               var loc0:* = null;
1570               var loc1:* = null;
1571               var loc2:* = 0;
1572             loc0 = ExternalInterface.call(this.FuncGetData);

修复方案:

严格过滤