There is no strict restriction on SWF uploads, so SWF files can be uploaded to the primary domain.
SWF uploads are extremely harmful; I will not explain why here.
Several FCKeditor upload endpoints still accept SWF files disguised as PNG. Whatever extension the file carries, it can be executed as Flash by embedding it with a Flash tag, since the player decides by the file's contents rather than by its name.
http://tianxia.taobao.com/PreviousFile/2010/1222/20101222101004357.swf
<embed height="150" width="950" type="application/x-shockwave-flash" src="" quality="high" allowscriptaccess="always" wmode="transparent" />
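As an added example that is not part of the original report, the following Python check does what the affected upload handlers evidently did not: it identifies SWF content from the file's magic bytes (FWS, CWS, ZWS) regardless of the extension the uploader claims, checks that the SWF header is internally consistent, and rejects SWF content outright for a host that serves user uploads on its primary domain. The sample files are constructed inline and the function names are my own.

```python
import zlib

# SWF signatures: FWS = uncompressed, CWS = zlib-compressed, ZWS = LZMA-compressed.
SWF_MAGICS = {b"FWS": "uncompressed", b"CWS": "zlib", b"ZWS": "lzma"}
PNG_SIG = b"\x89PNG\r\n\x1a\n"


def parse_swf_header(data: bytes):
    """Return header fields if data starts like an SWF, else None.

    Layout: 3-byte signature, 1-byte version, 4-byte little-endian file length
    (the length of the *uncompressed* file, header included).
    """
    if len(data) < 8 or data[:3] not in SWF_MAGICS:
        return None
    compression = SWF_MAGICS[data[:3]]
    version = data[3]
    declared = int.from_bytes(data[4:8], "little")
    if compression == "uncompressed":
        consistent = declared == len(data)
    elif compression == "zlib":
        try:
            consistent = declared == len(zlib.decompress(data[8:])) + 8
        except zlib.error:
            consistent = False
    else:
        # ZWS carries a compressed-length field and raw LZMA properties after the
        # header; this example only sanity-checks the declared length (assumption).
        consistent = declared >= 8
    return {"compression": compression, "version": version,
            "declared_length": declared, "consistent": consistent}


def sniff(data: bytes) -> str:
    """Classify an upload by content, ignoring the filename entirely."""
    if data[:8] == PNG_SIG:
        return "png"
    if parse_swf_header(data) is not None:
        return "swf"
    return "unknown"


def validate_upload(filename: str, data: bytes, allow_swf: bool = False):
    """Return (accepted, reason). Extension must match the sniffed content,
    and SWF is refused unless the caller explicitly allows it."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = sniff(data)
    if kind == "swf":
        if not allow_swf:
            return False, "SWF content rejected regardless of extension"
        if ext != "swf":
            return False, "SWF content with non-swf extension"
        if not parse_swf_header(data)["consistent"]:
            return False, "SWF header length does not match file"
        return True, "ok"
    if kind == "png":
        return (True, "ok") if ext == "png" else (False, "PNG content with non-png extension")
    return False, "unrecognized content"


# Constructed samples (not real uploads). The SWF body is the smallest valid
# one: RECT with nbits=0, frame rate 12.0, one frame, then an End tag.
_SWF_BODY = b"\x00" + b"\x00\x0c" + b"\x01\x00" + b"\x00\x00"
SAMPLE_FWS = b"FWS\x0a" + (8 + len(_SWF_BODY)).to_bytes(4, "little") + _SWF_BODY
SAMPLE_CWS = b"CWS\x0a" + (8 + len(_SWF_BODY)).to_bytes(4, "little") + zlib.compress(_SWF_BODY)
# Truncated PNG: only the signature matters to this check.
SAMPLE_PNG = PNG_SIG + b"\x00\x00\x00\x0dIHDR"

if __name__ == "__main__":
    for name, blob in [("banner.png", SAMPLE_FWS), ("banner.png", SAMPLE_CWS),
                       ("banner.png", SAMPLE_PNG), ("banner.swf", SAMPLE_FWS)]:
        print(name, sniff(blob), validate_upload(name, blob))
```

The disguise in the report works because Flash Player, like this sniffer, looks only at the leading bytes; a server that trusts the extension or the client-supplied Content-Type will happily store an FWS/CWS file as `.png` and then serve it from the primary origin, where `allowscriptaccess="always"` gives it the page's privileges.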
http://www.tbtianxia.com/attachment.php?&action=upload&module=phpcms&from=fckeditor&id=2&dosubmit=23&MM_objid=content
http://design.taobao.com/shop/designShop.htm?action=page/TagAction&event_submit_do_upLoadFlashBanner=true&userId=xxxx&flashPath=http://img.uu1001.cn/materials/original/2010-06-14/12-29/11111111111111111111.png&flash_sid=000000000&productId=0000&sign=xxxxxxxxxxxxxxxxxxxxxx&
http://banner.alimama.com/wangpu/apply_design?coop_id=superwangpu&flash_path=http://img.uu1001.cn/materials/original/2010-06-14/12-29/11111111111111111111.png&ad_board_id=111111111&templet_id=11111&person_id=111111&is_ordered=0&is_b2c=0&apt=aboard
I have replaced my personal sensitive data in the URLs above for fear of being targeted by social engineering.
In addition, in the store backend the flashPath= parameter can be set to almost anything; of course, it cannot be pointed outside img.uu1001.cn.
However, after testing, even with flashPath= set to a picture URL, the code can still be injected as described above.
Another point is that I really don't understand why all the GET operations in the store backend are in plain text.
Author: dbgger