Taobao (taobao.com): several upload filters are not strict - vulnerability warning - the black bar safety net

2010-12-31T00:00:00
ID MYHACK58:62201028729
Type myhack58
Reporter 佚名 (Anonymous)
Modified 2010-12-31T00:00:00

Description

The SWF upload filter is not strict enough, so an SWF file can be uploaded under the main domain name. The harm of an uploadable SWF is too great to need much explanation. In addition, several FCKeditor instances still accept an SWF disguised as a PNG: regardless of the extension, once the file is referenced from a Flash embed tag, the Flash script executes.

<http://tianxia.taobao.com/uploadfile/2010/1222/20101222101004357.swf>

<embed height="150" width="950" type="application/x-shockwave-flash" src="http://tianxia.taobao.com/uploadfile/2010/1224/20101224072517201.png" quality="high" allowscriptaccess="always" wmode="transparent" />
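As an added defensive illustration (not code from the original advisory, from Taobao or from phpcms/FCKeditor), the server-side check below classifies an upload by its leading bytes instead of trusting its extension, so a Flash movie renamed to .png is refused before it is stored. The signatures are the published PNG and SWF (FWS/CWS/ZWS) headers; the filenames and byte strings are constructed.

```python
# Added example, not part of the advisory: reject uploads whose content is an
# SWF no matter what extension they carry, and require the extension to agree
# with the sniffed content. Flash Player decides by content, not by extension,
# which is exactly why a .png that starts with FWS/CWS/ZWS still runs.
import os
from typing import Tuple

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")   # uncompressed, zlib, LZMA SWF

# Extensions this upload handler is allowed to accept (constructed allowlist).
ALLOWED = {".png": "png", ".jpg": "jpeg", ".jpeg": "jpeg", ".gif": "gif"}


def sniff(data: bytes) -> str:
    """Return the real format of an upload from its magic bytes."""
    if data[:3] in SWF_MAGICS:
        return "swf"
    if data.startswith(PNG_MAGIC):
        return "png"
    if data.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "gif"
    return "unknown"


def check_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Accept only when the extension is allowed AND the content matches it."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED:
        return False, f"extension {ext or '(none)'} not allowed"
    actual = sniff(data)
    if actual == "swf":
        # An SWF on the main domain runs with that origin's cookies in
        # Flash Player; reject it regardless of how it was named.
        return False, "SWF content rejected regardless of extension"
    if actual != ALLOWED[ext]:
        return False, f"content is {actual}, expected {ALLOWED[ext]}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: a zlib-compressed SWF header saved as banner.png.
    print(check_upload("banner.png", b"CWS\x0a" + b"\x00" * 16))
    print(check_upload("banner.png", PNG_MAGIC + b"\x00" * 16))
```

Serving user uploads from a separate domain that carries no session cookies limits the damage even when such a check is bypassed.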

http://www.tbtianxia.com/attachment.php?&action=upload&module=phpcms&from=fckeditor&id=2&dosubmit=23&MM_objid=content

http://design.taobao.com/shop/designShop.htm?action=page/TagAction&event_submit_do_upLoadFlashBanner=true&userId=xxxx&flashPath=http://img.uu1001.cn/materials/original/2010-06-14/12-29/11111111111111111111.png&flash_sid=000000000&productId=0000&sign=xxxxxxxxxxxxxxxxxxxxxx&

http://banner.alimama.com/wangpu/apply_design?coop_id=superwangpu&flash_path=http://img.uu1001.cn/materials/original/2010-06-14/12-29/11111111111111111111.png&ad_board_id=111111111&templet_id=11111&person_id=111111&is_ordered=0&is_b2c=0&apt=aboard

Where there was sensitive personal data I have replaced it, for fear of being social-engineered.

In addition, in the shop admin backend here, flashpath= can be set freely. Admittedly it cannot point outside img.uu1001.cn, but after testing, code can still be injected into the flashpath= picture URL before the terminating &.

One small thing I really don't understand: why is the shop backend there made up entirely of GET operations, and basically all in plain text?

Author: dbgger