About Tencent customer service open platform of the 2 vulnerability+subsidiary vulnerabilities 1-vulnerability warning-the black bar safety net

2013-01-09T00:00:00
ID MYHACK58:62201336632
Type myhack58
Reporter 佚名
Modified 2013-01-09T00:00:00

Description

Vulnerability name: Tencent customer service open platform backend bypass

A, detailed description: The login section by noPermiss(js)

http://347.kf.ieodopen.qq.com/admin/js/index.js?v=20121007

Because*. kf. ieodopen. qq. com domain name the opening number represents the application number so I think it belongs to the framework of vulnerability, for example 1. kf. ieodopen. qq. com also the presence of this vulnerability:)

JavaScript

|

1

2

3

4

5

6

7

8

9

1 0

1 1

1 2

1 3

1 4

1 5

1 6

1 7

1 8

1 9

2 0

2 1

2 2

2 3

2 4

2 5

2 6

|

kfadmin. checkLogin = function() {

if (top. kfadmin. isLogin == true) return;

top. kfadmin. isLogin = 'on';

var loginCallback = new Callback("login");

loginCallback. deal = function() {

$("#pdtName", top. kfadmin. headerFrameDoc). html(this. result. obj. sOfferName);

$("#pdtName", top. kfadmin. headerFrameDoc)[0]. title = this. result. obj. sOfferName;

if (~~this. result. obj. isLogin == 1) {

top. document. getElementById("total_frame"). rows = "8 0,*";

top. kfadmin. isLogin = true;

top. kfadmin. sUin = this. result. obj. sUin;

$("#spnLogout", kfadmin. headerFrameDoc). html("Hello!" + this. result. obj. sNickName + "(" + this. result. obj. sUin + ")");

$("#pLogin", top. kfadmin. headerFrameDoc). hide();

$("#pLogout", kfadmin. headerFrameDoc). show();

<strong> if (~~this. result. obj. noPermiss == 1) {</strong>

alert("sorry, you do not have operate background permissions!");

top. window. location. href = "/";

top. kfadmin. noPermiss = true;

return false;

}

} else {

top. kfadmin. isLogin = false;

$("#pLogout", kfadmin. headerFrameDoc). hide();

$("#pLogin", top. kfadmin. headerFrameDoc). show();

}

}

---|---

[1] [2] [3] next