Jingdong IM web client file upload cause arbitrary JS execution-vulnerability warning-the black bar safety net

2013-03-04T00:00:00
ID MYHACK58:62201337588
Type myhack58
Reporter 佚名
Modified 2013-03-04T00:00:00

Description

In jingdong online customer service system, customer service end of the page you can perform the client to write any JS code.

Process: 1. Customer service access. 2. To upload a picture. 3. Because jingdong to the editor is a contenteditable=true div, so we can be of its contents for editing. 4. In the picture on the Add event

! Here to add an onload, the content is to jump to the days of the cat. 5. Click Send 6. In the network, we check the request content, you will see a message ! Will it go after the code we get

!

Here, we see the picture on the onload event and not be filtered out, in the customer service end will be executed directly.

The customer service terminal staff confirmed the code execution.

! Again found the problem, the chats turned out to be the Memory Bank! In my jingdong on the message Elf, the code output is not filtered

!

Repair solutions:

For user-submitted content to be more strict the filter, the removal in some of the media elements on onload onerror etc. events