Allowing XML file uploads may lead to an XSS vulnerability - warning - the black bar safety net

2015-05-18T00:00:00
ID MYHACK58:62201562528
Type myhack58
Reporter Anonymous (佚名)
Modified 2015-05-18T00:00:00

Description

An XML file may contain an xml-stylesheet processing instruction that names an XSL file used to format and render the XML. While producing that output, the XSL transform can emit arbitrary HTML, including a <script> tag, so it can pop an alert.

However, a script running inside an XSL-formatted XML document has relatively limited capabilities, and many operations cannot be carried out. Still, I think this does not stop it from being used for phishing and similar purposes.

To exploit this alert, as far as I can see, two conditions must be satisfied:

1. The browser must treat the response as XML, and you must be able to insert content into it under that condition (how to get there is left for everyone to work out on their own).

2. Subject to the same-origin policy, you must be able to produce a page, on the same origin, whose content is a valid XSL stylesheet. It does not matter whether it is uploaded as a picture or simply uploaded without filtering.

I think exploitation of this should basically focus on file uploads.

I remember that a certain Internet company once allowed users to upload a custom XML file to configure their personal space, and intuitively many forums should also allow XML file uploads.

The worst case is an AJAX callback interface that takes unfiltered input, echoes it straight back, and sets the Content-Type to XML.

Below is the code that pops the alert; what you do with it beyond that is up to you.

alert.xml

code area

<?xml version="1.0" encoding="iso-8859-1"?>
<?xml-stylesheet type="text/xsl" href="test.jpg"?>
<test></test>

test.jpg

code area

<?xml version="1.0" encoding="iso-8859-1"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="/">
    <html><body>
      <script>alert(/hacked by xsser/);</script>
    </body></html>
  </xsl:template>
</xsl:stylesheet>

Vulnerability proof:

Chrome pops the alert

I remember that a certain Internet company once allowed users to upload a custom XML file to configure their personal space, but I can no longer find the upload point.

Intuitively, many forums should also allow XML file uploads.

The XSL file referenced from the XML file does not need any particular extension or Content-Type; tested and confirmed in Firefox and IE.

Repair solutions:

Do not allow users to upload XML files.

For any operation that echoes input back as XML output, filter the input.
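The following is an added example, not code from the original post, showing the two repairs in working form: classifying an upload by its content rather than its extension (since, as noted above, the browser ignores the extension and Content-Type of the XSL file), and escaping user input that an AJAX callback reflects into an XML response. The function names (classify_upload, upload_allowed, callback_xml, reflected_value) and the sample uploads are my own constructions; the two payload files are the alert.xml / test.jpg pair from the page.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

XSL_NS = "http://www.w3.org/1999/XSL/Transform"
# The xml-stylesheet processing instruction lives in the prolog, before the root element.
STYLESHEET_PI = re.compile(rb"<\?xml-stylesheet\b[^?]*\?>", re.IGNORECASE)

# Constructed sample uploads: the alert.xml / test.jpg pair from the page, a benign
# configuration XML, and the leading bytes of a real JPEG.
ALERT_XML = (b'<?xml version="1.0" encoding="iso-8859-1"?>'
             b'<?xml-stylesheet type="text/xsl" href="test.jpg"?><test></test>')
XSL_IN_JPG = (b'<?xml version="1.0" encoding="iso-8859-1"?>'
              b'<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">'
              b'<xsl:template match="/"><html><body><script>alert(1)</script></body></html>'
              b'</xsl:template></xsl:stylesheet>')
PLAIN_XML = b'<?xml version="1.0"?><config><theme>dark</theme></config>'
REAL_JPG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"


def classify_upload(data: bytes) -> str:
    """Classify an upload by content, ignoring its claimed extension and Content-Type.

    Returns 'xsl', 'xml-with-stylesheet', 'xml' or 'other'. Browsers decide how to
    treat the file by parsing it, so a stylesheet uploaded as test.jpg is still XSL.
    """
    head = data.lstrip(b"\xef\xbb\xbf \t\r\n")  # drop UTF-8 BOM and leading whitespace
    if not head.startswith(b"<"):
        return "other"
    try:
        root = ET.fromstring(head)
    except ET.ParseError:
        return "other"  # not well-formed, so a browser will not render it as XML
    if root.tag in ("{%s}stylesheet" % XSL_NS, "{%s}transform" % XSL_NS):
        return "xsl"
    if STYLESHEET_PI.search(head):
        return "xml-with-stylesheet"  # a document that would pull in a stylesheet
    return "xml"


def upload_allowed(data: bytes) -> bool:
    """The page's first repair: refuse any upload that is well-formed XML."""
    return classify_upload(data) == "other"


def callback_xml(user_value: str) -> bytes:
    """Reflect user input into an XML response without letting it change the markup.

    escape() turns '<', '>' and '&' into entities, so an injected
    '<?xml-stylesheet ...?>' or '</value><script>' becomes inert character data.
    """
    body = ('<?xml version="1.0" encoding="utf-8"?>'
            '<result><value>%s</value></result>' % escape(user_value))
    return body.encode("utf-8")


def reflected_value(response: bytes) -> str:
    """Parse a callback response and return the text that ended up inside <value>."""
    return ET.fromstring(response).findtext("value")


if __name__ == "__main__":
    for name, blob in [("alert.xml", ALERT_XML), ("test.jpg", XSL_IN_JPG),
                       ("config.xml", PLAIN_XML), ("photo.jpg", REAL_JPG)]:
        print("%-10s %-20s allowed=%s" % (name, classify_upload(blob), upload_allowed(blob)))
    payload = '<?xml-stylesheet type="text/xsl" href="test.jpg"?><x/>'
    print(callback_xml(payload).decode())
```

Two further mitigations follow from the conditions listed above: serving user uploads from a separate domain breaks condition 2, because the browser only applies an xml-stylesheet that is same-origin with the XML document, and serving uploads with Content-Disposition: attachment breaks condition 1, because the XML is downloaded instead of rendered.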

Asking for a Baidu cloud phone.